Analysis

max time kernel: 150s
max time network: 143s
platform: windows7_x64
resource: win7
submitted: 10-08-2020 09:13

Static task: static1
Behavioral task: behavioral1
Sample: Quotationv.exe
Resource: win7
General

Target: Quotationv.exe
Size: 669KB
MD5: 52cfc15a97799e70a8b4a39b04bc8e2b
SHA1: 2cfa4daab21dd8115167a3ccba0080f5fdad63ff
SHA256: f910b739d3d727fc1f5acde88b0740a575c603dc6c61246156c5debd6bd126bc
SHA512: 95b7d0c4942703ebfec9d405bfe08efd1f11c2af3b9f65e05bef5afb3440fabcff5e5733de9bec824331d6b22c26e72419e25ca66a6948c07c0c4d4cc98fcdc3
Malware Config

Extracted family: formbook
C2: http://www.fex-tracks.com/pdup/
Additional domains from the same configuration (Formbook embeds a list of decoy domains alongside its real C2, so treat the entries below as lower-confidence indicators than the URL above):
mycharlesschwab.com
casinocode.online
lesliemostellerart.com
cdtevergreen.com
jualpenirumasli.com
lvyouonline.com
moteaiai.com
coachmo13.com
lampungtimur.com
sellmycapecodhouse.com
wearschool.com
onlinekazancyollari.com
ubmotherhood.com
sqyxedu.com
sibate518.com
energygv.com
sathsathhain.com
paperghostsbook.com
investinbritain.net
tansuokeji.ink
quintelcapital.com
inkox.com
horsedrawnpress.com
hoertjesbijjouindebuurt.online
van-to-choice.com
undohate.com
innovativeconnections.info
xn--2qu076aq4bo3gg7hvoqohm.net
bancodecreditosyprestamos.com
xingyesq.com
8894x.com
loreet.com
studiopavia.cloud
dairong.net
timo9.com
taikang365.ink
chatterentertainment.com
apluspower.net
nelamaps.com
cryptoustaad.com
baevmaylllerch.win
saintjulia.church
caneloalvarezvsgolovkin.com
barronetttire.com
government-jobs.click
teamexitus.com
alponafashion.com
myriamavanza.com
qianxunedu.com
jglzs.com
tv-production.com
vfjgiftshop.com
timekeeper248.com
4thirteenfitnessclothing.com
motorcityam.com
hfhy888.com
kirso.info
grupoquo.com
trentgoins.net
storey360.com
xyxy4567.com
farmersinsurancematt.com
gwor5v.com
mjstfy.men
Signatures

Formbook Payload (4 IoCs)
- behavioral1/memory/1468-1-0x0000000000400000-0x000000000042E000-memory.dmp, yara_rule: formbook (matched twice)
- behavioral1/memory/1468-2-0x000000000041EDC0-mapping.dmp, yara_rule: formbook
- behavioral1/memory/1096-4-0x0000000000000000-mapping.dmp, yara_rule: formbook

Deletes itself (1 IoC)
- PID 1536 cmd.exe
Checks whether UAC is enabled (1 IoC)
- PID 1304 Explorer.EXE: key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  (Explorer.EXE is the target of the SetThreadContext calls from PIDs 1468 and 1096 listed below, so this query most likely comes from the injected Formbook code rather than from Explorer itself.)
Suspicious use of SetThreadContext (4 IoCs)
- PID 1124 Quotationv.exe set thread context of PID 1468 Quotationv.exe
- PID 1468 Quotationv.exe set thread context of PID 1304 Explorer.EXE (2 events)
- PID 1096 cmmon32.exe set thread context of PID 1304 Explorer.EXE

Suspicious behavior: EnumeratesProcesses (23 IoCs)
- PID 1124 Quotationv.exe (2 events)
- PID 1468 Quotationv.exe (3 events)
- PID 1096 cmmon32.exe (18 events)

Suspicious behavior: MapViewOfSection (6 IoCs)
- PID 1468 Quotationv.exe (4 events)
- PID 1096 cmmon32.exe (2 events)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
- PID 1124 Quotationv.exe: SeDebugPrivilege
- PID 1468 Quotationv.exe: SeDebugPrivilege
- PID 1304 Explorer.EXE: SeShutdownPrivilege
- PID 1096 cmmon32.exe: SeDebugPrivilege

Suspicious use of FindShellTrayWindow (5 IoCs)
- PID 1304 Explorer.EXE (5 events)

Suspicious use of SendNotifyMessage (4 IoCs)
- PID 1304 Explorer.EXE (4 events)

Suspicious use of WriteProcessMemory (15 IoCs)
- PID 1124 Quotationv.exe wrote to memory of PID 1468 Quotationv.exe (7 events)
- PID 1468 Quotationv.exe wrote to memory of PID 1096 cmmon32.exe (4 events)
- PID 1096 cmmon32.exe wrote to memory of PID 1536 cmd.exe (4 events)
Processes

- C:\Windows\Explorer.EXE (PID 1304), command line: C:\Windows\Explorer.EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - C:\Users\Admin\AppData\Local\Temp\Quotationv.exe (PID 1124), command line: "C:\Users\Admin\AppData\Local\Temp\Quotationv.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Quotationv.exe (PID 1468), command line: "{path}"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmmon32.exe (PID 1096), command line: "C:\Windows\SysWOW64\cmmon32.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe (PID 1536), command line: /c del "C:\Users\Admin\AppData\Local\Temp\Quotationv.exe"
          - Deletes itself
  - C:\Windows\SysWOW64\autoconv.exe (PID 1620), command line: "C:\Windows\SysWOW64\autoconv.exe"
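The behaviours recorded above form one Formbook execution chain: the sample spawns a copy of itself and hollows it (SetThreadContext plus WriteProcessMemory from PID 1124 into PID 1468), the hollowed copy and then a Windows binary it launches (cmmon32.exe, PID 1096) each reset a thread context inside Explorer.EXE (PID 1304), and finally cmd.exe deletes the original file from the Temp directory. The script below is an added example, not part of the sandbox report and not Formbook code: it turns those four observations into detection logic run over process and API-call records constructed from the tables above. The record layout (the `Proc` dataclass and the `(api, source pid, target pid)` tuples) is an assumption about how a report export might look, not the sandbox's own format.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


# Constructed from the "Processes" tree of this report (pid, parent pid, image, command line).
PROCESSES = [
    Proc(1304, None, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    Proc(1124, 1304, r"C:\Users\Admin\AppData\Local\Temp\Quotationv.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\Quotationv.exe"'),
    Proc(1468, 1124, r"C:\Users\Admin\AppData\Local\Temp\Quotationv.exe", r'"{path}"'),
    Proc(1096, 1468, r"C:\Windows\SysWOW64\cmmon32.exe", r'"C:\Windows\SysWOW64\cmmon32.exe"'),
    Proc(1536, 1096, r"C:\Windows\SysWOW64\cmd.exe",
         r'/c del "C:\Users\Admin\AppData\Local\Temp\Quotationv.exe"'),
    Proc(1620, 1304, r"C:\Windows\SysWOW64\autoconv.exe", r'"C:\Windows\SysWOW64\autoconv.exe"'),
]

# (api, source pid, target pid), constructed from the SetThreadContext and
# WriteProcessMemory signature tables of this report with repeats collapsed.
API_EVENTS = [
    ("SetThreadContext", 1124, 1468),
    ("WriteProcessMemory", 1124, 1468),
    ("SetThreadContext", 1468, 1304),
    ("WriteProcessMemory", 1468, 1096),
    ("SetThreadContext", 1096, 1304),
    ("WriteProcessMemory", 1096, 1536),
]


def _name(p: Proc) -> str:
    return ntpath.basename(p.image).lower()

def _under_windows(p: Proc) -> bool:
    return p.image.lower().startswith("c:\\windows\\")

def hollowed_children(procs: List[Proc], events) -> List[int]:
    """Child with the same image as its parent, into which the parent both wrote
    memory and reset a thread context: the RunPE / process-hollowing shape."""
    by_pid = {p.pid: p for p in procs}
    ctx = {(s, t) for api, s, t in events if api == "SetThreadContext"}
    wpm = {(s, t) for api, s, t in events if api == "WriteProcessMemory"}
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent is None:
            continue
        edge = (parent.pid, p.pid)
        if edge in ctx and edge in wpm and _name(parent) == _name(p):
            hits.append(p.pid)
    return hits

def explorer_injectors(procs: List[Proc], events) -> List[int]:
    """Every process that reset a thread context inside Explorer.EXE."""
    by_pid = {p.pid: p for p in procs}
    return sorted({s for api, s, t in events
                   if api == "SetThreadContext" and _name(by_pid[t]) == "explorer.exe"})

def lolbin_injectors(procs: List[Proc], events) -> List[int]:
    """Explorer injectors that are Windows system binaries launched by a
    process outside C:\\Windows (here cmmon32.exe under the Temp-dropped sample)."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for pid in explorer_injectors(procs, events):
        p, parent = by_pid[pid], by_pid.get(by_pid[pid].ppid)
        if _under_windows(p) and parent is not None and not _under_windows(parent):
            hits.append(pid)
    return hits

def self_delete_commands(procs: List[Proc]) -> List[Tuple[int, int]]:
    """cmd.exe /c del <path> where <path> is the image of an ancestor process.
    Returns (cmd pid, ancestor pid) pairs; a del of an unrelated file is ignored."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if _name(p) != "cmd.exe":
            continue
        m = re.search(r'/c\s+del\s+"?(.+?)"?\s*$', p.cmdline, re.IGNORECASE)
        if not m:
            continue
        target = m.group(1).lower()
        anc = by_pid.get(p.ppid)
        while anc is not None:
            if anc.image.lower() == target:
                hits.append((p.pid, anc.pid))
                break
            anc = by_pid.get(anc.ppid)
    return hits

def formbook_chain(procs=PROCESSES, events=API_EVENTS) -> List[str]:
    """The four behaviours combined into one ordered list of findings."""
    out = [f"hollowed self-copy: pid {pid}" for pid in hollowed_children(procs, events)]
    out += [f"injects into Explorer.EXE: pid {pid}" for pid in explorer_injectors(procs, events)]
    out += [f"system binary used as injector: pid {pid}" for pid in lolbin_injectors(procs, events)]
    out += [f"self-deletion: cmd pid {c} removes image of pid {a}" for c, a in self_delete_commands(procs)]
    return out


if __name__ == "__main__":
    for finding in formbook_chain():
        print(finding)
```

Run as a script it prints the five findings for this run. Note that the self-deletion check deliberately requires the deleted path to match an ancestor's image, so an ordinary `cmd /c del` of some other file does not fire; and that Sysmon logs neither SetThreadContext nor WriteProcessMemory directly, so on endpoint telemetry the injection edges have to be approximated from ProcessAccess events (event ID 10) with a write-capable access mask before the same logic applies.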