Analysis
  max time kernel:  142s
  max time network: 23s
  platform:         windows7_x64
  resource:         win7v200430
  submitted:        11-07-2020 16:52
Static task: static1
Behavioral task: behavioral1
  Sample:   MATWORLD_QUOTE221.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample:   MATWORLD_QUOTE221.exe
  Resource: win10
General
  Target: MATWORLD_QUOTE221.exe
  Size:   959KB
  MD5:    f67268e684c9c3c9aec485d3b8011d57
  SHA1:   12872aad2d3327b5cd32d1b2af56c2667aa74add
  SHA256: 0874b3168d4582178f30aac5d4e86a935228aa76e68754692539105c51059467
  SHA512: 1a084d70cd1964e4ea1f9b140c83d40495b6d2ee3ad88eef76917ab5b871e88adf329648e1c00dbbdf2b6cc072a16cc9e3b25db8cc5c821a6b46b6f5ae24d140
Malware Config
Signatures

Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid   process                target process
    PID 1520 set thread context of 1772  1520  MATWORLD_QUOTE221.exe  MATWORLD_QUOTE221.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1772  MATWORLD_QUOTE221.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    1772  MATWORLD_QUOTE221.exe
    1772  MATWORLD_QUOTE221.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                                process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   MATWORLD_QUOTE221.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    MATWORLD_QUOTE221.exe

Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  Processes:
    description  ioc                                                                        process
    Key opened   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions   MATWORLD_QUOTE221.exe

Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
  Processes:
    description  ioc                                                             process
    Key opened   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools  MATWORLD_QUOTE221.exe

Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                         process
    Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    MATWORLD_QUOTE221.exe
    Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  MATWORLD_QUOTE221.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description                       pid   process                target process
    PID 1520 wrote to memory of 1772  1520  MATWORLD_QUOTE221.exe  MATWORLD_QUOTE221.exe
    (this entry is repeated 9 times in the report, one per write)
Processes

1. C:\Users\Admin\AppData\Local\Temp\MATWORLD_QUOTE221.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\MATWORLD_QUOTE221.exe"
   PID: 1520
   - Suspicious use of SetThreadContext
   - Checks BIOS information in registry
   - Looks for VirtualBox Guest Additions in registry
   - Looks for VMWare Tools registry key
   - Maps connected drives based on registry
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\MATWORLD_QUOTE221.exe (child of PID 1520)
      Command line: "{path}"
      PID: 1772
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses