Analysis

  • max time kernel
    148s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    06-02-2022 15:54

General

  • Target

    Quotation.exe

  • Size

    1.2MB

  • MD5

    ca3395b17a2f8092f2f5054a06eccbee

  • SHA1

    bbcec44150facad7ee24c6c69329456fdd4cb011

  • SHA256

    a35a739a11186937e37899ee065f6c1832f27ec88a182079f7a8f2d57884184b

  • SHA512

    738c278d8cab458fb60e93433cd4e78799898602bdb24694f2e49ee17df6c1e2c0a56697ef4e9cfda12a03a895504176e6f9c1312c0272a7937e65877acb7e48

Malware Config

Extracted

  • Family
    formbook
  • Version
    4.1
  • Campaign
    vns
  • Decoy
    sparkspressworld.com
    everydayresidency.com
    thebosscollectionn.com
    milkweedmagic.com
    worklesshours.com
    romeosfurnituremadera.com
    unclepetesproduce.com
    athleticamackay.com
    9nhl.com
    powellassetmanagement.com
    jxlamp.com
    onpointpetproducts.com
    buymysoft.com
    nazertrader.com
    goprj.com
    keeptalkservice.com
    aolei1688.com
    donstackl.com
    almasorchids.com
    pj5bwn.com

    FormBook carries a list of decoy domains alongside its live C2 and contacts the decoys, most of which are legitimate third-party sites, to mask the real server; the report lists all 20 configured domains as decoys and does not identify which one is live. Use the list to correlate network telemetry from the run rather than as a blocklist.

Signatures

  • Babadeda

    Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.

  • Babadeda Crypter 2 IoCs
  • Formbook

    Formbook is an information stealer: it captures keystrokes, browser form submissions and stored credentials, and can fetch and run additional payloads on the host.

  • Formbook Payload 2 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The "likely ransomware" hint is the sandbox's generic text for this signature; the sample is classified as FormBook above and nothing in this report shows encryption or ransom activity, so read the drive enumeration as reconnaissance rather than as a ransomware indicator.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1404
    • C:\Users\Admin\AppData\Local\Temp\Quotation.exe
      "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1156
      • C:\Users\Admin\AppData\Roaming\UltimateDefrag\udefrag.exe
        C:\Users\Admin\AppData\Roaming\UltimateDefrag\udefrag.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2004
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\SysWOW64\netsh.exe"
      2⤵
      • Adds policy Run key to start application
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1352
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:1692
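
Detection logic for the tree above, written as an added example (not sandbox output) and run over constructed Sysmon-style events that mirror the report: the dropper in AppData\Local\Temp launching a dropped EXE from AppData\Roaming, the injected Explorer.EXE starting the 32-bit SysWOW64 netsh.exe with no arguments, and the Run / Policies\Explorer\Run persistence from the Signatures list. The registry value name and data, the event field names, and the benign control events are assumptions; the rule keyed on a 64-bit Explorer spawning a bare WoW64 system binary applies only to 64-bit hosts like the windows7_x64 image used here.

```python
"""Detection logic for the behaviour in this report's process tree and
Signatures, run over constructed Sysmon-style events (not real telemetry).
Added example; not produced by the sandbox."""
import re

# The injected Explorer.EXE starts a 32-bit system utility (netsh.exe here)
# from SysWOW64 with an empty argument list. A 64-bit Explorer launching the
# WoW64 copy of a system binary bare is itself unusual, which is what the
# first rule keys on. Assumes a 64-bit host, as in this run.
WOW64_DIR = "c:\\windows\\syswow64\\"
ROAMING = "\\appdata\\roaming\\"
TEMP = "\\appdata\\local\\temp\\"
# Both autostart locations named in the Signatures: ...\CurrentVersion\Run and
# ...\CurrentVersion\Policies\Explorer\Run.
RUN_KEY_RE = re.compile(
    r"\\CurrentVersion\\(Policies\\Explorer\\)?Run\\[^\\]+$", re.IGNORECASE)


def is_bare_cmdline(e):
    """True when the command line is nothing but the (possibly quoted) image path."""
    return e["cmdline"].strip().strip('"').lower() == e["image"].lower()


def check_process_create(e):
    """Rules for a process-creation event (Sysmon event ID 1 shape)."""
    hits = []
    image, parent = e["image"].lower(), e["parent_image"].lower()
    if parent.endswith("\\explorer.exe") and image.startswith(WOW64_DIR) \
            and is_bare_cmdline(e):
        hits.append("explorer_spawns_bare_wow64_system_binary")
    if ROAMING in image and TEMP in parent:
        hits.append("roaming_exe_launched_from_temp_dropper")
    return hits


def check_registry_set(e):
    """Rules for a registry value-set event (Sysmon event ID 13 shape)."""
    hits = []
    if RUN_KEY_RE.search(e["target"]) and "\\appdata\\" in e["details"].lower():
        # Legitimate per-user autostarts also live under AppData (OneDrive,
        # Teams); keep an allowlist of known value names and paths in production.
        hits.append("run_key_points_into_appdata")
    return hits


def scan(events):
    """Return (rule, pid) pairs, in event order, for every event that matches a rule."""
    findings = []
    for e in events:
        if e["id"] == 1:
            rules = check_process_create(e)
        elif e["id"] == 13:
            rules = check_registry_set(e)
        else:
            rules = []
        findings.extend((rule, e["pid"]) for rule in rules)
    return findings


# Constructed events mirroring the report's process tree, followed by three
# benign controls (PIDs 4242-4244). The registry value name and data are
# assumed; the report does not show them.
EVENTS = [
    {"id": 1, "pid": 1156, "parent_image": r"C:\Windows\Explorer.EXE",
     "image": r"C:\Users\Admin\AppData\Local\Temp\Quotation.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"'},
    {"id": 1, "pid": 2004, "parent_image": r"C:\Users\Admin\AppData\Local\Temp\Quotation.exe",
     "image": r"C:\Users\Admin\AppData\Roaming\UltimateDefrag\udefrag.exe",
     "cmdline": r"C:\Users\Admin\AppData\Roaming\UltimateDefrag\udefrag.exe"},
    {"id": 1, "pid": 1352, "parent_image": r"C:\Windows\Explorer.EXE",
     "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'"C:\Windows\SysWOW64\netsh.exe"'},
    {"id": 13, "pid": 1352, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\UltimateDefrag",
     "details": r"C:\Users\Admin\AppData\Roaming\UltimateDefrag\udefrag.exe"},
    # Benign: user opens Notepad from File Explorer (64-bit System32 copy).
    {"id": 1, "pid": 4242, "parent_image": r"C:\Windows\Explorer.EXE",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe"'},
    # Benign: admin runs netsh with arguments from a console.
    {"id": 1, "pid": 4243, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh interface show interface"},
    # Benign: Run value pointing at Program Files.
    {"id": 13, "pid": 4244, "image": r"C:\Program Files (x86)\Steam\steam.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Steam",
     "details": r'"C:\Program Files (x86)\Steam\steam.exe" -silent'},
]

if __name__ == "__main__":
    for rule, pid in scan(EVENTS):
        print(f"PID {pid}: {rule}")
```

Run as-is it flags PID 2004 and PID 1352 (twice) and stays silent on the three controls; in a real pipeline the same three functions would consume parsed Sysmon events rather than the constructed list.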

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1156-54-0x0000000075AB1000-0x0000000075AB3000-memory.dmp
    Filesize 8KB
  • memory/1352-64-0x00000000010E0000-0x00000000010FB000-memory.dmp
    Filesize 108KB
  • memory/1352-65-0x0000000000080000-0x00000000000AE000-memory.dmp
    Filesize 184KB
  • memory/1352-69-0x0000000000EC0000-0x0000000000F53000-memory.dmp
    Filesize 588KB
  • memory/1352-66-0x0000000000A40000-0x0000000000D43000-memory.dmp
    Filesize 3.0MB
  • memory/1404-67-0x0000000004990000-0x0000000004A59000-memory.dmp
    Filesize 804KB
  • memory/1404-70-0x00000000075F0000-0x0000000007778000-memory.dmp
    Filesize 1.5MB
  • memory/2004-62-0x0000000000460000-0x0000000000474000-memory.dmp
    Filesize 80KB
  • memory/2004-61-0x00000000023B0000-0x00000000026B3000-memory.dmp
    Filesize 3.0MB
  • memory/2004-60-0x0000000000E40000-0x0000000000FB0000-memory.dmp
    Filesize 1.4MB
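
The dump names above encode PID, the sandbox's dump sequence number and the region's start and end addresses. The parser below is an added example (not sandbox output): it recomputes each region's size from the address range, reproduces the report's Filesize rounding so the two can be cross-checked, groups regions per process, and reports sizes that recur across PIDs. The dump names are copied from the report; reading a recurring size as the same unpacked payload mapped into two processes is an analyst's hypothesis to confirm by diffing the dumps, not something the name alone proves.

```python
"""Parse the memory-dump names from a sandbox report, recompute region sizes and
find regions of identical size across processes. Added example, not sandbox code."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Dump names exactly as listed in the report's Downloads section.
DUMP_NAMES = [
    "memory/1156-54-0x0000000075AB1000-0x0000000075AB3000-memory.dmp",
    "memory/1352-64-0x00000000010E0000-0x00000000010FB000-memory.dmp",
    "memory/1352-65-0x0000000000080000-0x00000000000AE000-memory.dmp",
    "memory/1352-69-0x0000000000EC0000-0x0000000000F53000-memory.dmp",
    "memory/1352-66-0x0000000000A40000-0x0000000000D43000-memory.dmp",
    "memory/1404-67-0x0000000004990000-0x0000000004A59000-memory.dmp",
    "memory/1404-70-0x00000000075F0000-0x0000000007778000-memory.dmp",
    "memory/2004-62-0x0000000000460000-0x0000000000474000-memory.dmp",
    "memory/2004-61-0x00000000023B0000-0x00000000026B3000-memory.dmp",
    "memory/2004-60-0x0000000000E40000-0x0000000000FB0000-memory.dmp",
]

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

PAGE = 0x1000


@dataclass(frozen=True)
class Region:
    pid: int
    seq: int    # the sandbox's dump ordering number
    start: int
    end: int    # exclusive

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dump_name(name: str) -> Region:
    """Split a dump name into its fields and sanity-check the address range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    r = Region(int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16))
    # Sandbox dumps cover whole pages; a misaligned or empty range means a bad name.
    if r.end <= r.start or r.start % PAGE or r.end % PAGE:
        raise ValueError(f"bad address range in {name}")
    return r


def format_size(nbytes: int) -> str:
    """Reproduce the report's Filesize rounding: whole KB below 1 MiB, one decimal MiB above."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes // 1024}KB"


def regions_by_pid(names):
    """Map pid -> regions sorted by start address."""
    by_pid = defaultdict(list)
    for n in names:
        r = parse_dump_name(n)
        by_pid[r.pid].append(r)
    return {pid: sorted(rs, key=lambda r: r.start) for pid, rs in by_pid.items()}


def shared_region_sizes(names):
    """Region sizes dumped from more than one process: candidates for the same
    payload mapped into several processes (confirm by diffing the dumps)."""
    pids_by_size = defaultdict(set)
    for n in names:
        r = parse_dump_name(n)
        pids_by_size[r.size].add(r.pid)
    return {size: sorted(pids) for size, pids in pids_by_size.items() if len(pids) > 1}


if __name__ == "__main__":
    for pid, regs in sorted(regions_by_pid(DUMP_NAMES).items()):
        for r in regs:
            print(f"PID {pid:5} seq {r.seq:3} {r.start:#012x}-{r.end:#012x} {format_size(r.size):>6}")
    for size, pids in shared_region_sizes(DUMP_NAMES).items():
        print(f"{format_size(size)} ({size:#x}) region present in PIDs {pids}")
```

On this report the only recurring size is 0x303000 bytes (3.0MB), present in PID 2004 (udefrag.exe) and PID 1352 (netsh.exe), which fits the Signatures' SetThreadContext and MapViewOfSection activity on both processes; the two regions dumped from Explorer.EXE (PID 1404) have sizes that match nothing else in the list, so they need to be compared by content rather than by size.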