Analysis
- max time kernel: 147s
- max time network: 145s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 26-02-2021 06:53
- Static task: static1
- Behavioral task: behavioral1
- Sample: Request for Quotation.exe
- Resource: win7v20201028
General
- Target: Request for Quotation.exe
- Size: 500KB
- MD5: 1d9fd84bc6eaa80b160bd313750f6ff5
- SHA1: 011e1975d6cb6a567ad3fed83d59310728bd9227
- SHA256: 1df6109d033a42d97b34133e69afc0da679586b85b6614b034ebfd9343062d20
- SHA512: d66d0a83284f6f21e711c3d62bcd280042d6a50125dc410b4c79d6f6dba7be5b6bd628fb21e6491b2bb291770f6d1c3951257e948dcbbb587e397fc75296a8da
Malware Config
- Extracted family: formbook
- http://www.fptableau.com/u3q/
Signatures

Beds Protector Packer (1 IoC)
Detects Beds Protector packer used to load .NET malware.
Resource / YARA rule:
- behavioral1/memory/776-7-0x00000000004D0000-0x000000000052E000-memory.dmp: beds_protector

Formbook Payload (3 IoCs)
Resource / YARA rule:
- behavioral1/memory/1992-10-0x000000000041EB70-mapping.dmp: formbook
- behavioral1/memory/1992-9-0x0000000000400000-0x000000000042E000-memory.dmp: formbook
- behavioral1/memory/1784-18-0x0000000000080000-0x00000000000AE000-memory.dmp: formbook

Deletes itself (1 IoC)
Processes:
- PID 436 cmd.exe

Suspicious use of SetThreadContext (3 IoCs)
Processes (pid / process / target process):
- PID 776 Request for Quotation.exe set thread context of PID 1992 Request for Quotation.exe
- PID 1992 Request for Quotation.exe set thread context of PID 1248 Explorer.EXE
- PID 1784 ipconfig.exe set thread context of PID 1248 Explorer.EXE

Gathers network information (2 TTPs, 1 IoC)
Uses commandline utility to view network configuration.
Processes:
- PID 1784 ipconfig.exe

Suspicious behavior: EnumeratesProcesses (30 IoCs)
Processes:
- PID 1992 Request for Quotation.exe (2 occurrences)
- PID 1784 ipconfig.exe (28 occurrences)

Suspicious behavior: MapViewOfSection (5 IoCs)
Processes:
- PID 1992 Request for Quotation.exe (3 occurrences)
- PID 1784 ipconfig.exe (2 occurrences)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description / pid / process):
- Token: SeDebugPrivilege, PID 1992 Request for Quotation.exe
- Token: SeDebugPrivilege, PID 1784 ipconfig.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
Processes:
- PID 1248 Explorer.EXE (4 occurrences)

Suspicious use of SendNotifyMessage (4 IoCs)
Processes:
- PID 1248 Explorer.EXE (4 occurrences)

Suspicious use of WriteProcessMemory (15 IoCs)
Processes (pid / process / target process):
- PID 776 Request for Quotation.exe wrote to memory of PID 1992 Request for Quotation.exe (7 occurrences)
- PID 1248 Explorer.EXE wrote to memory of PID 1784 ipconfig.exe (4 occurrences)
- PID 1784 ipconfig.exe wrote to memory of PID 436 cmd.exe (4 occurrences)
Processes

- C:\Windows\Explorer.EXE (PID 1248, depth 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe (PID 776, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe (PID 1992, depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\ipconfig.exe (PID 1784, depth 2)
    Command line: "C:\Windows\SysWOW64\ipconfig.exe"
    - Suspicious use of SetThreadContext
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\cmd.exe (PID 436, depth 3)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"
      - Deletes itself
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/436-19-0x0000000000000000-mapping.dmp
- memory/776-2-0x0000000073D40000-0x000000007442E000-memory.dmp (Filesize 6.9MB)
- memory/776-3-0x0000000000D00000-0x0000000000D01000-memory.dmp (Filesize 4KB)
- memory/776-5-0x0000000075C61000-0x0000000075C63000-memory.dmp (Filesize 8KB)
- memory/776-6-0x0000000002260000-0x0000000002261000-memory.dmp (Filesize 4KB)
- memory/776-7-0x00000000004D0000-0x000000000052E000-memory.dmp (Filesize 376KB)
- memory/776-8-0x0000000000440000-0x000000000044F000-memory.dmp (Filesize 60KB)
- memory/1248-14-0x0000000004FD0000-0x00000000050DE000-memory.dmp (Filesize 1.1MB)
- memory/1248-22-0x0000000006A60000-0x0000000006BB0000-memory.dmp (Filesize 1.3MB)
- memory/1784-15-0x0000000000000000-mapping.dmp
- memory/1784-17-0x0000000000B50000-0x0000000000B5A000-memory.dmp (Filesize 40KB)
- memory/1784-18-0x0000000000080000-0x00000000000AE000-memory.dmp (Filesize 184KB)
- memory/1784-20-0x00000000020F0000-0x00000000023F3000-memory.dmp (Filesize 3.0MB)
- memory/1784-21-0x00000000009F0000-0x0000000000A83000-memory.dmp (Filesize 588KB)
- memory/1992-9-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize 184KB)
- memory/1992-12-0x0000000000930000-0x0000000000C33000-memory.dmp (Filesize 3.0MB)
- memory/1992-13-0x0000000000290000-0x00000000002A4000-memory.dmp (Filesize 80KB)
- memory/1992-10-0x000000000041EB70-mapping.dmp