Analysis
- max time kernel: 156s
- max time network: 165s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 27-01-2022 22:17
Static task: static1
Behavioral task: behavioral1 (Sample: Quote_PDF.vbs, Resource: win7-en-20211208)
Behavioral task: behavioral2 (Sample: Quote_PDF.vbs, Resource: win10-en-20211208)
General
- Target: Quote_PDF.vbs
- Size: 444KB
- MD5: d9f992f8020aa3a3bf5053657ae2b4e1
- SHA1: 04862f6295b1f63466eac99adbe9f28f678b4aab
- SHA256: 8dba6450d3ff2ac99d519d8f75affdcbb25bf5743e265246e0bfedd60a325a28
- SHA512: 1f632773295db7dd8a30370a66f29bbcd10485f0483b616ae6e736020d6144cb345e992cd6101da50c70ae078d79de42afd9b1b6e33fd90ced49b0e81207199a
Malware Config
Signatures

Contains code to disable Windows Defender (6 IoCs)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes (resource | yara_rule):
  C:\Users\Admin\AppData\Local\Temp\file.exe | disable_win_def
  C:\Users\Admin\AppData\Local\Temp\file.exe | disable_win_def
  behavioral1/memory/1028-61-0x0000000000800000-0x0000000000824000-memory.dmp | disable_win_def
  C:\Users\Admin\AppData\Roaming\word.exe | disable_win_def
  C:\Users\Admin\AppData\Roaming\word.exe | disable_win_def
  behavioral1/memory/1292-68-0x0000000000D00000-0x0000000000D24000-memory.dmp | disable_win_def
StormKitty
StormKitty is an open source info stealer written in C#.

StormKitty Payload (3 IoCs)
Processes (resource | yara_rule):
  C:\Users\Admin\AppData\Local\Temp\name.exe | family_stormkitty
  C:\Users\Admin\AppData\Local\Temp\name.exe | family_stormkitty
  behavioral1/memory/580-59-0x00000000011B0000-0x00000000011E0000-memory.dmp | family_stormkitty
Async RAT payload (9 IoCs)
Processes (resource | yara_rule):
  C:\Users\Admin\AppData\Local\Temp\file.exe | asyncrat
  C:\Users\Admin\AppData\Local\Temp\file.exe | asyncrat
  C:\Users\Admin\AppData\Local\Temp\name.exe | asyncrat
  C:\Users\Admin\AppData\Local\Temp\name.exe | asyncrat
  behavioral1/memory/580-59-0x00000000011B0000-0x00000000011E0000-memory.dmp | asyncrat
  behavioral1/memory/1028-61-0x0000000000800000-0x0000000000824000-memory.dmp | asyncrat
  C:\Users\Admin\AppData\Roaming\word.exe | asyncrat
  C:\Users\Admin\AppData\Roaming\word.exe | asyncrat
  behavioral1/memory/1292-68-0x0000000000D00000-0x0000000000D24000-memory.dmp | asyncrat
Executes dropped EXE (3 IoCs)
Processes (pid | process):
  1028 | file.exe
  580 | name.exe
  1292 | word.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops desktop.ini file(s) (5 IoCs)
Processes (description | ioc | process):
  File created | C:\Users\Admin\AppData\Local\0156931b588302ee37d614b7af6448b3\Admin@VQVVOAJK_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | name.exe
  File created | C:\Users\Admin\AppData\Local\0156931b588302ee37d614b7af6448b3\Admin@VQVVOAJK_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | name.exe
  File created | C:\Users\Admin\AppData\Local\0156931b588302ee37d614b7af6448b3\Admin@VQVVOAJK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | name.exe
  File created | C:\Users\Admin\AppData\Local\0156931b588302ee37d614b7af6448b3\Admin@VQVVOAJK_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | name.exe
  File opened for modification | C:\Users\Admin\AppData\Local\0156931b588302ee37d614b7af6448b3\Admin@VQVVOAJK_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | name.exe
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow | ioc):
  6 | icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | name.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | name.exe
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (28 IoCs)
Processes (pid | process, with number of repeated entries):
  1028 | file.exe (13 entries)
  1292 | word.exe (10 entries)
  580 | name.exe (5 entries)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes (description | pid | process):
  Token: SeDebugPrivilege | 580 | name.exe
  Token: SeDebugPrivilege | 1028 | file.exe
  Token: SeDebugPrivilege | 1292 | word.exe
Suspicious use of WriteProcessMemory (44 IoCs)
Processes (description | pid process -> target process, with number of repeated entries):
  PID 848 wrote to memory of 1028 | 848 WScript.exe -> file.exe (3 entries)
  PID 848 wrote to memory of 580 | 848 WScript.exe -> name.exe (4 entries)
  PID 1028 wrote to memory of 1404 | 1028 file.exe -> WScript.exe (3 entries)
  PID 1404 wrote to memory of 1128 | 1404 WScript.exe -> schtasks.exe (3 entries)
  PID 1028 wrote to memory of 1292 | 1028 file.exe -> word.exe (3 entries)
  PID 580 wrote to memory of 1968 | 580 name.exe -> cmd.exe (4 entries)
  PID 1968 wrote to memory of 988 | 1968 cmd.exe -> chcp.com (4 entries)
  PID 1968 wrote to memory of 1884 | 1968 cmd.exe -> netsh.exe (4 entries)
  PID 1968 wrote to memory of 1172 | 1968 cmd.exe -> findstr.exe (4 entries)
  PID 580 wrote to memory of 1688 | 580 name.exe -> cmd.exe (4 entries)
  PID 1688 wrote to memory of 784 | 1688 cmd.exe -> chcp.com (4 entries)
  PID 1688 wrote to memory of 1992 | 1688 cmd.exe -> netsh.exe (4 entries)
Processes (process tree; indentation shows parent/child depth)

