Analysis
max time kernel: 149s
max time network: 140s
platform: windows10_x64
resource: win10v200430
submitted: 07-07-2020 08:50
Static task: static1

Behavioral task: behavioral1
Sample: Quotation.exe
Resource: win7 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: Quotation.exe
Resource: win10v200430 (windows10_x64)
0 signatures, 0 seconds
General
Target: Quotation.exe
Size: 456KB
MD5: 35890d210ae3539ce3cf24f730d186d5
SHA1: 73e5145cef8463d9d1f9ea556cd3cee069370402
SHA256: c2221b7f65afde44bb459fec37286e4ad1f032d30be34d04527497c4b6acfdbd
SHA512: acd15ba2923e2d6fc3c43759b08247078ba0241e929664abe0d99d44e979068437c2c82f61717e4b7efd8e181f08a15fcc003380de62eed89604d41ffaee6c6a
Score: 10/10
Malware Config
Signatures
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Suspicious use of WriteProcessMemory (18 IoCs)
Processes: Quotation.exe, Explorer.EXE, cmmon32.exe

description | pid | process | target process | entries
PID 3932 wrote to memory of 2072 | 3932 | Quotation.exe | Quotation.exe | 6
PID 3000 wrote to memory of 2448 | 3000 | Explorer.EXE | cmmon32.exe | 3
PID 2448 wrote to memory of 2668 | 2448 | cmmon32.exe | cmd.exe | 3
PID 2448 wrote to memory of 3848 | 2448 | cmmon32.exe | cmd.exe | 3
PID 2448 wrote to memory of 3860 | 2448 | cmmon32.exe | Firefox.exe | 3
Suspicious behavior: EnumeratesProcesses (44 IoCs)
Processes: Quotation.exe, cmmon32.exe

pid | process | entries
2072 | Quotation.exe | 4
2448 | cmmon32.exe | 40
Suspicious behavior: MapViewOfSection (7 IoCs)
Processes: Quotation.exe, cmmon32.exe

pid | process | entries
2072 | Quotation.exe | 3
2448 | cmmon32.exe | 4
Drops file in Program Files directory (1 IoCs)
Processes: cmmon32.exe

description | ioc | process
File opened for modification | C:\Program Files (x86)\Lbbvhf\qtwgrlt.exe | cmmon32.exe
System policy modification (1 TTPs, 1 IoCs)
Processes: cmmon32.exe

description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | cmmon32.exe
Adds Run entry to policy start application (2 TTPs, 2 IoCs)
Processes: cmmon32.exe

description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | cmmon32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\8P6HZLLXYJZ = "C:\\Program Files (x86)\\Lbbvhf\\qtwgrlt.exe" | cmmon32.exe
Modifies Internet Explorer settings
Processes: cmmon32.exe

description | ioc | process
Key created | \Registry\User\S-1-5-21-1231583446-2617009595-2137880041-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | cmmon32.exe
Suspicious use of SetThreadContext (3 IoCs)
Processes: Quotation.exe, Quotation.exe, cmmon32.exe

description | pid | process | target process
PID 3932 set thread context of 2072 | 3932 | Quotation.exe | Quotation.exe
PID 2072 set thread context of 3000 | 2072 | Quotation.exe | Explorer.EXE
PID 2448 set thread context of 3000 | 2448 | cmmon32.exe | Explorer.EXE
Suspicious use of AdjustPrivilegeToken (12 IoCs)
Processes: Quotation.exe, cmmon32.exe, Explorer.EXE

description | pid | process | entries
Token: SeDebugPrivilege | 2072 | Quotation.exe | 1
Token: SeDebugPrivilege | 2448 | cmmon32.exe | 1
Token: SeShutdownPrivilege | 3000 | Explorer.EXE | 5
Token: SeCreatePagefilePrivilege | 3000 | Explorer.EXE | 5
Processes

C:\Windows\Explorer.EXE (PID 3000), command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\Quotation.exe (PID 3932), command line: "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetThreadContext

    C:\Users\Admin\AppData\Local\Temp\Quotation.exe (PID 2072), command line: "{path}"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmmon32.exe (PID 2448), command line: "C:\Windows\SysWOW64\cmmon32.exe"
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Drops file in Program Files directory
    - System policy modification
    - Adds Run entry to policy start application
    - Modifies Internet Explorer settings
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe (PID 2668), command line: /c del "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"

    C:\Windows\SysWOW64\cmd.exe (PID 3848), command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

    C:\Program Files\Mozilla Firefox\Firefox.exe (PID 3860), command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"