Analysis
max time kernel: 146s
max time network: 139s
platform: windows7_x64
resource: win7-en-20211208
submitted: 27-01-2022 14:51
Static task: static1
Behavioral task: behavioral1
Sample: QuotePDF.vbs
Resource: win7-en-20211208
General
Target: QuotePDF.vbs
Size: 444KB
MD5: d9f992f8020aa3a3bf5053657ae2b4e1
SHA1: 04862f6295b1f63466eac99adbe9f28f678b4aab
SHA256: 8dba6450d3ff2ac99d519d8f75affdcbb25bf5743e265246e0bfedd60a325a28
SHA512: 1f632773295db7dd8a30370a66f29bbcd10485f0483b616ae6e736020d6144cb345e992cd6101da50c70ae078d79de42afd9b1b6e33fd90ced49b0e81207199a
Malware Config
Signatures
Contains code to disable Windows Defender (6 IoCs)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes:
  resource                                                                      yara_rule
  C:\Users\Admin\AppData\Local\Temp\file.exe                                    disable_win_def
  C:\Users\Admin\AppData\Local\Temp\file.exe                                    disable_win_def
  behavioral1/memory/268-60-0x0000000000C20000-0x0000000000C44000-memory.dmp  disable_win_def
  behavioral1/memory/592-69-0x0000000000170000-0x0000000000194000-memory.dmp  disable_win_def
  C:\Users\Admin\AppData\Roaming\word.exe                                       disable_win_def
  C:\Users\Admin\AppData\Roaming\word.exe                                       disable_win_def

StormKitty
StormKitty is an open source info stealer written in C#.

StormKitty Payload (3 IoCs)
Processes:
  resource                                                                       yara_rule
  C:\Users\Admin\AppData\Local\Temp\name.exe                                     family_stormkitty
  C:\Users\Admin\AppData\Local\Temp\name.exe                                     family_stormkitty
  behavioral1/memory/1276-61-0x0000000000FE0000-0x0000000001010000-memory.dmp  family_stormkitty

suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
Async RAT payload (9 IoCs)
Processes:
  resource                                                                       yara_rule
  C:\Users\Admin\AppData\Local\Temp\file.exe                                     asyncrat
  C:\Users\Admin\AppData\Local\Temp\file.exe                                     asyncrat
  C:\Users\Admin\AppData\Local\Temp\name.exe                                     asyncrat
  C:\Users\Admin\AppData\Local\Temp\name.exe                                     asyncrat
  behavioral1/memory/268-60-0x0000000000C20000-0x0000000000C44000-memory.dmp   asyncrat
  behavioral1/memory/1276-61-0x0000000000FE0000-0x0000000001010000-memory.dmp  asyncrat
  behavioral1/memory/592-69-0x0000000000170000-0x0000000000194000-memory.dmp   asyncrat
  C:\Users\Admin\AppData\Roaming\word.exe                                        asyncrat
  C:\Users\Admin\AppData\Roaming\word.exe                                        asyncrat

Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  268   file.exe
  1276  name.exe
  592   word.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops desktop.ini file(s) (5 IoCs)
Processes:
  description                   ioc                                                                                                                            process
  File created                  C:\Users\Admin\AppData\Local\d65792383300f784b36841317e7d8e72\Admin@QSKGHMYQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini  name.exe
  File opened for modification  C:\Users\Admin\AppData\Local\d65792383300f784b36841317e7d8e72\Admin@QSKGHMYQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini  name.exe
  File created                  C:\Users\Admin\AppData\Local\d65792383300f784b36841317e7d8e72\Admin@QSKGHMYQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini   name.exe
  File created                  C:\Users\Admin\AppData\Local\d65792383300f784b36841317e7d8e72\Admin@QSKGHMYQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini    name.exe
  File created                  C:\Users\Admin\AppData\Local\d65792383300f784b36841317e7d8e72\Admin@QSKGHMYQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini  name.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  7     icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                          process
  Key opened         \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0             name.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  name.exe

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (28 IoCs)
Processes (consecutive identical rows collapsed, count in the last column):
  pid   process   count
  268   file.exe  13
  1276  name.exe  2
  592   word.exe  4
  1276  name.exe  2
  592   word.exe  6
  1276  name.exe  1

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  1276  name.exe
  Token: SeDebugPrivilege  268   file.exe
  Token: SeDebugPrivilege  592   word.exe

Suspicious use of WriteProcessMemory (44 IoCs)
Processes (consecutive identical rows collapsed, count in the last column):
  pid   process      target pid  target process  count
  1652  WScript.exe  268         file.exe        3
  1652  WScript.exe  1276        name.exe        4
  268   file.exe     988         WScript.exe     3
  988   WScript.exe  1740        schtasks.exe    3
  268   file.exe     592         word.exe        3
  1276  name.exe     1964        cmd.exe         4
  1964  cmd.exe      1532        chcp.com        4
  1964  cmd.exe      1968        netsh.exe       4
  1964  cmd.exe      1120        findstr.exe     4
  1276  name.exe     1776        cmd.exe         4
  1776  cmd.exe      988         chcp.com        4
  1776  cmd.exe      940         netsh.exe       4