- C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Quote_PDF.vbs"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\file.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tmp1FB1.tmp.vbs"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\System32\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /create /sc onlogon /rl highest /tn word.exe /tr "C:\Users\Admin\AppData\Roaming\word.exe
        Signatures: Creates scheduled task(s)
    - C:\Users\Admin\AppData\Roaming\word.exe
      Command line: "C:\Users\Admin\AppData\Roaming\word.exe"
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\name.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\name.exe"
    Signatures: Executes dropped EXE; Drops desktop.ini file(s); Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\chcp.com
        Command line: chcp 65001
      - C:\Windows\SysWOW64\netsh.exe
        Command line: netsh wlan show profile
      - C:\Windows\SysWOW64\findstr.exe
        Command line: findstr All
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\chcp.com
        Command line: chcp 65001
      - C:\Windows\SysWOW64\netsh.exe
        Command line: netsh wlan show networks mode=bssid
- C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\file.exe
  MD5: 78df8357a69de092306ef19bd3d392a9
  SHA1: eba4800d57aaf97a06f787fec82641065527f6d5
  SHA256: 7d0ccd90388759c96e536943055fbecca5c51f553fb25f350de37ceb40a2613e
  SHA512: a5dbf72231e6513c2c7a9cc34ba24eedc0c1f49020deb2cf68e31eb93cac222bfdc8a6ce6f8d6ceb3c6efec23eef6cf62200b6a867ea67ad29c5ad43b5332d9a
- C:\Users\Admin\AppData\Local\Temp\name.exe
  MD5: 85a86da84355abb40ccabdb5f45ae13b
  SHA1: 4a98a7682fbb721354f0fb672d9338ac62b4350c
  SHA256: d43d7ed548724fd7fe611014b3d4b170b41b36cc84e37fc307a7c6f4ea14272c
  SHA512: 7aa56b3556739317196f7b2e28cbadb597c0260a7e0cf33afc7b07057a368ac5345a822abf7ba74e5fd3889c801fbf240f6af250289cb01148e036dde5dc0bc1
- C:\Users\Admin\AppData\Local\Temp\tmp1FB1.tmp.vbs
  MD5: f39a89ff1b5f43b3d88d8c8d140483af
  SHA1: c9ebd9d2d1625dbb11733c53000e88e2b24cd659
  SHA256: 8d15cd30d9ef7e9021ea1afdfd689d6fdbc746cba5617f5315734dfff65f1e09
  SHA512: 033f659a9f1fa998767529adfbe1adfc82c7788994e351fbf78152555759c0ed9f3dd750cb6d3a5ca3b99414ad52690e69698bf17ad12a47e14c86e2669aa78b
- C:\Users\Admin\AppData\Roaming\word.exe
  MD5: 78df8357a69de092306ef19bd3d392a9
  SHA1: eba4800d57aaf97a06f787fec82641065527f6d5
  SHA256: 7d0ccd90388759c96e536943055fbecca5c51f553fb25f350de37ceb40a2613e
  SHA512: a5dbf72231e6513c2c7a9cc34ba24eedc0c1f49020deb2cf68e31eb93cac222bfdc8a6ce6f8d6ceb3c6efec23eef6cf62200b6a867ea67ad29c5ad43b5332d9a
- memory/580-62-0x0000000000650000-0x0000000000651000-memory.dmp (Filesize: 4KB)
- memory/580-60-0x00000000751B1000-0x00000000751B3000-memory.dmp (Filesize: 8KB)
- memory/580-59-0x00000000011B0000-0x00000000011E0000-memory.dmp (Filesize: 192KB)
- memory/580-70-0x0000000000655000-0x0000000000666000-memory.dmp (Filesize: 68KB)
- memory/848-54-0x000007FEFB591000-0x000007FEFB593000-memory.dmp (Filesize: 8KB)
- memory/1028-61-0x0000000000800000-0x0000000000824000-memory.dmp (Filesize: 144KB)
- memory/1028-63-0x000000001B090000-0x000000001B092000-memory.dmp (Filesize: 8KB)
- memory/1292-68-0x0000000000D00000-0x0000000000D24000-memory.dmp (Filesize: 144KB)
- memory/1292-69-0x0000000002170000-0x0000000002172000-memory.dmp (Filesize: 8KB)