Analysis

Max time kernel: 147s
Max time network: 141s
Platform: windows10_x64
Resource: win10-en-20211208
Submitted: 27-01-2022 14:51

Static task: static1
Behavioral task: behavioral1
  Sample: QuotePDF.vbs
  Resource: win7-en-20211208
General

Target: QuotePDF.vbs
Size: 444KB
MD5: d9f992f8020aa3a3bf5053657ae2b4e1
SHA1: 04862f6295b1f63466eac99adbe9f28f678b4aab
SHA256: 8dba6450d3ff2ac99d519d8f75affdcbb25bf5743e265246e0bfedd60a325a28
SHA512: 1f632773295db7dd8a30370a66f29bbcd10485f0483b616ae6e736020d6144cb345e992cd6101da50c70ae078d79de42afd9b1b6e33fd90ced49b0e81207199a
Malware Config
Signatures

Contains code to disable Windows Defender (5 IoCs)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\file.exe | disable_win_def
  C:\Users\Admin\AppData\Local\Temp\file.exe | disable_win_def
  behavioral2/memory/3776-117-0x00000000003C0000-0x00000000003E4000-memory.dmp | disable_win_def
  C:\Users\Admin\AppData\Roaming\word.exe | disable_win_def
  C:\Users\Admin\AppData\Roaming\word.exe | disable_win_def
StormKitty
StormKitty is an open source info stealer written in C#.

StormKitty Payload (3 IoCs)
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\name.exe | family_stormkitty
  C:\Users\Admin\AppData\Local\Temp\name.exe | family_stormkitty
  behavioral2/memory/4104-120-0x0000000000EA0000-0x0000000000ED0000-memory.dmp | family_stormkitty
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

suricata: ET MALWARE StormKitty Data Exfil via Telegram
Async RAT payload (8 IoCs)
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\file.exe | asyncrat
  C:\Users\Admin\AppData\Local\Temp\file.exe | asyncrat
  behavioral2/memory/3776-117-0x00000000003C0000-0x00000000003E4000-memory.dmp | asyncrat
  C:\Users\Admin\AppData\Local\Temp\name.exe | asyncrat
  C:\Users\Admin\AppData\Local\Temp\name.exe | asyncrat
  behavioral2/memory/4104-120-0x0000000000EA0000-0x0000000000ED0000-memory.dmp | asyncrat
  C:\Users\Admin\AppData\Roaming\word.exe | asyncrat
  C:\Users\Admin\AppData\Roaming\word.exe | asyncrat

Executes dropped EXE (3 IoCs)
Processes:
  pid | process
  3776 | file.exe
  4104 | name.exe
  4544 | word.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops desktop.ini file(s) (7 IoCs)
Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Local\6a1d7a1dbfc5526602a25c035065e18c\Admin@MHKKHUYI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | name.exe
  File created | C:\Users\Admin\AppData\Local\6a1d7a1dbfc5526602a25c035065e18c\Admin@MHKKHUYI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | name.exe
  File created | C:\Users\Admin\AppData\Local\6a1d7a1dbfc5526602a25c035065e18c\Admin@MHKKHUYI_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | name.exe
  File created | C:\Users\Admin\AppData\Local\6a1d7a1dbfc5526602a25c035065e18c\Admin@MHKKHUYI_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | name.exe
  File opened for modification | C:\Users\Admin\AppData\Local\6a1d7a1dbfc5526602a25c035065e18c\Admin@MHKKHUYI_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | name.exe
  File created | C:\Users\Admin\AppData\Local\6a1d7a1dbfc5526602a25c035065e18c\Admin@MHKKHUYI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | name.exe
  File created | C:\Users\Admin\AppData\Local\6a1d7a1dbfc5526602a25c035065e18c\Admin@MHKKHUYI_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | name.exe
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  28 | icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | name.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | name.exe

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Modifies registry class (1 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings | file.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid | process
  3776 | file.exe
  4544 | word.exe
  4104 | name.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 4104 | name.exe
  Token: SeDebugPrivilege | 3776 | file.exe
  Token: SeDebugPrivilege | 4544 | word.exe
Suspicious use of WriteProcessMemory (32 IoCs)
Processes:
  description | pid | process | target process
  PID 3476 wrote to memory of 3776 | 3476 | WScript.exe | file.exe
  PID 3476 wrote to memory of 4104 | 3476 | WScript.exe | name.exe
  PID 3776 wrote to memory of 4376 | 3776 | file.exe | WScript.exe
  PID 4376 wrote to memory of 3256 | 4376 | WScript.exe | schtasks.exe
  PID 3776 wrote to memory of 4544 | 3776 | file.exe | word.exe
  PID 4104 wrote to memory of 1652 | 4104 | name.exe | cmd.exe
  PID 1652 wrote to memory of 1848 | 1652 | cmd.exe | chcp.com
  PID 1652 wrote to memory of 1284 | 1652 | cmd.exe | netsh.exe
  PID 1652 wrote to memory of 2060 | 1652 | cmd.exe | findstr.exe
  PID 4104 wrote to memory of 3928 | 4104 | name.exe | cmd.exe
  PID 3928 wrote to memory of 4576 | 3928 | cmd.exe | chcp.com
  PID 3928 wrote to memory of 4824 | 3928 | cmd.exe | netsh.exe
Processes (indentation shows parent/child depth)

