Analysis
- max time kernel: 148s
- max time network: 138s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 08-04-2021 06:53

Static task: static1
Behavioral task: behavioral1
Sample: Quotation.exe
Resource: win7v20201028

General
- Target: Quotation.exe
- Size: 222KB
- MD5: 1f86caaa19912ceb55c9f6121eb692bb
- SHA1: 2d4dd95fdb17937b22a3d6a41862704ed80acf70
- SHA256: 8309d803c92faaf24828cd67e4c1041f9465ecf6c63f7608d7ed4579f075a02c
- SHA512: 720c68b543c3d5eb2d026feb0ae46d0c77aa0eb71cd3302c520384cbff27e28fed1f9f0b3c761aed7bdea054fd2d3829f294f3250175d6d159d1167122f67a72
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- C2: http://www.riceandginger.com/fcn/
Signatures

- Formbook Payload (2 IoCs)
  Processes:
    resource                                                                      yara_rule
    behavioral2/memory/3160-5-0x0000000000400000-0x000000000042E000-memory.dmp   formbook
    behavioral2/memory/2440-12-0x0000000002940000-0x000000000296E000-memory.dmp  formbook

- Loads dropped DLL (1 IoCs)
  Processes:
    pid   process
    644   Quotation.exe

- Suspicious use of SetThreadContext (3 IoCs)
  Processes:
    description                          pid   process        target process
    PID 644 set thread context of 3160   644   Quotation.exe  Quotation.exe
    PID 3160 set thread context of 3052  3160  Quotation.exe  Explorer.EXE
    PID 2440 set thread context of 3052  2440  colorcpl.exe   Explorer.EXE

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (60 IoCs)
  Processes:
    pid   process        entries
    3160  Quotation.exe  4
    2440  colorcpl.exe   56

- Suspicious behavior: MapViewOfSection (6 IoCs)
  Processes:
    pid   process        entries
    644   Quotation.exe  1
    3160  Quotation.exe  3
    2440  colorcpl.exe   2

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  3160  Quotation.exe
    Token: SeDebugPrivilege  2440  colorcpl.exe

- Suspicious use of UnmapMainImage (1 IoCs)
  Processes:
    pid   process
    3052  Explorer.EXE

- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
    description                       pid   process        target process  entries
    PID 644 wrote to memory of 3160   644   Quotation.exe  Quotation.exe   4
    PID 3052 wrote to memory of 2440  3052  Explorer.EXE   colorcpl.exe    3
    PID 2440 wrote to memory of 756   2440  colorcpl.exe   cmd.exe         3
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Quotation.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Quotation.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\colorcpl.exe
    Command line: "C:\Windows\SysWOW64\colorcpl.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- \Users\Admin\AppData\Local\Temp\nsh5858.tmp\laegtoh4.dll
  MD5: f68cd7ef81a40b6dc714658aef692640
  SHA1: 377095c12352bea1ce2aa195f4354270f8571767
  SHA256: b0511bd682e5d539f05be2c97d5e8e23dddc48cc32aaa6c25b6a6ecea4dee475
  SHA512: 4c412eb6c9b01ffe57b582373703864448db10b86d69a8b5ab9f2933917e6fd9fcd6124ff17a6a605a1c6d6569ea22df1b80877bef61b43f8d59b248d8791083

- memory/644-4-0x00000000022B0000-0x00000000022B2000-memory.dmp
  Filesize: 8KB
- memory/756-14-0x0000000000000000-mapping.dmp
- memory/2440-12-0x0000000002940000-0x000000000296E000-memory.dmp
  Filesize: 184KB
- memory/2440-10-0x0000000000000000-mapping.dmp
- memory/2440-11-0x0000000000150000-0x0000000000169000-memory.dmp
  Filesize: 100KB
- memory/2440-13-0x00000000043C0000-0x00000000046E0000-memory.dmp
  Filesize: 3.1MB
- memory/2440-16-0x0000000004220000-0x00000000042B3000-memory.dmp
  Filesize: 588KB
- memory/3052-9-0x0000000002A30000-0x0000000002AF9000-memory.dmp
  Filesize: 804KB
- memory/3052-17-0x0000000004F60000-0x0000000005029000-memory.dmp
  Filesize: 804KB
- memory/3160-6-0x0000000000B40000-0x0000000000E60000-memory.dmp
  Filesize: 3.1MB
- memory/3160-8-0x00000000005C0000-0x00000000005D4000-memory.dmp
  Filesize: 80KB
- memory/3160-5-0x0000000000400000-0x000000000042E000-memory.dmp
  Filesize: 184KB
- memory/3160-3-0x000000000041EAA0-mapping.dmp