Analysis

max time kernel: 145s
max time network: 129s
platform: windows10_x64
resource: win10
submitted: 13-07-2020 14:18
Static task: static1

Behavioral task: behavioral1
Sample: rectified quote.exe
Resource: win7v200430 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: rectified quote.exe
Resource: win10 (windows10_x64)
0 signatures, 0 seconds
General

Target: rectified quote.exe
Size: 400KB
MD5: 0c6982e8d622d6550a6a170f1c0b9c49
SHA1: 489f667a831be85ffd37288ca187d0517fc5d649
SHA256: 714e525a436fc97ce8b8e31b63c79e8f13cc0577c80f613f825cafdf7fddeb1f
SHA512: c1b81fdc18fe5ab49b005a2e5847f6007c95baa8a04bd0b3140fc3e8295f05e141f5db2b07478798fcf5293be3f8415ae4d97daee7c926b69e8338c47898cadc
Score: 10/10
Malware Config

Signatures

Adds Run entry to policy start application (2 TTPs, 2 IoCs)
Processes: wlanext.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (wlanext.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Y8LTCTBPGJX = "C:\\Program Files (x86)\\Rcrk\\2dj8qnoxudfd.exe" (wlanext.exe)

Drops startup file (1 IoCs)
Processes: rectified quote.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe (rectified quote.exe)

Suspicious use of WriteProcessMemory (16 IoCs)
Processes: rectified quote.exe, Explorer.EXE, wlanext.exe
  PID 3832 (rectified quote.exe) wrote to memory of 3032 (RegAsm.exe) (x4)
  PID 2988 (Explorer.EXE) wrote to memory of 3488 (wlanext.exe) (x3)
  PID 3488 (wlanext.exe) wrote to memory of 3992 (cmd.exe) (x3)
  PID 3488 (wlanext.exe) wrote to memory of 752 (cmd.exe) (x3)
  PID 3488 (wlanext.exe) wrote to memory of 2232 (Firefox.exe) (x3)

Drops file in Program Files directory (1 IoCs)
Processes: wlanext.exe
  File opened for modification: C:\Program Files (x86)\Rcrk\2dj8qnoxudfd.exe (wlanext.exe)

Modifies Internet Explorer settings
Processes: wlanext.exe
  Key created: \Registry\User\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (wlanext.exe)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious behavior: EnumeratesProcesses (56 IoCs)
Processes: RegAsm.exe, wlanext.exe
  3032 RegAsm.exe (x6)
  3488 wlanext.exe (x50)

Suspicious use of SendNotifyMessage (1 IoCs)
Processes: Explorer.EXE
  2988 Explorer.EXE

Suspicious use of FindShellTrayWindow (1 IoCs)
Processes: Explorer.EXE
  2988 Explorer.EXE

System policy modification (1 TTPs, 1 IoCs)
Processes: wlanext.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (wlanext.exe)

Suspicious behavior: MapViewOfSection (9 IoCs)
Processes: rectified quote.exe, RegAsm.exe, wlanext.exe
  3832 rectified quote.exe (x1)
  3032 RegAsm.exe (x4)
  3488 wlanext.exe (x4)

Suspicious use of SetThreadContext (4 IoCs)
Processes: rectified quote.exe, RegAsm.exe, wlanext.exe
  PID 3832 (rectified quote.exe) set thread context of 3032 (RegAsm.exe)
  PID 3032 (RegAsm.exe) set thread context of 2988 (Explorer.EXE) (x2)
  PID 3488 (wlanext.exe) set thread context of 2988 (Explorer.EXE)

Suspicious use of AdjustPrivilegeToken (12 IoCs)
Processes: RegAsm.exe, Explorer.EXE, wlanext.exe
  Token: SeDebugPrivilege 3032 RegAsm.exe
  Token: SeShutdownPrivilege 2988 Explorer.EXE
  Token: SeCreatePagefilePrivilege 2988 Explorer.EXE
  Token: SeDebugPrivilege 3488 wlanext.exe
  Token: SeShutdownPrivilege 2988 Explorer.EXE
  Token: SeCreatePagefilePrivilege 2988 Explorer.EXE
  Token: SeShutdownPrivilege 2988 Explorer.EXE
  Token: SeCreatePagefilePrivilege 2988 Explorer.EXE
  Token: SeShutdownPrivilege 2988 Explorer.EXE
  Token: SeCreatePagefilePrivilege 2988 Explorer.EXE
  Token: SeShutdownPrivilege 2988 Explorer.EXE
  Token: SeCreatePagefilePrivilege 2988 Explorer.EXE
Processes

C:\Windows\Explorer.EXE (PID 2988)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SendNotifyMessage
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\rectified quote.exe (PID 3832)
    command line: "C:\Users\Admin\AppData\Local\Temp\rectified quote.exe"
    - Drops startup file
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetThreadContext

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 3032)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\autoconv.exe (PID 3300)
    command line: "C:\Windows\SysWOW64\autoconv.exe"

  C:\Windows\SysWOW64\autofmt.exe, 10 instances (PIDs 3756, 3892, 3896, 3904, 3932, 3868, 3864, 3872, 3860, 3948)
    command line: "C:\Windows\SysWOW64\autofmt.exe"

  C:\Windows\SysWOW64\wlanext.exe (PID 3488)
    command line: "C:\Windows\SysWOW64\wlanext.exe"
    - Adds Run entry to policy start application
    - Suspicious use of WriteProcessMemory
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - System policy modification
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe (PID 3992)
      command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

    C:\Windows\SysWOW64\cmd.exe (PID 752)
      command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

    C:\Program Files\Mozilla Firefox\Firefox.exe (PID 2232)
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"