Analysis
max time kernel: 147s
max time network: 160s
platform: windows7_x64
resource: win7v20210408
submitted: 27-07-2021 20:20
Static task: static1
Behavioral task: behavioral1
Sample: QUOTATION.exe
Resource: win7v20210408
General
Target: QUOTATION.exe
Size: 739KB
MD5: f6b430cda92dd026e96e7d304d20db43
SHA1: 701f788e29b0a9640e53c826cd871f3f9fdd3160
SHA256: e1f620a49978341460d102aefd71b13a0f3d36aaf8dfa042844984ad6dcfaa7c
SHA512: a7e82ac7e136a03e03665e4ed108ab14296726867413c464a25c5b9e28280721fec639c6a4825733c18934ad17e3840d72ab7a1ef36a4912b043e960c095c582
Malware Config
Extracted: formbook 4.1
http://www.jzmbgjj.com/j7e/
Signatures
suricata: ET MALWARE FormBook CnC Checkin (GET)
Formbook Payload 3 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1640-64-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
behavioral1/memory/1640-65-0x000000000041EA80-mapping.dmp | formbook
behavioral1/memory/1820-74-0x00000000000D0000-0x00000000000FE000-memory.dmp | formbook
Deletes itself 1 IoCs
Processes:
pid | process
1756 | cmd.exe
Suspicious use of SetThreadContext 4 IoCs
Processes:
description | pid | process | target process
PID 1832 set thread context of 1640 | 1832 | QUOTATION.exe | QUOTATION.exe
PID 1640 set thread context of 1212 | 1640 | QUOTATION.exe | Explorer.EXE
PID 1640 set thread context of 1212 | 1640 | QUOTATION.exe | Explorer.EXE
PID 1820 set thread context of 1212 | 1820 | control.exe | Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
pid | process
1640 | QUOTATION.exe (3 identical entries)
1820 | control.exe (17 identical entries)
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
pid | process
1640 | QUOTATION.exe (4 identical entries)
1820 | control.exe (2 identical entries)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1640 | QUOTATION.exe
Token: SeDebugPrivilege | 1820 | control.exe
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
pid | process
1212 | Explorer.EXE (4 identical entries)
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
pid | process
1212 | Explorer.EXE (4 identical entries)
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
description | pid | process | target process
PID 1832 wrote to memory of 1232 | 1832 | QUOTATION.exe | schtasks.exe (4 identical entries)
PID 1832 wrote to memory of 1640 | 1832 | QUOTATION.exe | QUOTATION.exe (7 identical entries)
PID 1212 wrote to memory of 1820 | 1212 | Explorer.EXE | control.exe (4 identical entries)
PID 1820 wrote to memory of 1756 | 1820 | control.exe | cmd.exe (4 identical entries)
Processes
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KpABAQIVyVKx" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB78C.tmp"
      - Creates scheduled task(s)
    C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe
      command line: "{path}"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\control.exe
    command line: "C:\Windows\SysWOW64\control.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe"
      - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\tmpB78C.tmp
MD5: 909b56222639654ca267442e0ad77c19
SHA1: b02d096e3b8df1a865524dbb7b47ce9b3a021972
SHA256: c6dacaacc1038989f67301e9cb0e5520beeedb73d9833a1ba3753d68bc81e604
SHA512: 062bb9dd37a75df3c134ff98766791f37886cccbdc7fba4574c4eee53c1b2071885630a331cd936f2a48c389c6ff0fdeda404fdb86b3c44f298af9d2a49cb83e
memory/1212-68-0x0000000004FB0000-0x00000000050B8000-memory.dmp, Filesize: 1.0MB
memory/1212-78-0x0000000006720000-0x00000000068AC000-memory.dmp, Filesize: 1.5MB
memory/1212-70-0x0000000003E20000-0x0000000003EED000-memory.dmp, Filesize: 820KB
memory/1232-62-0x0000000000000000-mapping.dmp
memory/1640-66-0x0000000000910000-0x0000000000C13000-memory.dmp, Filesize: 3.0MB
memory/1640-69-0x00000000003E0000-0x00000000003F4000-memory.dmp, Filesize: 80KB
memory/1640-67-0x0000000000240000-0x0000000000254000-memory.dmp, Filesize: 80KB
memory/1640-65-0x000000000041EA80-mapping.dmp
memory/1640-64-0x0000000000400000-0x000000000042E000-memory.dmp, Filesize: 184KB
memory/1756-75-0x0000000000000000-mapping.dmp
memory/1820-71-0x0000000000000000-mapping.dmp
memory/1820-73-0x0000000000470000-0x000000000048F000-memory.dmp, Filesize: 124KB
memory/1820-76-0x0000000001EF0000-0x00000000021F3000-memory.dmp, Filesize: 3.0MB
memory/1820-74-0x00000000000D0000-0x00000000000FE000-memory.dmp, Filesize: 184KB
memory/1820-77-0x0000000001DD0000-0x0000000001E63000-memory.dmp, Filesize: 588KB
memory/1832-61-0x0000000001FC1000-0x0000000001FC2000-memory.dmp, Filesize: 4KB
memory/1832-59-0x0000000075801000-0x0000000075803000-memory.dmp, Filesize: 8KB
memory/1832-60-0x0000000001FC0000-0x0000000001FC1000-memory.dmp, Filesize: 4KB