Analysis
-
max time kernel: 174s
max time network: 192s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-05-2022 00:52
Static task: static1
Behavioral task: behavioral1
Sample: Quotation.exe
Resource: win7-20220414-en
Note: the yara hits and memory dumps further down are tagged behavioral2 and belong to the Windows 10 run named above (win10v2004-20220414-en); behavioral1 is listed with the win7-20220414-en resource, but no results from that run are included here.
General
-
Target: Quotation.exe
Size: 378KB
MD5: f3cf72f1ae6aa14ad0da0ee454e42bfb
SHA1: 93c3d771808d2c5a4ad34e9cebe3fab5da335069
SHA256: 3837dc32928e8556207e8dafb872968279682dc4a848d09f73823818d2fb7dff
SHA512: 4a52b43f19bdfbb4614ae510c0e1aea414d676ce7d5b0120c66e14c791498d9ee9e458aafe74885f7b62e355139bacb46541f92eddc6b85836dcb4dc36cb984a
Malware Config
Extracted
Family: formbook
Version: 3.9
Campaign: m6x
Domains (FormBook configurations list decoy domains alongside the live C2, so treat the list below as hunting leads to confirm against traffic, not as a ready-made block list):
990939.top
dhluxuryconsulting.com
muapnvnsfr.com
homder.com
valveiran.com
alkhaleejtrading.net
jekweiss.com
kevinklasmanmusic.com
buyilovebacon.com
nq227.com
cryptrproject.com
medicine.mba
nufilter.info
highway99restorations.com
phytohealthkits.com
accentuatephotography.com
tradeclimber.com
yasseralm.com
ito-agri.com
divandaman.com
raihtn.site
solyetrfademven.com
tepire.net
cointicket.online
johnhevank.com
pxskin.com
528jr.net
kovachnation.com
marstroy.info
1xsort.com
ugrowvancouverisland.com
sprintstats.com
furkankarakus.com
seo-caen.net
yclm1051.com
floydcountybaseball.com
privewin5.com
donaldjtrumpjr.chat
coloral.biz
xj9x.com
stichtingkind.com
tv16429.info
forgatheredhealth.com
waldheim-heslach.com
huimin26.com
mxfbyym.com
goveritas.com
newexpertise.biz
qqfyt.com
invictussociety.com
mmgan19.com
meileefu.com
profitpk.com
koolkitchendezigns.com
tubesluitmachine.com
mypussy.online
land8531.com
zhekou115.com
greenlandeventsntours.com
sydneycohn.net
bibs-bobs.com
zghz6688.com
wujing.group
motoucai.com
hearxy.com
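Matching the extracted domain list against DNS telemetry, as an added example that is not part of the sandbox report. The domain set is the list above; the DNS log lines are constructed to resemble Sysmon Event ID 22 (DnsQuery) records, reusing the PIDs the report assigns to Explorer.EXE (3148) and cmmon32.exe (4784), and the field layout and function names are the editor's own. Because FormBook configs mix decoys with the real C2, a hit here is a lead to confirm (which process resolved it, whether an HTTP check-in followed), not proof of infection by itself.

```python
"""Hunt DNS logs for domains from a FormBook config.  Added example; the log
lines are constructed, not captured from the sandbox run."""
import re
from collections import defaultdict

# Domain list as extracted from the sample's configuration (65 entries).
FORMBOOK_DOMAINS = frozenset("""
990939.top dhluxuryconsulting.com muapnvnsfr.com homder.com valveiran.com
alkhaleejtrading.net jekweiss.com kevinklasmanmusic.com buyilovebacon.com nq227.com
cryptrproject.com medicine.mba nufilter.info highway99restorations.com phytohealthkits.com
accentuatephotography.com tradeclimber.com yasseralm.com ito-agri.com divandaman.com
raihtn.site solyetrfademven.com tepire.net cointicket.online johnhevank.com
pxskin.com 528jr.net kovachnation.com marstroy.info 1xsort.com
ugrowvancouverisland.com sprintstats.com furkankarakus.com seo-caen.net yclm1051.com
floydcountybaseball.com privewin5.com donaldjtrumpjr.chat coloral.biz xj9x.com
stichtingkind.com tv16429.info forgatheredhealth.com waldheim-heslach.com huimin26.com
mxfbyym.com goveritas.com newexpertise.biz qqfyt.com invictussociety.com
mmgan19.com meileefu.com profitpk.com koolkitchendezigns.com tubesluitmachine.com
mypussy.online land8531.com zhekou115.com greenlandeventsntours.com sydneycohn.net
bibs-bobs.com zghz6688.com wujing.group motoucai.com hearxy.com
""".split())

# Constructed Sysmon Event ID 22 style lines (not from the report).  They cover
# a subdomain, a trailing-dot/upper-case name, benign noise and a near-miss.
SAMPLE_DNS_LOG = """\
2022-05-21 00:55:01 Image=C:\\Windows\\Explorer.EXE ProcessId=3148 QueryName=www.homder.com
2022-05-21 00:55:02 Image=C:\\Windows\\Explorer.EXE ProcessId=3148 QueryName=HOMDER.COM.
2022-05-21 00:55:03 Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe ProcessId=512 QueryName=update.mozilla.org
2022-05-21 00:55:04 Image=C:\\Windows\\SysWOW64\\cmmon32.exe ProcessId=4784 QueryName=sprintstats.com
2022-05-21 00:55:05 Image=C:\\Windows\\SysWOW64\\cmmon32.exe ProcessId=4784 QueryName=nothomder.com
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) Image=(?P<image>.+?) ProcessId=(?P<pid>\d+) QueryName=(?P<qname>\S+)$"
)


def normalize(qname: str) -> str:
    """Lower-case and strip the trailing root dot so comparisons are stable."""
    return qname.strip().lower().rstrip(".")


def matching_domain(qname: str, domains=FORMBOOK_DOMAINS):
    """Return the configured domain that qname equals or is a subdomain of, else None.

    Walks label by label (www.homder.com -> homder.com) so that a lookup for a
    host under a configured domain still matches, while 'nothomder.com' does not.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_dns_log(text: str, domains=FORMBOOK_DOMAINS) -> dict:
    """Map each matched config domain to its (timestamp, pid, image, query) hits."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        hit = matching_domain(m["qname"], domains)
        if hit:
            hits[hit].append((m["ts"], int(m["pid"]), m["image"], m["qname"]))
    return dict(hits)


if __name__ == "__main__":
    for domain, events in sorted(scan_dns_log(SAMPLE_DNS_LOG).items()):
        print(domain)
        for ts, pid, image, query in events:
            print(f"  {ts}  pid={pid}  {image}  queried {query}")
```

The per-process attribution matters more than the domain match itself: in this sample the resolver is Explorer.EXE or a hollowed system binary such as cmmon32.exe, neither of which has any business talking to these hosts, and that pairing is what separates a decoy lookup from a real check-in.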
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET) (2 alerts)
-
Formbook Payload 2 IoCs
Processes:
  resource: behavioral2/memory/3192-132-0x00000000005B0000-0x00000000005DA000-memory.dmp
    yara_rule: formbook
  resource: behavioral2/memory/4784-138-0x0000000000640000-0x000000000066A000-memory.dmp
    yara_rule: formbook
-
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
  description: Key created
    ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    process: cmmon32.exe
  description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\LNID-6VHQVFX = "C:\\Program Files (x86)\\Hf0-lwv\\update5jclxnd.exe"
    process: cmmon32.exe
The Run value points at the copy dropped under Program Files (x86) (see "Drops file in Program Files directory" below), so persistence survives the later deletion of Quotation.exe. The Policies\Explorer\Run location is less commonly monitored than the plain CurrentVersion\Run key and should be included in autorun baselines.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data. In this run the concrete evidence is the cmd.exe copy of Chrome's "Login Data" database in the process tree below.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
  description: Key value queried
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0
    process: Quotation.exe
  description: Key opened
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
    process: Quotation.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
  PID 3192 (Quotation.exe) set thread context of 3148 (Explorer.EXE)
  PID 4784 (cmmon32.exe) set thread context of 3148 (Explorer.EXE)
Both the dropper and the hollowed system binary target the same Explorer.EXE instance, which is also their parent process.
-
Drops file in Program Files directory 1 IoCs
Processes:
  description: File opened for modification
    ioc: C:\Program Files (x86)\Hf0-lwv\update5jclxnd.exe
    process: cmmon32.exe
-
Modifies Internet Explorer settings
Processes:
  description: Key created
    ioc: \Registry\User\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
    process: cmmon32.exe
IntelliForms\Storage2 is where Internet Explorer keeps AutoComplete form and password data, so this access belongs with the credential-harvesting behaviour rather than a settings change.
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
Processes:
  3192 Quotation.exe (4 events)
  4784 cmmon32.exe (18 events)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  3148 Explorer.EXE
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
  3192 Quotation.exe (3 events)
  4784 cmmon32.exe (2 events)
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
  Token: SeDebugPrivilege, 3192 Quotation.exe
  Token: SeDebugPrivilege, 4784 cmmon32.exe
  Token: SeShutdownPrivilege, 3148 Explorer.EXE (2 events)
  Token: SeCreatePagefilePrivilege, 3148 Explorer.EXE (2 events)
The Explorer.EXE entries are typical of the shell itself; the SeDebugPrivilege requests by Quotation.exe and cmmon32.exe are the ones tied to the injection.
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
  PID 3148 (Explorer.EXE) wrote to memory of 4784 (cmmon32.exe) (3 events)
  PID 4784 (cmmon32.exe) wrote to memory of 4528 (cmd.exe) (3 events)
  PID 4784 (cmmon32.exe) wrote to memory of 3656 (cmd.exe) (3 events)
Processes
-
C:\Windows\Explorer.EXE (PID 3148)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Quotation.exe (PID 3192)
    command line: "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmmon32.exe (PID 4784)
    command line: "C:\Windows\SysWOW64\cmmon32.exe"
    - Adds policy Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
    C:\Windows\SysWOW64\cmd.exe
      command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
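The behaviours recorded above (the Policies\Explorer\Run value, SetThreadContext from a child into its parent Explorer.EXE, cmd.exe copying Chrome's Login Data, and cmd.exe deleting the dropper that had already run) expressed as detection rules over a small event stream. This is an added example, not code from the sandbox or the report: the Event shape, the rule names and the regexes are the editor's assumptions, and the events are constructed from the report's PIDs, images and command lines plus one benign cmd.exe line for the rules to ignore.

```python
"""Behavioural rules for the FormBook indicators in the report above.
Added example; events are constructed from the report, not captured."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str                 # "process_create" | "registry_set" | "set_thread_context"
    pid: int
    image: str
    cmdline: str = ""
    ppid: int = 0
    parent_image: str = ""
    target: str = ""          # registry value path, or target image for injection
    target_pid: int = 0
    details: str = ""         # registry value data


# Constructed from the report's process tree and IoCs (PIDs/paths as reported).
EVENTS = [
    Event("process_create", 3192, r"C:\Users\Admin\AppData\Local\Temp\Quotation.exe",
          r'"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"', 3148, r"C:\Windows\Explorer.EXE"),
    Event("set_thread_context", 3192, r"C:\Users\Admin\AppData\Local\Temp\Quotation.exe",
          target=r"C:\Windows\Explorer.EXE", target_pid=3148),
    Event("process_create", 4784, r"C:\Windows\SysWOW64\cmmon32.exe",
          r'"C:\Windows\SysWOW64\cmmon32.exe"', 3148, r"C:\Windows\Explorer.EXE"),
    Event("set_thread_context", 4784, r"C:\Windows\SysWOW64\cmmon32.exe",
          target=r"C:\Windows\Explorer.EXE", target_pid=3148),
    Event("registry_set", 4784, r"C:\Windows\SysWOW64\cmmon32.exe",
          target=r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\LNID-6VHQVFX",
          details=r"C:\Program Files (x86)\Hf0-lwv\update5jclxnd.exe"),
    Event("process_create", 4528, r"C:\Windows\SysWOW64\cmd.exe",
          r'/c del "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"', 4784, r"C:\Windows\SysWOW64\cmmon32.exe"),
    Event("process_create", 3656, r"C:\Windows\SysWOW64\cmd.exe",
          r'/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V',
          4784, r"C:\Windows\SysWOW64\cmmon32.exe"),
    # Benign noise (constructed): an ordinary copy that must not fire any rule.
    Event("process_create", 900, r"C:\Windows\System32\cmd.exe",
          r'/c copy "C:\Users\Admin\notes.txt" "C:\Users\Admin\backup\notes.txt"', 3148, r"C:\Windows\Explorer.EXE"),
]

RUN_POLICY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", re.I)
# Browser credential stores: Chrome/Edge "Login Data" and "Web Data", Firefox logins.json/key4.db.
CRED_STORE_RE = re.compile(r"\\(Login Data|logins\.json|key4\.db|Web Data)\b", re.I)
DEL_RE = re.compile(r'\bdel\b.*?"?([A-Za-z]:\\[^"]+?\.exe)"?', re.I)


def _is_cmd(e: Event) -> bool:
    return e.kind == "process_create" and e.image.lower().endswith("\\cmd.exe")


def rule_run_policy_persistence(events):
    """Autorun written under the Policies\\Explorer\\Run key."""
    return [(e.pid, e.image, e.target, e.details) for e in events
            if e.kind == "registry_set" and RUN_POLICY_RE.search(e.target)]


def rule_cross_process_thread_context(events):
    """SetThreadContext on another process; the last field marks a parent as the victim."""
    parents = {e.pid: e.ppid for e in events if e.kind == "process_create"}
    return [(e.pid, e.image, e.target_pid, e.target, parents.get(e.pid) == e.target_pid)
            for e in events if e.kind == "set_thread_context" and e.target_pid != e.pid]


def rule_browser_credential_copy(events):
    """cmd.exe copying a browser credential database somewhere else."""
    return [(e.pid, e.ppid, e.cmdline) for e in events
            if _is_cmd(e) and CRED_STORE_RE.search(e.cmdline)
            and re.search(r"\bcopy\b", e.cmdline, re.I)]


def rule_delete_executed_binary(events):
    """cmd.exe deleting an executable that ran earlier in the same stream (dropper clean-up)."""
    executed = {e.image.lower() for e in events if e.kind == "process_create"}
    hits = []
    for e in events:
        m = DEL_RE.search(e.cmdline) if _is_cmd(e) else None
        if m and m.group(1).lower() in executed:
            hits.append((e.pid, e.ppid, m.group(1)))
    return hits


def run_all(events):
    return {
        "run_policy_persistence": rule_run_policy_persistence(events),
        "cross_process_thread_context": rule_cross_process_thread_context(events),
        "browser_credential_copy": rule_browser_credential_copy(events),
        "delete_executed_binary": rule_delete_executed_binary(events),
    }


if __name__ == "__main__":
    for name, hits in run_all(EVENTS).items():
        print(f"{name}: {len(hits)} hit(s)")
        for hit in hits:
            print("   ", hit)
```

The self-delete rule correlates across events rather than matching `del` alone: a deletion is only interesting when the file being removed is one that already executed, which is exactly the dropper pattern here. The injection rule likewise keeps the parent relationship, because a child rewriting its own parent's thread context (cmmon32.exe into the Explorer.EXE that launched it) is the distinctive FormBook shape and is cheap to separate from ordinary debugger or instrumentation traffic.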
Downloads
-
C:\Users\Admin\AppData\Local\Temp\DB1
  Filesize: 40KB
  MD5: b608d407fc15adea97c26936bc6f03f6
  SHA1: 953e7420801c76393902c0d6bb56148947e41571
  SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
  SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
  DB1 is the copy of Chrome's "Login Data" database made by the cmd.exe /c copy in the process tree above; its hashes identify the sandbox's browser profile, not the malware, and should not be used as detection indicators.
-
memory/3148-135-0x00000000032C0000-0x00000000033E3000-memory.dmp
  Filesize: 1.1MB
-
memory/3148-142-0x00000000086F0000-0x0000000008839000-memory.dmp
  Filesize: 1.3MB
-
memory/3192-131-0x00000000052D0000-0x0000000005874000-memory.dmp
  Filesize: 5.6MB
-
memory/3192-132-0x00000000005B0000-0x00000000005DA000-memory.dmp
  Filesize: 168KB
-
memory/3192-133-0x0000000005880000-0x0000000005BCA000-memory.dmp
  Filesize: 3.3MB
-
memory/3192-134-0x0000000000A00000-0x0000000000A14000-memory.dmp
  Filesize: 80KB
-
memory/3192-130-0x0000000000180000-0x00000000001E4000-memory.dmp
  Filesize: 400KB
-
memory/3656-143-0x0000000000000000-mapping.dmp
-
memory/4528-140-0x0000000000000000-mapping.dmp
-
memory/4784-136-0x0000000000000000-mapping.dmp
-
memory/4784-141-0x0000000002400000-0x0000000002493000-memory.dmp
  Filesize: 588KB
-
memory/4784-139-0x0000000002670000-0x00000000029BA000-memory.dmp
  Filesize: 3.3MB
-
memory/4784-138-0x0000000000640000-0x000000000066A000-memory.dmp
  Filesize: 168KB
-
memory/4784-137-0x0000000000EE0000-0x0000000000EEC000-memory.dmp
  Filesize: 48KB
The two 168KB dumps (3192-132 and 4784-138) are the regions that matched the formbook yara rule in the Signatures section and are the ones to carve for the unpacked payload.