Analysis
max time kernel: 149s
max time network: 146s
platform: windows7_x64
resource: win7
submitted: 08-07-2020 14:46
Static task: static1
Behavioral task: behavioral1
  Sample: Request for Quotation-BV-76435020.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: Request for Quotation-BV-76435020.exe
  Resource: win10v200430
General
Target: Request for Quotation-BV-76435020.exe
Size: 654KB
MD5: a2fe795e8b63eb414f66e09953a56a46
SHA1: ffd4c5641f9253d6004af10110ffcc630be27521
SHA256: b00ebd12d239ba9f75f11b3ad96b127730779e48f3e2fead50c9e5a7b7ca598a
SHA512: 3a99dffb20ab52a9a771b495f9e7f7acbc72d319b265197cc8465211b44eea1fa9c1550581a083f176a97bfecab3f6c6d79033b3cc5a8fcfd75cb6ac27e9e65a
Malware Config
Signatures
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 1496 set thread context of 1020 | 1496 | Request for Quotation-BV-76435020.exe | Request for Quotation-BV-76435020.exe
PID 1020 set thread context of 1228 | 1020 | Request for Quotation-BV-76435020.exe | Explorer.EXE
PID 388 set thread context of 1228 | 388 | raserver.exe | Explorer.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1020 | Request for Quotation-BV-76435020.exe
Token: SeDebugPrivilege | 388 | raserver.exe
Adds Run entry to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key created | \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | raserver.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\-Z-XJLGPTH = "C:\\Program Files (x86)\\Ekpx0cfw0\\userdpwtjleh.exe" | raserver.exe
Suspicious use of SendNotifyMessage 7 IoCs
Processes:
pid | process
1228 | Explorer.EXE (listed 7 times)
Modifies Internet Explorer settings
Processes:
description | ioc | process
Key created | \Registry\User\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | raserver.exe
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
description | pid | process | target process
PID 1496 wrote to memory of 1020 | 1496 | Request for Quotation-BV-76435020.exe | Request for Quotation-BV-76435020.exe (listed 4 times)
PID 1228 wrote to memory of 388 | 1228 | Explorer.EXE | raserver.exe (listed 4 times)
PID 388 wrote to memory of 336 | 388 | raserver.exe | cmd.exe (listed 4 times)
PID 388 wrote to memory of 1628 | 388 | raserver.exe | Firefox.exe (listed 5 times)
Suspicious behavior: MapViewOfSection 8 IoCs
Processes:
pid | process
1496 | Request for Quotation-BV-76435020.exe
1020 | Request for Quotation-BV-76435020.exe (listed 3 times)
388 | raserver.exe (listed 4 times)
Deletes itself 1 IoCs
Processes:
pid | process
336 | cmd.exe
Suspicious use of FindShellTrayWindow 8 IoCs
Processes:
pid | process
1228 | Explorer.EXE (listed 8 times)
Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Explorer.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Suspicious behavior: EnumeratesProcesses 31 IoCs
Processes:
pid | process
1496 | Request for Quotation-BV-76435020.exe
1020 | Request for Quotation-BV-76435020.exe (listed 2 times)
388 | raserver.exe (remaining 28 entries)
Drops file in Program Files directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files (x86)\Ekpx0cfw0\userdpwtjleh.exe | raserver.exe
Processes
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1228
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - Suspicious use of FindShellTrayWindow
  - Checks whether UAC is enabled
  C:\Users\Admin\AppData\Local\Temp\Request for Quotation-BV-76435020.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Request for Quotation-BV-76435020.exe"
    PID: 1496
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: MapViewOfSection
    - Suspicious behavior: EnumeratesProcesses
    C:\Users\Admin\AppData\Local\Temp\Request for Quotation-BV-76435020.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Request for Quotation-BV-76435020.exe"
      PID: 1020
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: MapViewOfSection
      - Suspicious behavior: EnumeratesProcesses
  C:\Windows\SysWOW64\raserver.exe
    Command line: "C:\Windows\SysWOW64\raserver.exe"
    PID: 388
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Adds Run entry to start application
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: MapViewOfSection
    - Suspicious behavior: EnumeratesProcesses
    - Drops file in Program Files directory
    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Request for Quotation-BV-76435020.exe"
      PID: 336
      - Deletes itself
    C:\Program Files\Mozilla Firefox\Firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
      PID: 1628