Analysis
Max time kernel: 148s
Max time network: 148s
Platform: windows10_x64
Resource: win10-en-20211208
Submitted: 27-01-2022 22:17
Static task: static1
Behavioral task: behavioral1
  Sample: Quote_PDF.vbs
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: Quote_PDF.vbs
  Resource: win10-en-20211208
General
Target: Quote_PDF.vbs
Size: 444KB
MD5: d9f992f8020aa3a3bf5053657ae2b4e1
SHA1: 04862f6295b1f63466eac99adbe9f28f678b4aab
SHA256: 8dba6450d3ff2ac99d519d8f75affdcbb25bf5743e265246e0bfedd60a325a28
SHA512: 1f632773295db7dd8a30370a66f29bbcd10485f0483b616ae6e736020d6144cb345e992cd6101da50c70ae078d79de42afd9b1b6e33fd90ced49b0e81207199a
Malware Config
Signatures
Contains code to disable Windows Defender (5 IoCs)
A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, Block at First Sight, etc.
YARA rule disable_win_def matched on:
  C:\Users\Admin\AppData\Local\Temp\file.exe
  C:\Users\Admin\AppData\Local\Temp\file.exe
  behavioral2/memory/3864-120-0x00000000000C0000-0x00000000000E4000-memory.dmp
  C:\Users\Admin\AppData\Roaming\word.exe
  C:\Users\Admin\AppData\Roaming\word.exe
StormKitty
StormKitty is an open source info stealer written in C#.
StormKitty Payload (3 IoCs)
YARA rule family_stormkitty matched on:
  C:\Users\Admin\AppData\Local\Temp\name.exe
  C:\Users\Admin\AppData\Local\Temp\name.exe
  behavioral2/memory/3204-123-0x0000000000540000-0x0000000000570000-memory.dmp
AsyncRAT payload (8 IoCs)
YARA rule asyncrat matched on:
  C:\Users\Admin\AppData\Local\Temp\file.exe
  C:\Users\Admin\AppData\Local\Temp\file.exe
  behavioral2/memory/3864-120-0x00000000000C0000-0x00000000000E4000-memory.dmp
  C:\Users\Admin\AppData\Local\Temp\name.exe
  C:\Users\Admin\AppData\Local\Temp\name.exe
  behavioral2/memory/3204-123-0x0000000000540000-0x0000000000570000-memory.dmp
  C:\Users\Admin\AppData\Roaming\word.exe
  C:\Users\Admin\AppData\Roaming\word.exe
Executes dropped EXE (3 IoCs)
pid   process
3864  file.exe
3204  name.exe
192   word.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops desktop.ini file(s) (9 IoCs)
Every path below sits under a Grabber\DRIVE-C staging directory inside AppData\Local, which indicates these desktop.ini files are the stealer's copies of the victim's Documents, Downloads, Pictures and Desktop folders, not writes into the original folders.
description                   ioc                                                                                                                                      process
File created                  C:\Users\Admin\AppData\Local\d1177b714d25f8c715ef9e5ea394ef45\Admin@MHKKHUYI_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini                name.exe
File opened for modification  C:\Users\Admin\AppData\Local\d1177b714d25f8c715ef9e5ea394ef45\Admin@MHKKHUYI_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini                name.exe
File created                  C:\Users\Admin\AppData\Local\d1177b714d25f8c715ef9e5ea394ef45\Admin@MHKKHUYI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini                 name.exe
File created                  C:\Users\Admin\AppData\Local\d1177b714d25f8c715ef9e5ea394ef45\Admin@MHKKHUYI_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini                  name.exe
File created                  C:\Users\Admin\AppData\Local\d1177b714d25f8c715ef9e5ea394ef45\Admin@MHKKHUYI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini  name.exe
File opened for modification  C:\Users\Admin\AppData\Local\d1177b714d25f8c715ef9e5ea394ef45\Admin@MHKKHUYI_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini                name.exe
File created                  C:\Users\Admin\AppData\Local\d1177b714d25f8c715ef9e5ea394ef45\Admin@MHKKHUYI_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini                name.exe
File opened for modification  C:\Users\Admin\AppData\Local\d1177b714d25f8c715ef9e5ea394ef45\Admin@MHKKHUYI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini                 name.exe
File created                  C:\Users\Admin\AppData\Local\d1177b714d25f8c715ef9e5ea394ef45\Admin@MHKKHUYI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini     name.exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
19    icanhazip.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic note for this signature is "likely ransomware behaviour"; in this sample it is consistent with the stealer's file grabber walking drives (compare the Grabber\DRIVE-C staging paths above) rather than with encryption.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                          process
Key opened         \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0             name.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  name.exe
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task is created by schtasks.exe (PID 2660), launched from the dropped tmpC8EE.tmp.vbs: an onlogon trigger at the highest run level, task name word.exe, action C:\Users\Admin\AppData\Roaming\word.exe (see the process tree).
Modifies registry class (1 IoC)
description  ioc                                                                                 process
Key created  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings  file.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   process   hits
3864  file.exe  34
192   word.exe  21
3204  name.exe  9
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description              pid   process
Token: SeDebugPrivilege  3204  name.exe
Token: SeDebugPrivilege  3864  file.exe
Token: SeDebugPrivilege  192   word.exe
Suspicious use of WriteProcessMemory (32 IoCs)
Each row is a parent writing into a child it has just created, grouped with its repeat count. A parent writing into a newly created child's address space during process start-up is normal CreateProcess behaviour, so the value of this list is the parent/child chain it documents, not evidence of injection.
pid   process      target pid  target process  hits
2716  WScript.exe  3864        file.exe        2
2716  WScript.exe  3204        name.exe        3
3864  file.exe     1028        WScript.exe     2
1028  WScript.exe  2660        schtasks.exe    2
3864  file.exe     192         word.exe        2
3204  name.exe     1372        cmd.exe         3
1372  cmd.exe      2484        chcp.com        3
1372  cmd.exe      1812        netsh.exe       3
1372  cmd.exe      1772        findstr.exe     3
3204  name.exe     2068        cmd.exe         3
2068  cmd.exe      1976        chcp.com        3
2068  cmd.exe      1580        netsh.exe       3
Processes
C:\Windows\System32\WScript.exe (PID 2716)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Quote_PDF.vbs"
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\file.exe (PID 3864)
    Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WScript.exe (PID 1028)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tmpC8EE.tmp.vbs"
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\schtasks.exe (PID 2660)
        Command line: "C:\Windows\System32\schtasks.exe" /create /sc onlogon /rl highest /tn word.exe /tr "C:\Users\Admin\AppData\Roaming\word.exe
        - Creates scheduled task(s)
    C:\Users\Admin\AppData\Roaming\word.exe (PID 192)
      Command line: "C:\Users\Admin\AppData\Roaming\word.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\name.exe (PID 3204)
    Command line: "C:\Users\Admin\AppData\Local\Temp\name.exe"
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 1372)
      Command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\chcp.com (PID 2484)
        Command line: chcp 65001
      C:\Windows\SysWOW64\netsh.exe (PID 1812)
        Command line: netsh wlan show profile
      C:\Windows\SysWOW64\findstr.exe (PID 1772)
        Command line: findstr All
    C:\Windows\SysWOW64\cmd.exe (PID 2068)
      Command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\chcp.com (PID 1976)
        Command line: chcp 65001
      C:\Windows\SysWOW64\netsh.exe (PID 1580)
        Command line: netsh wlan show networks mode=bssid
C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
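The chain above (WScript.exe launching file.exe and name.exe out of Temp, file.exe registering word.exe as an onlogon task through a second VBS, and name.exe driving netsh wlan through cmd.exe) can be written as three process-tree rules. The following is an added example for this page, not the sandbox's or the malware's code. It runs the rules over a hand-constructed event list that mirrors the report's process tree (PIDs, images and command lines as printed there); the explorer.exe root PID 1234, the field names, and the two benign interactive-netsh rows at the end are assumptions made for the example.

```python
"""Detection rules for the dropper chain in this report, run over constructed
process-creation events (field names loosely follow Sysmon Event ID 1).

Added example, not part of the sandbox report or of the malware. EVENTS is
constructed by hand from the report's process tree; the explorer.exe root
PID 1234 and the benign control rows at the end are assumed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


EVENTS = [
    ProcEvent(2716, 1234, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Quote_PDF.vbs"'),
    ProcEvent(3864, 2716, r"C:\Users\Admin\AppData\Local\Temp\file.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\file.exe"'),
    ProcEvent(1028, 3864, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tmpC8EE.tmp.vbs"'),
    ProcEvent(2660, 1028, r"C:\Windows\System32\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /create /sc onlogon /rl highest /tn word.exe '
              r'/tr "C:\Users\Admin\AppData\Roaming\word.exe"'),
    ProcEvent(192, 3864, r"C:\Users\Admin\AppData\Roaming\word.exe",
              r'"C:\Users\Admin\AppData\Roaming\word.exe"'),
    ProcEvent(3204, 2716, r"C:\Users\Admin\AppData\Local\Temp\name.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\name.exe"'),
    ProcEvent(1372, 3204, r"C:\Windows\SysWOW64\cmd.exe",
              r'"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'),
    ProcEvent(1812, 1372, r"C:\Windows\SysWOW64\netsh.exe", r"netsh wlan show profile"),
    ProcEvent(2068, 3204, r"C:\Windows\SysWOW64\cmd.exe",
              r'"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid'),
    ProcEvent(1580, 2068, r"C:\Windows\SysWOW64\netsh.exe", r"netsh wlan show networks mode=bssid"),
    # Assumed benign control: an admin running the same query from an interactive cmd.
    ProcEvent(4001, 1234, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe"'),
    ProcEvent(4002, 4001, r"C:\Windows\System32\netsh.exe", r"netsh wlan show profile"),
]

# Anything under a user's AppData is writable without elevation; it is where the
# report's dropped binaries (Temp\file.exe, Temp\name.exe, Roaming\word.exe) live.
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(events, pid):
    """Return [process, parent, grandparent, ...] as far as the events allow."""
    by_pid = {e.pid: e for e in events}
    chain, cur = [], by_pid.get(pid)
    while cur is not None:
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def script_host_drops(events):
    """Rule 1: a script host (WScript/CScript) launches an executable out of AppData."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent and basename(parent.image) in SCRIPT_HOSTS and USER_WRITABLE.match(e.image):
            hits.append(e.pid)
    return hits


def onlogon_task_to_user_path(events):
    """Rule 2: schtasks /create with an onlogon trigger whose action lives in AppData.
    Returns (pid, action path, runs at highest level) tuples."""
    hits = []
    for e in events:
        if basename(e.image) != "schtasks.exe":
            continue
        low = e.cmdline.lower()
        if "/create" not in low or "/sc onlogon" not in low:
            continue
        m = re.search(r'/tr\s+"?([^"]+)', e.cmdline, re.IGNORECASE)
        if m and USER_WRITABLE.match(m.group(1).strip()):
            hits.append((e.pid, m.group(1).strip(), "/rl highest" in low))
    return hits


def wlan_recon_from_user_binary(events):
    """Rule 3: netsh wlan show profile|networks with an AppData binary somewhere in its
    ancestry (the Wi-Fi harvesting step). Returns (netsh pid, originating pid)."""
    hits = []
    for e in events:
        if basename(e.image) != "netsh.exe":
            continue
        if not re.search(r"wlan\s+show\s+(profile|networks)\b", e.cmdline, re.IGNORECASE):
            continue
        for a in ancestors(events, e.pid)[1:]:
            if USER_WRITABLE.match(a.image):
                hits.append((e.pid, a.pid))
                break
    return hits


if __name__ == "__main__":
    print("script host -> AppData exe:", script_host_drops(EVENTS))
    print("onlogon task into AppData:", onlogon_task_to_user_path(EVENTS))
    print("netsh wlan recon from AppData binary:", wlan_recon_from_user_binary(EVENTS))
```

Rule 3 keys on ancestry rather than on netsh alone because `netsh wlan show profile` is routine from an interactive shell; the two assumed control rows (cmd.exe under explorer, netsh under that cmd) are not flagged. Map `pid`/`ppid`/`image`/`cmdline` onto whatever your telemetry calls ProcessId, ParentProcessId, Image and CommandLine.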
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\file.exe
  MD5: 78df8357a69de092306ef19bd3d392a9
  SHA1: eba4800d57aaf97a06f787fec82641065527f6d5
  SHA256: 7d0ccd90388759c96e536943055fbecca5c51f553fb25f350de37ceb40a2613e
  SHA512: a5dbf72231e6513c2c7a9cc34ba24eedc0c1f49020deb2cf68e31eb93cac222bfdc8a6ce6f8d6ceb3c6efec23eef6cf62200b6a867ea67ad29c5ad43b5332d9a
C:\Users\Admin\AppData\Local\Temp\name.exe
  MD5: 85a86da84355abb40ccabdb5f45ae13b
  SHA1: 4a98a7682fbb721354f0fb672d9338ac62b4350c
  SHA256: d43d7ed548724fd7fe611014b3d4b170b41b36cc84e37fc307a7c6f4ea14272c
  SHA512: 7aa56b3556739317196f7b2e28cbadb597c0260a7e0cf33afc7b07057a368ac5345a822abf7ba74e5fd3889c801fbf240f6af250289cb01148e036dde5dc0bc1
C:\Users\Admin\AppData\Local\Temp\tmpC8EE.tmp.vbs
  MD5: f39a89ff1b5f43b3d88d8c8d140483af
  SHA1: c9ebd9d2d1625dbb11733c53000e88e2b24cd659
  SHA256: 8d15cd30d9ef7e9021ea1afdfd689d6fdbc746cba5617f5315734dfff65f1e09
  SHA512: 033f659a9f1fa998767529adfbe1adfc82c7788994e351fbf78152555759c0ed9f3dd750cb6d3a5ca3b99414ad52690e69698bf17ad12a47e14c86e2669aa78b
C:\Users\Admin\AppData\Roaming\word.exe (same hashes as Temp\file.exe: the dropper copied itself to Roaming as the target of the onlogon task)
  MD5: 78df8357a69de092306ef19bd3d392a9
  SHA1: eba4800d57aaf97a06f787fec82641065527f6d5
  SHA256: 7d0ccd90388759c96e536943055fbecca5c51f553fb25f350de37ceb40a2613e
  SHA512: a5dbf72231e6513c2c7a9cc34ba24eedc0c1f49020deb2cf68e31eb93cac222bfdc8a6ce6f8d6ceb3c6efec23eef6cf62200b6a867ea67ad29c5ad43b5332d9a
memory/192-130-0x000000001AF60000-0x000000001AF62000-memory.dmp   Filesize: 8KB
memory/3204-126-0x0000000004EA0000-0x0000000004F06000-memory.dmp  Filesize: 408KB
memory/3204-124-0x0000000004E90000-0x0000000004E91000-memory.dmp  Filesize: 4KB
memory/3204-123-0x0000000000540000-0x0000000000570000-memory.dmp  Filesize: 192KB
memory/3204-131-0x0000000005C60000-0x0000000005CF2000-memory.dmp  Filesize: 584KB
memory/3204-132-0x0000000006200000-0x00000000066FE000-memory.dmp  Filesize: 5.0MB
memory/3204-133-0x0000000004E93000-0x0000000004E95000-memory.dmp  Filesize: 8KB
memory/3204-134-0x0000000005D70000-0x0000000005D7A000-memory.dmp  Filesize: 40KB
memory/3204-135-0x0000000005E00000-0x0000000005E12000-memory.dmp  Filesize: 72KB
memory/3864-125-0x0000000000680000-0x0000000000682000-memory.dmp  Filesize: 8KB
memory/3864-120-0x00000000000C0000-0x00000000000E4000-memory.dmp  Filesize: 144KB