General

Target: QUOTATION.exe
Filesize: 810KB
Completed: 21-05-2022 03:55
Task: behavioral1
Score: 10/10

MD5: f516dea583b4b0f7fcb8d6dd89699f78
SHA1: a7e60518cf65022b9ce54993ba40bca09b3a024c
SHA256: 2f1b95fb8123decdb56781dc245603e02ff9a1d2c2962d51fab3946712059a0a
SHA512: d079db285753c2b74f4c2520042f2857a4523c8551da6dcad0ff5e02c28348585cf7ee126b0772977faf89fd4de0bf7cd3c96fea7a5069a5ef3d810df1147b92

(The last digest is 128 hex digits, i.e. 512 bits; it was mislabelled SHA256 on the page.)

Malware Config

Signatures 15

Tags: Defense Evasion, Persistence
  • Formbook

    Description

    Formbook is an information-stealing malware family sold as malware-as-a-service: it hooks browsers and other applications to grab submitted form data and credentials, logs keystrokes and clipboard contents, takes screenshots, and can download and run additional payloads on command from its C2.

  • Xloader

    Description

    Xloader is a rebranded version of Formbook, sold under the new name since 2020.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    Description

    Emerging Threats network signature for the FormBook/Xloader C2 check-in (HTTP GET); it matched traffic generated during this run.

  • Xloader Payload

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/1632-63-0x000000000041C790-mapping.dmp | xloader
    behavioral1/memory/1632-62-0x0000000000400000-0x0000000000428000-memory.dmp | xloader
    behavioral1/memory/1632-65-0x0000000000400000-0x0000000000428000-memory.dmp | xloader
    behavioral1/memory/1084-73-0x0000000000080000-0x00000000000A8000-memory.dmp | xloader

    The rule fires on the 0x28000-byte image written into the hollowed QUOTATION.exe (PID 1632) at 0x400000 and on an image of identical size in mstsc.exe (PID 1084) at 0x80000. The mapping dump at 0x41C790 lies inside the first of those regions, consistent with execution having been redirected into the injected image.
  • Adds policy Run key to start application
    mstsc.exe

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | mstsc.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\JTH0NRUHVFE = "C:\\Program Files (x86)\\Zwnuxv4rh\\colorcplg0h.exe" | mstsc.exe

    The value name, the directory under Program Files (x86) and the executable name are all generated at random, so hunt on the key path rather than on these strings. Values under Policies\Explorer\Run autostart at logon like the ordinary Run key but are monitored far less often, and because this one is under HKLM it applies to every user of the machine.
  • Deletes itself
    cmd.exe

    Reported IOCs

    pid | process
    320 | cmd.exe

    cmd.exe is spawned by mstsc.exe (PID 1084) with /c del against the original sample path once the payload is running from its new host (see the process tree below).
  • Suspicious use of SetThreadContext
    QUOTATION.exe, mstsc.exe

    Reported IOCs

    description | pid | process | target process
    PID 1304 set thread context of 1632 | 1304 | QUOTATION.exe | QUOTATION.exe
    PID 1632 set thread context of 1268 | 1632 | QUOTATION.exe | Explorer.EXE
    PID 1084 set thread context of 1268 | 1084 | mstsc.exe | Explorer.EXE

    Three stages: the sample hollows a second copy of itself (1304 -> 1632), the hollowed copy hijacks a thread in Explorer.EXE (1632 -> 1268), and after Explorer has been made to launch mstsc.exe the new host hijacks Explorer again (1084 -> 1268). The hop via Explorer into a system binary picked from a fixed list is the characteristic Formbook/Xloader injection pattern.
  • Drops file in Program Files directory
    mstsc.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Program Files (x86)\Zwnuxv4rh\colorcplg0h.exe | mstsc.exe
  • Modifies Internet Explorer settings
    mstsc.exe

    TTPs

    Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \Registry\User\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | mstsc.exe

    IntelliForms\Storage2 is where Internet Explorer keeps saved autocomplete credentials; opening it fits the stealer harvesting stored form data rather than changing a browser setting.
  • Suspicious behavior: EnumeratesProcesses
    QUOTATION.exe, mstsc.exe

    Reported IOCs

    pid | process | occurrences
    1632 | QUOTATION.exe | 2
    1084 | mstsc.exe | 9
  • Suspicious behavior: MapViewOfSection
    QUOTATION.exe, mstsc.exe

    Reported IOCs

    pid | process | occurrences
    1632 | QUOTATION.exe | 3
    1084 | mstsc.exe | 4
  • Suspicious use of AdjustPrivilegeToken
    QUOTATION.exe, mstsc.exe, Explorer.EXE

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1632 | QUOTATION.exe
    Token: SeDebugPrivilege | 1084 | mstsc.exe
    Token: SeShutdownPrivilege | 1268 | Explorer.EXE

    SeDebugPrivilege in the two payload hosts is what lets them open and write other processes; SeShutdownPrivilege in Explorer.EXE is ordinary shell behaviour.
  • Suspicious use of FindShellTrayWindow
    Explorer.EXE

    Reported IOCs

    pid | process | occurrences
    1268 | Explorer.EXE | 2

  • Suspicious use of SendNotifyMessage
    Explorer.EXE

    Reported IOCs

    pid | process | occurrences
    1268 | Explorer.EXE | 2

    Both are normal shell APIs; they are listed because Explorer.EXE is running injected code in this trace, not because the calls are suspicious on their own.
  • Suspicious use of WriteProcessMemory
    QUOTATION.exe, Explorer.EXE, mstsc.exe

    Reported IOCs

    description | pid | process | target process | occurrences
    PID 1304 wrote to memory of 1632 | 1304 | QUOTATION.exe | QUOTATION.exe | 7
    PID 1268 wrote to memory of 1084 | 1268 | Explorer.EXE | mstsc.exe | 4
    PID 1084 wrote to memory of 320 | 1084 | mstsc.exe | cmd.exe | 4
    PID 1084 wrote to memory of 1504 | 1084 | mstsc.exe | Firefox.exe | 5

    The 1304 -> 1632 and 1268 -> 1084 writes pair with the SetThreadContext entries and the Xloader YARA hits and are the injection evidence. The writes into the cmd.exe and Firefox.exe children coincide with mstsc.exe creating them, and no Xloader payload was reported in either, so the counts alone do not show injection there.
Processes 6
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of FindShellTrayWindow
    Suspicious use of SendNotifyMessage
    Suspicious use of WriteProcessMemory
    PID:1268
    • C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe
      "C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe"
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1304
      • C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe
        "C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe"
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        PID:1632
    • C:\Windows\SysWOW64\mstsc.exe
      "C:\Windows\SysWOW64\mstsc.exe"
      Adds policy Run key to start application
      Suspicious use of SetThreadContext
      Drops file in Program Files directory
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1084
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe"
        Deletes itself
        PID:320
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        PID:1504
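The chain above can be recovered mechanically from the signature tables. The Python below is an added example, not part of the sandbox report or of any tooling it describes: the process list and the events are constructed by hand from the tables in this report, and Proc, Event and the find_* helpers are names chosen here. It shows how a triage script separates process hollowing (T1055.012, a parent writing into and redirecting a child that runs the parent's own image) from a thread hijack of a process the caller did not create (T1055.003), then picks out the host that the hijacked Explorer was made to spawn, the Policies\Explorer\Run persistence and the self-delete.

```python
"""Correlate sandbox behaviour events into an injection and persistence chain.

Added example: the process list and events are constructed by hand from the
signature tables in this report, not emitted by the sandbox.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    parent: Optional[int]
    cmdline: str = ""


@dataclass(frozen=True)
class Event:
    kind: str                      # write_memory | set_thread_context | reg_set
    pid: int                       # acting process
    target: Optional[int] = None   # target pid for cross-process events
    detail: str = ""               # "key\\value=data" for reg_set


PROCS: Dict[int, Proc] = {p.pid: p for p in [
    Proc(1268, r"C:\Windows\Explorer.EXE", None),
    Proc(1304, r"C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe", 1268),
    Proc(1632, r"C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe", 1304),
    Proc(1084, r"C:\Windows\SysWOW64\mstsc.exe", 1268),
    Proc(320, r"C:\Windows\SysWOW64\cmd.exe", 1084,
         r'/c del "C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe"'),
    Proc(1504, r"C:\Program Files\Mozilla Firefox\Firefox.exe", 1084),
]}

EVENTS: List[Event] = [
    Event("write_memory", 1304, 1632),
    Event("set_thread_context", 1304, 1632),
    Event("set_thread_context", 1632, 1268),
    Event("write_memory", 1268, 1084),
    Event("set_thread_context", 1084, 1268),
    Event("reg_set", 1084, detail=(
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\JTH0NRUHVFE"
        r"=C:\Program Files (x86)\Zwnuxv4rh\colorcplg0h.exe")),
    Event("write_memory", 1084, 320),
    Event("write_memory", 1084, 1504),
]

POLICY_RUN = "\\policies\\explorer\\run\\"


def pairs(events: List[Event], kind: str) -> Set[Tuple[int, int]]:
    """(actor, target) pairs for one kind of cross-process event."""
    return {(e.pid, e.target) for e in events if e.kind == kind and e.target is not None}


def find_hollowing(procs: Dict[int, Proc], events: List[Event]) -> List[Tuple[int, int]]:
    """Process hollowing (T1055.012): a parent writes into a child that runs the
    parent's own image and then redirects the child's thread with SetThreadContext."""
    both = pairs(events, "write_memory") & pairs(events, "set_thread_context")
    return sorted((s, t) for s, t in both
                  if procs[t].parent == s and procs[t].image.lower() == procs[s].image.lower())


def find_thread_hijack(procs: Dict[int, Proc], events: List[Event]) -> List[Tuple[int, int]]:
    """Thread execution hijacking (T1055.003): SetThreadContext on a process the
    caller did not create, here the shell."""
    return sorted((s, t) for s, t in pairs(events, "set_thread_context") if procs[t].parent != s)


def find_proxy_hosts(procs: Dict[int, Proc], events: List[Event]) -> List[int]:
    """Children that a hijacked process spawned and wrote into: the payload's next host."""
    hijacked = {t for _, t in find_thread_hijack(procs, events)}
    return sorted(t for s, t in pairs(events, "write_memory")
                  if s in hijacked and procs[t].parent == s)


def find_policy_run_persistence(events: List[Event]) -> List[Tuple[int, str, str]]:
    """(pid, value name, launched path) for values set under Policies\\Explorer\\Run."""
    hits = []
    for e in events:
        if e.kind == "reg_set" and POLICY_RUN in e.detail.lower():
            key, _, data = e.detail.partition("=")
            hits.append((e.pid, key.rsplit("\\", 1)[1], data))
    return hits


def find_self_delete(procs: Dict[int, Proc]) -> List[Tuple[int, Optional[int], str]]:
    """(cmd pid, parent pid, deleted path) when cmd.exe deletes another process's image."""
    hits = []
    for p in procs.values():
        cl = p.cmdline.lower()
        if not (p.image.lower().endswith("\\cmd.exe") and "del " in cl):
            continue
        for q in procs.values():
            if q.pid != p.pid and q.image.lower() in cl:
                hits.append((p.pid, p.parent, q.image))
                break
    return hits


if __name__ == "__main__":
    print("hollowing      :", find_hollowing(PROCS, EVENTS))
    print("thread hijack  :", find_thread_hijack(PROCS, EVENTS))
    print("proxy hosts    :", find_proxy_hosts(PROCS, EVENTS))
    print("policy Run key :", find_policy_run_persistence(EVENTS))
    print("self delete    :", find_self_delete(PROCS))
```

The hollowing check deliberately requires all three conditions (write, context change, same image as the parent); dropping the same-image test would also match the Explorer -> mstsc.exe stage, which is a different technique and is caught by find_thread_hijack plus find_proxy_hosts instead.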
Network
MITRE ATT&CK Matrix

Persistence: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)
Defense Evasion: Modify Registry (T1112)
Downloads

Memory dumps, grouped by process; the number after the PID is the order in which the sandbox took the dump.

QUOTATION.exe (PID 1304)
  • memory/1304-54-0x0000000000880000-0x0000000000950000-memory.dmp
  • memory/1304-55-0x0000000076531000-0x0000000076533000-memory.dmp
  • memory/1304-56-0x0000000000390000-0x00000000003A0000-memory.dmp
  • memory/1304-57-0x0000000004B60000-0x0000000004BC8000-memory.dmp
  • memory/1304-58-0x0000000002000000-0x000000000203E000-memory.dmp

QUOTATION.exe, hollowed copy (PID 1632)
  • memory/1632-59-0x0000000000400000-0x0000000000428000-memory.dmp
  • memory/1632-60-0x0000000000400000-0x0000000000428000-memory.dmp
  • memory/1632-62-0x0000000000400000-0x0000000000428000-memory.dmp
  • memory/1632-63-0x000000000041C790-mapping.dmp
  • memory/1632-65-0x0000000000400000-0x0000000000428000-memory.dmp
  • memory/1632-66-0x0000000000BF0000-0x0000000000EF3000-memory.dmp
  • memory/1632-67-0x00000000000B0000-0x00000000000C0000-memory.dmp

Explorer.EXE (PID 1268)
  • memory/1268-68-0x0000000004D50000-0x0000000004E24000-memory.dmp
  • memory/1268-76-0x00000000063C0000-0x00000000064A3000-memory.dmp

mstsc.exe (PID 1084)
  • memory/1084-69-0x0000000000000000-mapping.dmp
  • memory/1084-72-0x0000000000490000-0x0000000000594000-memory.dmp
  • memory/1084-73-0x0000000000080000-0x00000000000A8000-memory.dmp
  • memory/1084-74-0x0000000002130000-0x0000000002433000-memory.dmp
  • memory/1084-75-0x0000000002060000-0x00000000020EF000-memory.dmp

cmd.exe (PID 320)
  • memory/320-71-0x0000000000000000-mapping.dmp
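Which of these dumps to pull is decided by the YARA hits earlier in the report. The Python below is an added example, not part of the report or of the sandbox's tooling: it parses the dump file names listed here (the memory/<pid>-<seq>-<start>[-<end>]-<memory|mapping>.dmp convention is read off the list itself; Dump, parse_dump, dumps_in_region and shared_region_sizes are names chosen here), selects every dump that overlaps the flagged 0x400000-0x428000 region of PID 1632, and lists region sizes that recur across processes. A recurring size is only a heuristic that the same unpacked module sits in two hosts, not proof, which is why the helper is kept separate from the YARA-driven selection.

```python
"""Map sandbox memory-dump names onto process address regions.

Added example: the file names are the ones listed in this report; the parsing
helpers and the shared-size heuristic are written here for illustration.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple


class Dump(NamedTuple):
    pid: int
    seq: int            # order in which the sandbox took the dump
    start: int
    end: Optional[int]  # None for thread-mapping dumps, which record one address
    kind: str           # "memory" or "mapping"


DUMP_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(memory|mapping)\.dmp$")


def parse_dump(name: str) -> Dump:
    """Split one dump file name into its pid, sequence number, range and kind."""
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError(f"not a dump name: {name}")
    pid, seq, start, end, kind = m.groups()
    return Dump(int(pid), int(seq), int(start, 16), int(end, 16) if end else None, kind)


# Dump names as listed in this report's Downloads section.
DUMP_NAMES = [
    "memory/320-71-0x0000000000000000-mapping.dmp",
    "memory/1084-74-0x0000000002130000-0x0000000002433000-memory.dmp",
    "memory/1084-73-0x0000000000080000-0x00000000000A8000-memory.dmp",
    "memory/1084-72-0x0000000000490000-0x0000000000594000-memory.dmp",
    "memory/1084-75-0x0000000002060000-0x00000000020EF000-memory.dmp",
    "memory/1084-69-0x0000000000000000-mapping.dmp",
    "memory/1268-76-0x00000000063C0000-0x00000000064A3000-memory.dmp",
    "memory/1268-68-0x0000000004D50000-0x0000000004E24000-memory.dmp",
    "memory/1304-55-0x0000000076531000-0x0000000076533000-memory.dmp",
    "memory/1304-56-0x0000000000390000-0x00000000003A0000-memory.dmp",
    "memory/1304-57-0x0000000004B60000-0x0000000004BC8000-memory.dmp",
    "memory/1304-58-0x0000000002000000-0x000000000203E000-memory.dmp",
    "memory/1304-54-0x0000000000880000-0x0000000000950000-memory.dmp",
    "memory/1632-67-0x00000000000B0000-0x00000000000C0000-memory.dmp",
    "memory/1632-65-0x0000000000400000-0x0000000000428000-memory.dmp",
    "memory/1632-62-0x0000000000400000-0x0000000000428000-memory.dmp",
    "memory/1632-63-0x000000000041C790-mapping.dmp",
    "memory/1632-60-0x0000000000400000-0x0000000000428000-memory.dmp",
    "memory/1632-59-0x0000000000400000-0x0000000000428000-memory.dmp",
    "memory/1632-66-0x0000000000BF0000-0x0000000000EF3000-memory.dmp",
]
DUMPS = [parse_dump(n) for n in DUMP_NAMES]


def dumps_in_region(dumps: List[Dump], pid: int, lo: int, hi: int) -> List[Dump]:
    """Dumps of `pid` that touch [lo, hi): region dumps by overlap, mapping dumps by address."""
    out = []
    for d in dumps:
        if d.pid != pid:
            continue
        if d.kind == "mapping":
            hit = lo <= d.start < hi
        else:
            hit = d.start < hi and d.end > lo
        if hit:
            out.append(d)
    return sorted(out, key=lambda d: d.seq)


def shared_region_sizes(dumps: List[Dump], min_size: int = 0) -> Dict[int, List[Tuple[int, int]]]:
    """Region sizes (>= min_size) dumped from more than one process -> sorted (pid, base) list.
    Equal sizes in two hosts hint, without proving, that the same unpacked module is in both."""
    by_size = defaultdict(set)
    for d in dumps:
        if d.kind == "memory" and d.end - d.start >= min_size:
            by_size[d.end - d.start].add((d.pid, d.start))
    return {size: sorted(regs) for size, regs in by_size.items()
            if len({pid for pid, _ in regs}) > 1}


if __name__ == "__main__":
    for d in dumps_in_region(DUMPS, 1632, 0x400000, 0x428000):
        print(f"pull seq {d.seq}: {d.kind} @ {d.start:#x}")
    for size, regs in sorted(shared_region_sizes(DUMPS, min_size=0x20000).items()):
        print(f"size {size:#x} in", ", ".join(f"pid {p} @ {b:#x}" for p, b in regs))
```

Run against this report the region query returns the four dumps of the 0x400000 image plus the 0x41C790 mapping dump, and the size query reports two sizes shared between PID 1632 and PID 1084: 0x28000 (the YARA-flagged images) and 0x303000 (1632-66 and 1084-74), the second of which the YARA rule did not flag and is therefore worth a manual look.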