Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    08-07-2020 14:46

General

  • Target

    Request for Quotation-BV-76435020.exe

  • Size

    654KB

  • MD5

    a2fe795e8b63eb414f66e09953a56a46

  • SHA1

    ffd4c5641f9253d6004af10110ffcc630be27521

  • SHA256

    b00ebd12d239ba9f75f11b3ad96b127730779e48f3e2fead50c9e5a7b7ca598a

  • SHA512

    3a99dffb20ab52a9a771b495f9e7f7acbc72d319b265197cc8465211b44eea1fa9c1550581a083f176a97bfecab3f6c6d79033b3cc5a8fcfd75cb6ac27e9e65a

Malware Config

Signatures

  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Adds Run entry to start application 2 TTPs 2 IoCs
  • Suspicious use of SendNotifyMessage 7 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Deletes itself 1 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

  • Drops file in Program Files directory 1 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    • Suspicious use of FindShellTrayWindow
    • Checks whether UAC is enabled
    PID:1228
    • C:\Users\Admin\AppData\Local\Temp\Request for Quotation-BV-76435020.exe
      "C:\Users\Admin\AppData\Local\Temp\Request for Quotation-BV-76435020.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      • Suspicious behavior: MapViewOfSection
      • Suspicious behavior: EnumeratesProcesses
      PID:1496
      • C:\Users\Admin\AppData\Local\Temp\Request for Quotation-BV-76435020.exe
        "C:\Users\Admin\AppData\Local\Temp\Request for Quotation-BV-76435020.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: MapViewOfSection
        • Suspicious behavior: EnumeratesProcesses
        PID:1020
    • C:\Windows\SysWOW64\raserver.exe
      "C:\Windows\SysWOW64\raserver.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Adds Run entry to start application
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      • Suspicious behavior: MapViewOfSection
      • Suspicious behavior: EnumeratesProcesses
      • Drops file in Program Files directory
      PID:388
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Request for Quotation-BV-76435020.exe"
        3⤵
        • Deletes itself
        PID:336
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:1628

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\-823QC40\-82logim.jpeg

    • C:\Users\Admin\AppData\Roaming\-823QC40\-82logrf.ini

    • C:\Users\Admin\AppData\Roaming\-823QC40\-82logri.ini

    • C:\Users\Admin\AppData\Roaming\-823QC40\-82logrv.ini

    • memory/336-4-0x0000000000000000-mapping.dmp

    • memory/388-3-0x00000000000B0000-0x00000000000CC000-memory.dmp

      Filesize

      112KB

    • memory/388-6-0x0000000003A90000-0x0000000003BA4000-memory.dmp

      Filesize

      1.1MB

    • memory/388-5-0x0000000002FA0000-0x000000000305D000-memory.dmp

      Filesize

      756KB

    • memory/388-2-0x0000000000000000-mapping.dmp

    • memory/1020-0-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

    • memory/1020-1-0x000000000041E2A0-mapping.dmp

    • memory/1628-7-0x0000000000000000-mapping.dmp

    • memory/1628-8-0x000000013F600000-0x000000013F693000-memory.dmp

      Filesize

      588KB