Overview

overview

10

Static

static

1

Quotation.exe

windows7_x64

10

Quotation.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    08-04-2021 06:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quotation.exe

  • Size

    222KB

  • MD5

    1f86caaa19912ceb55c9f6121eb692bb

  • SHA1

    2d4dd95fdb17937b22a3d6a41862704ed80acf70

  • SHA256

    8309d803c92faaf24828cd67e4c1041f9465ecf6c63f7608d7ed4579f075a02c

  • SHA512

    720c68b543c3d5eb2d026feb0ae46d0c77aa0eb71cd3302c520384cbff27e28fed1f9f0b3c761aed7bdea054fd2d3829f294f3250175d6d159d1167122f67a72

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.riceandginger.com/fcn/

Decoy

bellee-select.com

unlock-motorola.com

courtneyrunyon.com

hnzywjz.com

retrievingbest.net

ayescarrental.com

beyoutifulblessings.com

heritagediscovery.net

fasoum.com

wbz.xyz

lownak.com

alinkarmay.com

coffeyquiltco.com

validdreamers.com

yuksukcu.club

buildnextfrc.com

avantfarme.com

xyfs360.com

holisticpacific.com

banejia.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1248
    • C:\Users\Admin\AppData\Local\Temp\Quotation.exe
      "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:784
      • C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2012
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\SysWOW64\cmd.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:336
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        3⤵
        • Deletes itself
        PID:1712

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nshF8E0.tmp\laegtoh4.dll
    MD5

    f68cd7ef81a40b6dc714658aef692640

    SHA1

    377095c12352bea1ce2aa195f4354270f8571767

    SHA256

    b0511bd682e5d539f05be2c97d5e8e23dddc48cc32aaa6c25b6a6ecea4dee475

    SHA512

    4c412eb6c9b01ffe57b582373703864448db10b86d69a8b5ab9f2933917e6fd9fcd6124ff17a6a605a1c6d6569ea22df1b80877bef61b43f8d59b248d8791083

    Download Submit
  • memory/336-14-0x000000004AA10000-0x000000004AA5C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/336-17-0x0000000001DA0000-0x0000000001E33000-memory.dmp
    Filesize

    588KB

    Download
  • memory/336-16-0x0000000002070000-0x0000000002373000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/336-15-0x0000000000080000-0x00000000000AE000-memory.dmp
    Filesize

    184KB

    Download
  • memory/336-12-0x0000000000000000-mapping.dmp
    Download
  • memory/784-5-0x0000000000470000-0x0000000000472000-memory.dmp
    Filesize

    8KB

    Download
  • memory/784-2-0x0000000075C61000-0x0000000075C63000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1248-18-0x0000000003DA0000-0x0000000003E63000-memory.dmp
    Filesize

    780KB

    Download
  • memory/1248-9-0x0000000004FD0000-0x0000000005145000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1248-11-0x0000000007410000-0x00000000075B4000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1712-13-0x0000000000000000-mapping.dmp
    Download
  • memory/2012-6-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/2012-10-0x00000000003A0000-0x00000000003B4000-memory.dmp
    Filesize

    80KB

    Download
  • memory/2012-8-0x00000000002C0000-0x00000000002D4000-memory.dmp
    Filesize

    80KB

    Download
  • memory/2012-7-0x0000000000820000-0x0000000000B23000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/2012-4-0x000000000041EAA0-mapping.dmp
    Download