Analysis
max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
24-12-2024 16:55
Static task
static1
Behavioral task
behavioral1
Sample
Quotation.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Quotation.exe
Resource
win10v2004-20241007-en
General
Target
Quotation.exe
Size
940KB
MD5
180ccd64c5a7543dd30077c48d20f67c
SHA1
b8a68eac1ff1f76b0d0dd1ebe5f795c2a02d1929
SHA256
42306b57fbe6db0e589995f0e50a28140c86715953a8d637e7ed42a59e2ebcb3
SHA512
06a26968634697648ddf33dd0d25fa022b01be5bc6f64c6e8210610a1e0e21ef628cc53f8c4449579897278fd975091f46174a5ebf0b2ec057960d748f0a262a
SSDEEP
24576:PkXOPSJCh5kbQ5Q+HHC/6UISfAHgwjc3b:PGRJu5CKNUISYHgwjc3
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Runs PowerShell (Add-MpPreference) to add Windows Defender exclusions, which can cover file extensions, paths, or processes. In this run both invocations use -ExclusionPath: one for the sample itself and one for C:\Users\Admin\AppData\Roaming\BKKZIuXFLRr.exe, a path that does not appear among the files recorded in this report but matches the name of the scheduled task below.
  pid  | Process
  2816 | powershell.exe
  2860 | powershell.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). No IoCs are listed for this signature.
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of the victim host in order to infer its geographical location. Reading this key is also routine for benign software and the runtime libraries it loads, so on its own it is weak evidence.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Quotation.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  schtasks is often used by malware for persistence or to perform post-infection execution. Here the task Updates\BKKZIuXFLRr is created from an XML task definition written to the user's Temp directory (see the process tree).
  pid  | Process
  2756 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  pid  | Process
  316  | Quotation.exe (16 hits)
  2816 | powershell.exe
  2860 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 316 | Quotation.exe
  Token: SeDebugPrivilege | 2816 | powershell.exe
  Token: SeDebugPrivilege | 2860 | powershell.exe
- Suspicious use of WriteProcessMemory (32 IoCs; each target appears 4 times)
  The parent writes into every child it creates, including the five child copies of its own image. The report records the writes, not their contents.
  description | pid | Process | procid_target
  PID 316 wrote to memory of 2816 | 316 | Quotation.exe | 31
  PID 316 wrote to memory of 2860 | 316 | Quotation.exe | 33
  PID 316 wrote to memory of 2756 | 316 | Quotation.exe | 35
  PID 316 wrote to memory of 2668 | 316 | Quotation.exe | 37
  PID 316 wrote to memory of 2716 | 316 | Quotation.exe | 38
  PID 316 wrote to memory of 1704 | 316 | Quotation.exe | 39
  PID 316 wrote to memory of 3020 | 316 | Quotation.exe | 40
  PID 316 wrote to memory of 2648 | 316 | Quotation.exe | 41
Processes
- C:\Users\Admin\AppData\Local\Temp\Quotation.exe (PID 316, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2816, level 2)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2860, level 2)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BKKZIuXFLRr.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 2756, level 2)
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BKKZIuXFLRr" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE8D9.tmp"
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
  - C:\Users\Admin\AppData\Local\Temp\Quotation.exe (PID 2668, level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
  - C:\Users\Admin\AppData\Local\Temp\Quotation.exe (PID 2716, level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
  - C:\Users\Admin\AppData\Local\Temp\Quotation.exe (PID 1704, level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
  - C:\Users\Admin\AppData\Local\Temp\Quotation.exe (PID 3020, level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
  - C:\Users\Admin\AppData\Local\Temp\Quotation.exe (PID 2648, level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
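The process tree above shows three behaviours worth turning into rules: powershell.exe launched by the sample with Add-MpPreference -ExclusionPath, schtasks.exe fed an XML task definition from the user's Temp directory, and the sample spawning five copies of its own image with an identical command line (each of which it then writes into, per the WriteProcessMemory IoCs). A fourth detail is that every child's command line names C:\Windows\System32\ while the recorded executable path is C:\Windows\SysWOW64\; that is WOW64 file-system redirection, and it tells you the creating process is 32-bit. The script below is an added example, not sandbox output: it runs those rules over a constructed event list shaped like this report's tree. The event tuples, the rule names and the helper functions are the example's own; the report records the memory writes but not their contents, so the last rule flags the self-respawn pattern without naming an injection technique.

```python
import re
from collections import defaultdict

# Constructed process-creation events (ppid, pid, executable path, command line),
# shaped like the process tree in this report. Constructed for the example;
# not sandbox output.
Q = r"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
EVENTS = [
    (0, 316, Q, f'"{Q}"'),
    (316, 2816, PS, PS_CMD + f' Add-MpPreference -ExclusionPath "{Q}"'),
    (316, 2860, PS, PS_CMD + r' Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BKKZIuXFLRr.exe"'),
    (316, 2756, r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BKKZIuXFLRr" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE8D9.tmp"'),
] + [(316, pid, Q, f'"{Q}"') for pid in (2668, 2716, 1704, 3020, 2648)]

EXCL_RE = re.compile(r'Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+(?:"([^"]*)"|(\S+))', re.I)
TN_RE = re.compile(r'/TN\s+(?:"([^"]*)"|(\S+))', re.I)
XML_RE = re.compile(r'/XML\s+(?:"([^"]*)"|(\S+))', re.I)
USER_TEMP_RE = re.compile(r'\\AppData\\Local\\Temp\\', re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _arg(m, first, second):
    """Return the quoted or the bare form of a matched argument, whichever is present."""
    return m.group(first) if m.group(first) is not None else m.group(second)


def triage(events):
    """Apply four rules to process-creation events; return (rule, pid, detail) tuples."""
    by_pid = {e[1]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e[0]].append(e)
    findings = []
    for ppid, pid, image, cmd in events:
        parent = by_pid.get(ppid)
        exe = basename(image)
        # Rule 1: Defender exclusion added through PowerShell; record what was excluded and by whom.
        m = EXCL_RE.search(cmd) if exe == "powershell.exe" else None
        if m:
            findings.append(("defender_exclusion", pid, {
                "kind": m.group(1).lower(), "value": _arg(m, 2, 3),
                "parent": basename(parent[2]) if parent else None}))
        # Rule 2: schtasks /Create fed an XML task definition from the user's Temp directory.
        if exe == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
            tn, xml = TN_RE.search(cmd), XML_RE.search(cmd)
            xml_path = _arg(xml, 1, 2) if xml else None
            findings.append(("scheduled_task", pid, {
                "task": _arg(tn, 1, 2) if tn else None, "xml": xml_path,
                "xml_in_user_temp": bool(xml_path and USER_TEMP_RE.search(xml_path))}))
        # Rule 3: the command line named System32 but the process ran from SysWOW64. That is
        # WOW64 file-system redirection, so the creating process is 32-bit.
        if "\\syswow64\\" in image.lower() and "\\system32\\" in cmd.lower():
            findings.append(("wow64_redirected_child", pid, {"parent_is_32bit": True}))
    # Rule 4: a process that spawns its own image with an identical command line two or more
    # times. The report pairs this with WriteProcessMemory into each child; what was written is
    # not recorded, so the rule flags the pattern without naming an injection technique.
    for ppid, kids in children.items():
        parent = by_pid.get(ppid)
        if parent is None:
            continue
        clones = [k for k in kids if k[2].lower() == parent[2].lower() and k[3] == parent[3]]
        if len(clones) >= 2:
            findings.append(("self_respawn", ppid, {"count": len(clones),
                                                    "child_pids": [k[1] for k in clones]}))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in triage(EVENTS):
        print(f"{rule:24} pid={pid:<5} {detail}")
```

On a live host the same two artefacts are checked with the built-in tools: Get-MpPreference exposes the current ExclusionPath list, and schtasks /Query /TN "Updates\BKKZIuXFLRr" /XML dumps the registered task definition, which is the copy to keep since the tmpE8D9.tmp source file in Temp may no longer exist.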
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: b922cd23393fd5fcae33f3c05619e6eb
  SHA1: 0408f72841380855b84fa46a3a29ba3068b5c81c
  SHA256: c490a4dd1251fcedf15143d4543a7ae78f0cee0a0563dd761859ef4d79f0889e
  SHA512: 240ff81f995b16e0f2c6782e34a54fc2759456fdca933261409be9f4667e8875548f6ea6c7b93e42521976f3b9bd1c003015e22ea3b122f639ebf9475fb45c36
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GZTJTK9YCTKBQMUVWPMB.temp
  Filesize: 7KB
  MD5: b68bb37d09eb347fb9f3fe2211cc1348
  SHA1: 5f393a6b27e121dd82dede74c30a3c764baeb250
  SHA256: 9e2056d5d2d35cab4b0a819ab301d0a75e2e93fc789215cefaec2a7ac73ee193
  SHA512: 66befc55fe9c2b1e9b64da99db8bd918006e6bea09aaaa773627771dd520cee8e0b7fcbba1df00863034389f2d34854c810f7402a195c9544f571bb69c339a57