C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\QuotePDF.vbs"
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\file.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tmpB779.tmp.vbs"
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /create /sc onlogon /rl highest /tn word.exe /tr "C:\Users\Admin\AppData\Roaming\word.exe
        - Creates scheduled task(s)

    C:\Users\Admin\AppData\Roaming\word.exe
      Command line: "C:\Users\Admin\AppData\Roaming\word.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\name.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\name.exe"
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\chcp.com
        Command line: chcp 65001

      C:\Windows\SysWOW64\netsh.exe
        Command line: netsh wlan show profile

      C:\Windows\SysWOW64\findstr.exe
        Command line: findstr All

    C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\chcp.com
        Command line: chcp 65001

      C:\Windows\SysWOW64\netsh.exe
        Command line: netsh wlan show networks mode=bssid

C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
Downloads

C:\Users\Admin\AppData\Local\Temp\file.exe
  MD5: 78df8357a69de092306ef19bd3d392a9
  SHA1: eba4800d57aaf97a06f787fec82641065527f6d5
  SHA256: 7d0ccd90388759c96e536943055fbecca5c51f553fb25f350de37ceb40a2613e
  SHA512: a5dbf72231e6513c2c7a9cc34ba24eedc0c1f49020deb2cf68e31eb93cac222bfdc8a6ce6f8d6ceb3c6efec23eef6cf62200b6a867ea67ad29c5ad43b5332d9a
C:\Users\Admin\AppData\Local\Temp\name.exe
  MD5: 85a86da84355abb40ccabdb5f45ae13b
  SHA1: 4a98a7682fbb721354f0fb672d9338ac62b4350c
  SHA256: d43d7ed548724fd7fe611014b3d4b170b41b36cc84e37fc307a7c6f4ea14272c
  SHA512: 7aa56b3556739317196f7b2e28cbadb597c0260a7e0cf33afc7b07057a368ac5345a822abf7ba74e5fd3889c801fbf240f6af250289cb01148e036dde5dc0bc1

C:\Users\Admin\AppData\Local\Temp\tmpB779.tmp.vbs
  MD5: f39a89ff1b5f43b3d88d8c8d140483af
  SHA1: c9ebd9d2d1625dbb11733c53000e88e2b24cd659
  SHA256: 8d15cd30d9ef7e9021ea1afdfd689d6fdbc746cba5617f5315734dfff65f1e09
  SHA512: 033f659a9f1fa998767529adfbe1adfc82c7788994e351fbf78152555759c0ed9f3dd750cb6d3a5ca3b99414ad52690e69698bf17ad12a47e14c86e2669aa78b

C:\Users\Admin\AppData\Roaming\word.exe
  MD5: 78df8357a69de092306ef19bd3d392a9
  SHA1: eba4800d57aaf97a06f787fec82641065527f6d5
  SHA256: 7d0ccd90388759c96e536943055fbecca5c51f553fb25f350de37ceb40a2613e
  SHA512: a5dbf72231e6513c2c7a9cc34ba24eedc0c1f49020deb2cf68e31eb93cac222bfdc8a6ce6f8d6ceb3c6efec23eef6cf62200b6a867ea67ad29c5ad43b5332d9a

memory/3776-117-0x00000000003C0000-0x00000000003E4000-memory.dmp
  Filesize: 144KB

memory/3776-122-0x000000001AF50000-0x000000001AF52000-memory.dmp
  Filesize: 8KB

memory/4104-123-0x0000000005830000-0x0000000005896000-memory.dmp
  Filesize: 408KB

memory/4104-121-0x00000000018B0000-0x00000000018B1000-memory.dmp
  Filesize: 4KB

memory/4104-120-0x0000000000EA0000-0x0000000000ED0000-memory.dmp
  Filesize: 192KB

memory/4104-138-0x00000000065D0000-0x0000000006662000-memory.dmp
  Filesize: 584KB

memory/4104-139-0x00000000018B3000-0x00000000018B5000-memory.dmp
  Filesize: 8KB

memory/4104-140-0x0000000006B70000-0x000000000706E000-memory.dmp
  Filesize: 5.0MB

memory/4104-141-0x00000000066C0000-0x00000000066CA000-memory.dmp
  Filesize: 40KB

memory/4104-142-0x0000000006B20000-0x0000000006B32000-memory.dmp
  Filesize: 72KB

memory/4544-127-0x000000001B040000-0x000000001B042000-memory.dmp
  Filesize: 8KB