Analysis

  • max time kernel
    151s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 00:52

General

  • Target

    Quotation.exe

  • Size

    378KB

  • MD5

    f3cf72f1ae6aa14ad0da0ee454e42bfb

  • SHA1

    93c3d771808d2c5a4ad34e9cebe3fab5da335069

  • SHA256

    3837dc32928e8556207e8dafb872968279682dc4a848d09f73823818d2fb7dff

  • SHA512

    4a52b43f19bdfbb4614ae510c0e1aea414d676ce7d5b0120c66e14c791498d9ee9e458aafe74885f7b62e355139bacb46541f92eddc6b85836dcb4dc36cb984a

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

m6x

Decoy

990939.top

dhluxuryconsulting.com

muapnvnsfr.com

homder.com

valveiran.com

alkhaleejtrading.net

jekweiss.com

kevinklasmanmusic.com

buyilovebacon.com

nq227.com

cryptrproject.com

medicine.mba

nufilter.info

highway99restorations.com

phytohealthkits.com

accentuatephotography.com

tradeclimber.com

yasseralm.com

ito-agri.com

divandaman.com

Signatures

  • Formbook

    Formbook is a data-stealing malware family.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

  • Formbook Payload 2 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Deletes itself 1 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1272
    • C:\Users\Admin\AppData\Local\Temp\Quotation.exe
      "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
      2⤵
      • Maps connected drives based on registry
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      PID:1964
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      2⤵
      • Adds policy Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1384
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        3⤵
        • Deletes itself
        PID:1260

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Registry Run Keys / Startup Folder (T1060): 1
  • Defense Evasion
    Modify Registry (T1112): 2
  • Discovery
    Query Registry (T1012): 1
    Peripheral Device Discovery (T1120): 1
    System Information Discovery (T1082): 1

Downloads

  • C:\Users\Admin\AppData\Roaming\N98A4CAW\N98logim.jpeg
    Filesize

    63KB

    MD5

    9abf6d069a3729c2e53e45bb65ce5ad6

    SHA1

    669b31e1ad5265c2076a64d5ead370590d1177d0

    SHA256

    31a40a60f865037ef83fa03fe0388db16e37a6e0bf78ee48199ca81317951f87

    SHA512

    b607e8387addeb7b1d53c47db9cc9d12ac9d2b61b07fd0a0d5abeb7af53d6bf31a9cb0a0d2b40a8e2140ae5bf0004d8d18cc128d684d358d676033cb1f252fd5

  • C:\Users\Admin\AppData\Roaming\N98A4CAW\N98logri.ini
    Filesize

    40B

    MD5

    d63a82e5d81e02e399090af26db0b9cb

    SHA1

    91d0014c8f54743bba141fd60c9d963f869d76c9

    SHA256

    eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

    SHA512

    38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

  • C:\Users\Admin\AppData\Roaming\N98A4CAW\N98logrv.ini
    Filesize

    40B

    MD5

    ba3b6bc807d4f76794c4b81b09bb9ba5

    SHA1

    24cb89501f0212ff3095ecc0aba97dd563718fb1

    SHA256

    6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507

    SHA512

    ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

  • memory/1260-64-0x0000000000000000-mapping.dmp
  • memory/1272-60-0x0000000006020000-0x000000000614C000-memory.dmp
    Filesize

    1.2MB

  • memory/1272-69-0x0000000007190000-0x00000000072C7000-memory.dmp
    Filesize

    1.2MB

  • memory/1384-66-0x0000000000080000-0x00000000000AA000-memory.dmp
    Filesize

    168KB

  • memory/1384-61-0x0000000000000000-mapping.dmp
  • memory/1384-62-0x00000000756E1000-0x00000000756E3000-memory.dmp
    Filesize

    8KB

  • memory/1384-63-0x0000000073F91000-0x0000000073F93000-memory.dmp
    Filesize

    8KB

  • memory/1384-65-0x0000000000640000-0x00000000008C1000-memory.dmp
    Filesize

    2.5MB

  • memory/1384-67-0x0000000002480000-0x0000000002783000-memory.dmp
    Filesize

    3.0MB

  • memory/1384-68-0x00000000021B0000-0x0000000002243000-memory.dmp
    Filesize

    588KB

  • memory/1964-59-0x0000000000DA0000-0x0000000000DB4000-memory.dmp
    Filesize

    80KB

  • memory/1964-54-0x0000000000EF0000-0x0000000000F54000-memory.dmp
    Filesize

    400KB

  • memory/1964-58-0x0000000005470000-0x0000000005773000-memory.dmp
    Filesize

    3.0MB

  • memory/1964-57-0x0000000000C70000-0x0000000000C9A000-memory.dmp
    Filesize

    168KB

  • memory/1964-56-0x00000000007E0000-0x0000000000814000-memory.dmp
    Filesize

    208KB

  • memory/1964-55-0x00000000007A0000-0x00000000007E4000-memory.dmp
    Filesize

    272KB