Analysis

  • max time kernel
    146s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    27-01-2022 14:51

General

  • Target

    QuotePDF.vbs

  • Size

    444KB

  • MD5

    d9f992f8020aa3a3bf5053657ae2b4e1

  • SHA1

    04862f6295b1f63466eac99adbe9f28f678b4aab

  • SHA256

    8dba6450d3ff2ac99d519d8f75affdcbb25bf5743e265246e0bfedd60a325a28

  • SHA512

    1f632773295db7dd8a30370a66f29bbcd10485f0483b616ae6e736020d6144cb345e992cd6101da50c70ae078d79de42afd9b1b6e33fd90ced49b0e81207199a

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

  • Contains code to disable Windows Defender 6 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty Payload 3 IoCs
  • suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

  • Async RAT payload 9 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 5 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Commonly seen in ransomware, but also routine for info stealers enumerating drives for files and removable media to collect, which fits the StormKitty detection on this sample.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\QuotePDF.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1652
    • C:\Users\Admin\AppData\Local\Temp\file.exe
      "C:\Users\Admin\AppData\Local\Temp\file.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:268
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tmpFE2D.tmp.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:988
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /sc onlogon /rl highest /tn word.exe /tr "C:\Users\Admin\AppData\Roaming\word.exe
          4⤵
          • Creates scheduled task(s)
          PID:1740
      • C:\Users\Admin\AppData\Roaming\word.exe
        "C:\Users\Admin\AppData\Roaming\word.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:592
    • C:\Users\Admin\AppData\Local\Temp\name.exe
      "C:\Users\Admin\AppData\Local\Temp\name.exe"
      2⤵
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1276
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1964
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          PID:1532
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show profile
          4⤵
          PID:1968
        • C:\Windows\SysWOW64\findstr.exe
          findstr All
          4⤵
          PID:1120
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1776
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          PID:988
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show networks mode=bssid
          4⤵
          PID:940
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
    PID:1768
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
    PID:828

Read top-down: the VBS launches two dropped executables. file.exe writes a copy of itself to Roaming as word.exe (the two files carry identical hashes in the Downloads list below), starts it, and registers it as an on-logon scheduled task with /rl highest through a second, temporary VBS. name.exe enumerates the saved Wi-Fi profiles and nearby BSSIDs via netsh, typical info-stealer reconnaissance; the `chcp 65001` prefix switches the console to UTF-8 so the captured output parses cleanly. PID 988 appears twice (WScript.exe and chcp.com), presumably because the sandbox reports a PID that Windows reused after the first process exited.
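The chain above, expressed as detection logic, as an added example that is not part of the original report or of the sandbox's own signatures. The field names mirror Sysmon Event ID 1 (ParentImage / Image / CommandLine), but the events are constructed by hand from the process tree, the parent of the root WScript.exe (explorer.exe) is assumed because the report does not show it, and the rule names are invented for this example:

```python
from __future__ import annotations

import re
from dataclasses import dataclass


# Minimal process-creation event. Field names mirror Sysmon Event ID 1, but every
# event below is hand-constructed from the report's process tree, not sandbox output.
@dataclass(frozen=True)
class ProcEvent:
    pid: int
    parent_image: str
    image: str
    command_line: str


# Directories a standard user can write to; both dropped payloads ran from here.
USER_WRITABLE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def image_name(path: str) -> str:
    """Return the lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the event trips, in a fixed order."""
    hits: list[str] = []
    cl = ev.command_line.lower()
    parent, child = image_name(ev.parent_image), image_name(ev.image)

    # Rule 1: a script host launching a PE out of %TEMP% or Roaming, which is how
    # QuotePDF.vbs started file.exe and name.exe.
    if parent in SCRIPT_HOSTS and child.endswith(".exe") and USER_WRITABLE.search(ev.image):
        hits.append("script_host_spawns_appdata_exe")

    # Rule 2: schtasks persistence with an on-logon trigger whose action lives in
    # a user-writable path; the highest run level is flagged separately.
    if (child == "schtasks.exe" and "/create" in cl and "/sc onlogon" in cl
            and USER_WRITABLE.search(ev.command_line)):
        hits.append("schtasks_onlogon_appdata")
        if "/rl highest" in cl:
            hits.append("schtasks_highest_runlevel")

    # Rule 3: Wi-Fi profile / BSSID enumeration via netsh, whether seen on the
    # cmd.exe wrapper ("chcp 65001 && netsh wlan show ...") or on netsh.exe itself.
    if child in ("cmd.exe", "netsh.exe") and "netsh" in cl and "wlan show" in cl:
        hits.append("netsh_wlan_enum")

    return hits


def run(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map PID -> rule hits for every event that tripped at least one rule."""
    return {ev.pid: hits for ev in events if (hits := detect(ev))}


# Constructed events reproducing the report's tree (assumed root parent: explorer.exe).
WSCRIPT = r"C:\Windows\System32\WScript.exe"
FILE_EXE = r"C:\Users\Admin\AppData\Local\Temp\file.exe"
NAME_EXE = r"C:\Users\Admin\AppData\Local\Temp\name.exe"
WORD_EXE = r"C:\Users\Admin\AppData\Roaming\word.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
NETSH = r"C:\Windows\SysWOW64\netsh.exe"

EVENTS = [
    ProcEvent(1652, r"C:\Windows\explorer.exe", WSCRIPT,
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\QuotePDF.vbs"'),
    ProcEvent(268, WSCRIPT, FILE_EXE, f'"{FILE_EXE}"'),
    ProcEvent(988, FILE_EXE, WSCRIPT,
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tmpFE2D.tmp.vbs"'),
    ProcEvent(1740, WSCRIPT, r"C:\Windows\System32\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /create /sc onlogon /rl highest /tn word.exe '
              r'/tr "C:\Users\Admin\AppData\Roaming\word.exe'),
    ProcEvent(592, FILE_EXE, WORD_EXE, f'"{WORD_EXE}"'),
    ProcEvent(1276, WSCRIPT, NAME_EXE, f'"{NAME_EXE}"'),
    ProcEvent(1964, NAME_EXE, CMD, r'"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'),
    ProcEvent(1968, CMD, NETSH, "netsh wlan show profile"),
    ProcEvent(1120, CMD, r"C:\Windows\SysWOW64\findstr.exe", "findstr All"),
    ProcEvent(1776, NAME_EXE, CMD, r'"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid'),
    ProcEvent(940, CMD, NETSH, "netsh wlan show networks mode=bssid"),
]

if __name__ == "__main__":
    for pid, hits in run(EVENTS).items():
        print(pid, ", ".join(hits))
```

Rule 1 fires on both dropped payloads but not on word.exe, whose parent is file.exe rather than a script host; a real ruleset would add a sibling rule for an AppData executable spawning another AppData executable. Rule 3 deliberately matches on both the cmd.exe wrapper and netsh.exe so that telemetry which only records one of the two still produces a hit.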

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution
    Scheduled Task (1) T1053
  • Persistence
    Scheduled Task (1) T1053
  • Privilege Escalation
    Scheduled Task (1) T1053
  • Credential Access
    Credentials in Files (1) T1081
  • Discovery
    System Information Discovery (2) T1082
    Query Registry (1) T1012
  • Collection
    Data from Local System (1) T1005

Technique IDs follow ATT&CK v6, as the matrix header states. In current ATT&CK releases T1053 is split into sub-techniques (the schtasks call in the process tree maps to T1053.005, Scheduled Task) and T1081 has been retired into T1552.001 (Unsecured Credentials: Credentials In Files). The Privilege Escalation entry rests on the /rl highest switch in the schtasks command line; all three Scheduled Task rows describe the same single task creation.

Downloads

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    MD5

    78df8357a69de092306ef19bd3d392a9

    SHA1

    eba4800d57aaf97a06f787fec82641065527f6d5

    SHA256

    7d0ccd90388759c96e536943055fbecca5c51f553fb25f350de37ceb40a2613e

    SHA512

    a5dbf72231e6513c2c7a9cc34ba24eedc0c1f49020deb2cf68e31eb93cac222bfdc8a6ce6f8d6ceb3c6efec23eef6cf62200b6a867ea67ad29c5ad43b5332d9a

  • C:\Users\Admin\AppData\Local\Temp\name.exe
    MD5

    85a86da84355abb40ccabdb5f45ae13b

    SHA1

    4a98a7682fbb721354f0fb672d9338ac62b4350c

    SHA256

    d43d7ed548724fd7fe611014b3d4b170b41b36cc84e37fc307a7c6f4ea14272c

    SHA512

    7aa56b3556739317196f7b2e28cbadb597c0260a7e0cf33afc7b07057a368ac5345a822abf7ba74e5fd3889c801fbf240f6af250289cb01148e036dde5dc0bc1

  • C:\Users\Admin\AppData\Local\Temp\tmpFE2D.tmp.vbs
    MD5

    f39a89ff1b5f43b3d88d8c8d140483af

    SHA1

    c9ebd9d2d1625dbb11733c53000e88e2b24cd659

    SHA256

    8d15cd30d9ef7e9021ea1afdfd689d6fdbc746cba5617f5315734dfff65f1e09

    SHA512

    033f659a9f1fa998767529adfbe1adfc82c7788994e351fbf78152555759c0ed9f3dd750cb6d3a5ca3b99414ad52690e69698bf17ad12a47e14c86e2669aa78b

  • C:\Users\Admin\AppData\Roaming\word.exe
    MD5

    78df8357a69de092306ef19bd3d392a9

    SHA1

    eba4800d57aaf97a06f787fec82641065527f6d5

    SHA256

    7d0ccd90388759c96e536943055fbecca5c51f553fb25f350de37ceb40a2613e

    SHA512

    a5dbf72231e6513c2c7a9cc34ba24eedc0c1f49020deb2cf68e31eb93cac222bfdc8a6ce6f8d6ceb3c6efec23eef6cf62200b6a867ea67ad29c5ad43b5332d9a

word.exe carries the same MD5, SHA1, SHA256 and SHA512 as file.exe, so the persistence copy in Roaming is byte-identical to the first dropped payload; two distinct executables are involved in this run, not three. Each file is listed once here; the sandbox reported each dropped file twice with identical hashes.

  • memory/268-64-0x0000000000300000-0x0000000000540000-memory.dmp
    Filesize

    2.2MB

  • memory/268-60-0x0000000000C20000-0x0000000000C44000-memory.dmp
    Filesize

    144KB

  • memory/592-69-0x0000000000170000-0x0000000000194000-memory.dmp
    Filesize

    144KB

  • memory/592-70-0x000000001B060000-0x000000001B062000-memory.dmp
    Filesize

    8KB

  • memory/1276-62-0x0000000076641000-0x0000000076643000-memory.dmp
    Filesize

    8KB

  • memory/1276-63-0x0000000000350000-0x0000000000351000-memory.dmp
    Filesize

    4KB

  • memory/1276-61-0x0000000000FE0000-0x0000000001010000-memory.dmp
    Filesize

    192KB

  • memory/1276-71-0x0000000000355000-0x0000000000366000-memory.dmp
    Filesize

    68KB

  • memory/1652-55-0x000007FEFC401000-0x000007FEFC403000-memory.dmp
    Filesize

    8KB