Processes (bracketed number is the depth in the process tree; first line is the image path, second the command line)
[1] C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\QuotePDF.vbs"
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\file.exe
        "C:\Users\Admin\AppData\Local\Temp\file.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tmpFE2D.tmp.vbs"
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\System32\schtasks.exe
                "C:\Windows\System32\schtasks.exe" /create /sc onlogon /rl highest /tn word.exe /tr "C:\Users\Admin\AppData\Roaming\word.exe
                - Creates scheduled task(s)
        [3] C:\Users\Admin\AppData\Roaming\word.exe
            "C:\Users\Admin\AppData\Roaming\word.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
    [2] C:\Users\Admin\AppData\Local\Temp\name.exe
        "C:\Users\Admin\AppData\Local\Temp\name.exe"
        - Executes dropped EXE
        - Drops desktop.ini file(s)
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\chcp.com
                chcp 65001
            [4] C:\Windows\SysWOW64\netsh.exe
                netsh wlan show profile
            [4] C:\Windows\SysWOW64\findstr.exe
                findstr All
        [3] C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\chcp.com
                chcp 65001
            [4] C:\Windows\SysWOW64\netsh.exe
                netsh wlan show networks mode=bssid
[1] C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
[1] C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\file.exe
  MD5:    78df8357a69de092306ef19bd3d392a9
  SHA1:   eba4800d57aaf97a06f787fec82641065527f6d5
  SHA256: 7d0ccd90388759c96e536943055fbecca5c51f553fb25f350de37ceb40a2613e
  SHA512: a5dbf72231e6513c2c7a9cc34ba24eedc0c1f49020deb2cf68e31eb93cac222bfdc8a6ce6f8d6ceb3c6efec23eef6cf62200b6a867ea67ad29c5ad43b5332d9a
C:\Users\Admin\AppData\Local\Temp\name.exe
  MD5:    85a86da84355abb40ccabdb5f45ae13b
  SHA1:   4a98a7682fbb721354f0fb672d9338ac62b4350c
  SHA256: d43d7ed548724fd7fe611014b3d4b170b41b36cc84e37fc307a7c6f4ea14272c
  SHA512: 7aa56b3556739317196f7b2e28cbadb597c0260a7e0cf33afc7b07057a368ac5345a822abf7ba74e5fd3889c801fbf240f6af250289cb01148e036dde5dc0bc1
C:\Users\Admin\AppData\Local\Temp\tmpFE2D.tmp.vbs
  MD5:    f39a89ff1b5f43b3d88d8c8d140483af
  SHA1:   c9ebd9d2d1625dbb11733c53000e88e2b24cd659
  SHA256: 8d15cd30d9ef7e9021ea1afdfd689d6fdbc746cba5617f5315734dfff65f1e09
  SHA512: 033f659a9f1fa998767529adfbe1adfc82c7788994e351fbf78152555759c0ed9f3dd750cb6d3a5ca3b99414ad52690e69698bf17ad12a47e14c86e2669aa78b
C:\Users\Admin\AppData\Roaming\word.exe
  MD5:    78df8357a69de092306ef19bd3d392a9
  SHA1:   eba4800d57aaf97a06f787fec82641065527f6d5
  SHA256: 7d0ccd90388759c96e536943055fbecca5c51f553fb25f350de37ceb40a2613e
  SHA512: a5dbf72231e6513c2c7a9cc34ba24eedc0c1f49020deb2cf68e31eb93cac222bfdc8a6ce6f8d6ceb3c6efec23eef6cf62200b6a867ea67ad29c5ad43b5332d9a
memory/268-64-0x0000000000300000-0x0000000000540000-memory.dmp
  Filesize: 2.2MB
memory/268-60-0x0000000000C20000-0x0000000000C44000-memory.dmp
  Filesize: 144KB
memory/592-69-0x0000000000170000-0x0000000000194000-memory.dmp
  Filesize: 144KB
memory/592-70-0x000000001B060000-0x000000001B062000-memory.dmp
  Filesize: 8KB
memory/1276-62-0x0000000076641000-0x0000000076643000-memory.dmp
  Filesize: 8KB
memory/1276-63-0x0000000000350000-0x0000000000351000-memory.dmp
  Filesize: 4KB
memory/1276-61-0x0000000000FE0000-0x0000000001010000-memory.dmp
  Filesize: 192KB
memory/1276-71-0x0000000000355000-0x0000000000366000-memory.dmp
  Filesize: 68KB
memory/1652-55-0x000007FEFC401000-0x000007FEFC403000-memory.dmp
  Filesize: 8KB