Analysis

max time kernel: 148s
max time network: 129s
platform: windows7_x64
resource: win7-en-20211208
submitted: 06-02-2022 15:54

Static task: static1
Behavioral task: behavioral1
Sample: Quotation.exe
Resource: win7-en-20211208

General

Target: Quotation.exe
Size: 1.2MB
MD5: ca3395b17a2f8092f2f5054a06eccbee
SHA1: bbcec44150facad7ee24c6c69329456fdd4cb011
SHA256: a35a739a11186937e37899ee065f6c1832f27ec88a182079f7a8f2d57884184b
SHA512: 738c278d8cab458fb60e93433cd4e78799898602bdb24694f2e49ee17df6c1e2c0a56697ef4e9cfda12a03a895504176e6f9c1312c0272a7937e65877acb7e48
Malware Config

Extracted
Family: formbook
Version: 4.1
Campaign: vns
Domains:
sparkspressworld.com
everydayresidency.com
thebosscollectionn.com
milkweedmagic.com
worklesshours.com
romeosfurnituremadera.com
unclepetesproduce.com
athleticamackay.com
9nhl.com
powellassetmanagement.com
jxlamp.com
onpointpetproducts.com
buymysoft.com
nazertrader.com
goprj.com
keeptalkservice.com
aolei1688.com
donstackl.com
almasorchids.com
pj5bwn.com
featuredshop2020.com
connectmheduaction.com
kcastleint.com
quintessentialmiss.com
forenvid.com
vetementsbd.com
fabrizioamadori.net
remaxplatinumva.com
drivecart.net
ordertds.com
huayuanjiajiao.com
islamiportal.com
innergardenhealing.space
wlwmwntor.com
wiitendo.com
ceschandigarh.com
mitchellche.com
levaporz.com
eraophthalmica.com
gnzywyht.com
bobbinsbroider.com
pollygen.com
xn--kbrsotocheckup-5fcc.com
theunprofessionalpodcast.com
lendini.site
digitalpardis.com
meenaveen.com
yihuafence.com
mercadoaria.com
domennyarendi44.net
juandiegopalacio.com
meltdownfitnesstulsa.com
xn--laclnicadelvnculo-gvbi.com
paripartners378.com
valadecia.com
womenring.com
ocarlosresolve.com
vedicherbsindia.com
nonnearrapate.com
viplending.net
angelbeatsgamingclan.com
rigmodisc.com
page-id-78613.com
yapadaihindi.com
hollandhousedesigns.design
Signatures

Babadeda Crypter (2 IoCs)
  resource | yara_rule
  behavioral1/files/0x00060000000130dd-59.dat | family_babadeda

Formbook Payload (2 IoCs)
  resource | yara_rule
  behavioral1/memory/2004-60-0x0000000000E40000-0x0000000000FB0000-memory.dmp | formbook
  behavioral1/memory/1352-65-0x0000000000080000-0x00000000000AE000-memory.dmp | formbook

Adds policy Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \Registry\User\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | netsh.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\YZ7XNZ989 = "C:\\Users\\Admin\\AppData\\Roaming\\UltimateDefrag\\udefrag.exe" | netsh.exe

Executes dropped EXE (1 IoC)
  pid | Process
  2004 | udefrag.exe

Loads dropped DLL (2 IoCs)
  pid | Process
  1156 | Quotation.exe
  2004 | udefrag.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Key created | \Registry\User\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | netsh.exe

Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 2004 set thread context of 1404 | 2004 | udefrag.exe | 17
  PID 1352 set thread context of 1404 | 1352 | netsh.exe | 17
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer settings
  description | ioc | Process
  Key created | \Registry\User\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | netsh.exe
Suspicious behavior: EnumeratesProcesses (18 IoCs)
  pid | Process
  2004 | udefrag.exe (2 entries)
  1352 | netsh.exe (16 entries)

Suspicious behavior: MapViewOfSection (7 IoCs)
  pid | Process
  2004 | udefrag.exe (3 entries)
  1352 | netsh.exe (4 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2004 | udefrag.exe
  Token: SeDebugPrivilege | 1352 | netsh.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | Process
  1404 | Explorer.EXE (2 entries)

Suspicious use of SendNotifyMessage (2 IoCs)
  pid | Process
  1404 | Explorer.EXE (2 entries)

Suspicious use of WriteProcessMemory (13 IoCs)
  description | pid | Process | procid_target
  PID 1156 wrote to memory of 2004 | 1156 | Quotation.exe | 27 (4 entries)
  PID 1404 wrote to memory of 1352 | 1404 | Explorer.EXE | 28 (4 entries)
  PID 1352 wrote to memory of 1692 | 1352 | netsh.exe | 32 (5 entries)
Processes

C:\Windows\Explorer.EXE (PID 1404)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Quotation.exe (PID 1156)
    command line: "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\UltimateDefrag\udefrag.exe (PID 2004)
      command line: C:\Users\Admin\AppData\Roaming\UltimateDefrag\udefrag.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\netsh.exe (PID 1352)
    command line: "C:\Windows\SysWOW64\netsh.exe"
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Mozilla Firefox\Firefox.exe (PID 1692)
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"