General

Target:    QUOTATION.exe
Filesize:  810KB
Completed: 21-05-2022 03:54
Task:      behavioral2
Score:     10/10

MD5:    f516dea583b4b0f7fcb8d6dd89699f78
SHA1:   a7e60518cf65022b9ce54993ba40bca09b3a024c
SHA256: 2f1b95fb8123decdb56781dc245603e02ff9a1d2c2962d51fab3946712059a0a
SHA512: d079db285753c2b74f4c2520042f2857a4523c8551da6dcad0ff5e02c28348585cf7ee126b0772977faf89fd4de0bf7cd3c96fea7a5069a5ef3d810df1147b92

Malware Config

Signatures 14

Tactics: Collection, Credential Access, Defense Evasion, Discovery, Persistence

  • Formbook

    Description

    Formbook is a data-stealing malware family.

  • Xloader

    Description

    Xloader is a rebranded version of Formbook malware.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    Description

    suricata: ET MALWARE FormBook CnC Checkin (GET)

  • Xloader Payload

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/1464-137-0x0000000000400000-0x0000000000428000-memory.dmp | xloader
    behavioral2/memory/1464-139-0x0000000000400000-0x0000000000428000-memory.dmp | xloader
    behavioral2/memory/208-145-0x0000000000610000-0x0000000000638000-memory.dmp | xloader
  • Adds policy Run key to start application
    chkdsk.exe

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | chkdsk.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\YXVHPFCPZDNX = "C:\\Program Files (x86)\\Bobupu\\fbc0tx4hd.exe" | chkdsk.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    TTPs

    Data from Local System; Credentials in Files
  • Suspicious use of SetThreadContext
    QUOTATION.exeQUOTATION.exechkdsk.exe

    Reported IOCs

    description | pid | process | target process
    PID 4388 set thread context of 1464 | 4388 | QUOTATION.exe | QUOTATION.exe
    PID 1464 set thread context of 3036 | 1464 | QUOTATION.exe | Explorer.EXE
    PID 208 set thread context of 3036 | 208 | chkdsk.exe | Explorer.EXE
  • Drops file in Program Files directory
    chkdsk.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Program Files (x86)\Bobupu\fbc0tx4hd.exe | chkdsk.exe
  • Enumerates system info in registry
    chkdsk.exe

    TTPs

    Query Registry; System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | chkdsk.exe
  • Modifies Internet Explorer settings
    chkdsk.exe

    TTPs

    Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \Registry\User\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | chkdsk.exe
  • Suspicious behavior: EnumeratesProcesses
    QUOTATION.exechkdsk.exe

    Reported IOCs

    pid | process
    1464 | QUOTATION.exe
    1464 | QUOTATION.exe
    1464 | QUOTATION.exe
    1464 | QUOTATION.exe
    208 | chkdsk.exe
    208 | chkdsk.exe
    208 | chkdsk.exe
    208 | chkdsk.exe
    208 | chkdsk.exe
    208 | chkdsk.exe
    208 | chkdsk.exe
    208 | chkdsk.exe
    208 | chkdsk.exe
    208 | chkdsk.exe
    208 | chkdsk.exe
    208 | chkdsk.exe
    208 | chkdsk.exe
    208 | chkdsk.exe
    208 | chkdsk.exe
    208 | chkdsk.exe
    208 | chkdsk.exe
    208 | chkdsk.exe
  • Suspicious behavior: MapViewOfSection
    QUOTATION.exechkdsk.exe

    Reported IOCs

    pid | process
    1464 | QUOTATION.exe
    1464 | QUOTATION.exe
    1464 | QUOTATION.exe
    208 | chkdsk.exe
    208 | chkdsk.exe
    208 | chkdsk.exe
    208 | chkdsk.exe
  • Suspicious use of AdjustPrivilegeToken
    QUOTATION.exechkdsk.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1464 | QUOTATION.exe
    Token: SeDebugPrivilege | 208 | chkdsk.exe
  • Suspicious use of WriteProcessMemory
    QUOTATION.exeExplorer.EXEchkdsk.exe

    Reported IOCs

    description | pid | process | target process
    PID 4388 wrote to memory of 1464 | 4388 | QUOTATION.exe | QUOTATION.exe
    PID 4388 wrote to memory of 1464 | 4388 | QUOTATION.exe | QUOTATION.exe
    PID 4388 wrote to memory of 1464 | 4388 | QUOTATION.exe | QUOTATION.exe
    PID 4388 wrote to memory of 1464 | 4388 | QUOTATION.exe | QUOTATION.exe
    PID 4388 wrote to memory of 1464 | 4388 | QUOTATION.exe | QUOTATION.exe
    PID 4388 wrote to memory of 1464 | 4388 | QUOTATION.exe | QUOTATION.exe
    PID 3036 wrote to memory of 208 | 3036 | Explorer.EXE | chkdsk.exe
    PID 3036 wrote to memory of 208 | 3036 | Explorer.EXE | chkdsk.exe
    PID 3036 wrote to memory of 208 | 3036 | Explorer.EXE | chkdsk.exe
    PID 208 wrote to memory of 4172 | 208 | chkdsk.exe | cmd.exe
    PID 208 wrote to memory of 4172 | 208 | chkdsk.exe | cmd.exe
    PID 208 wrote to memory of 4172 | 208 | chkdsk.exe | cmd.exe
    PID 208 wrote to memory of 3736 | 208 | chkdsk.exe | cmd.exe
    PID 208 wrote to memory of 3736 | 208 | chkdsk.exe | cmd.exe
    PID 208 wrote to memory of 3736 | 208 | chkdsk.exe | cmd.exe
    PID 208 wrote to memory of 4112 | 208 | chkdsk.exe | Firefox.exe
    PID 208 wrote to memory of 4112 | 208 | chkdsk.exe | Firefox.exe
    PID 208 wrote to memory of 4112 | 208 | chkdsk.exe | Firefox.exe
Processes 7
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    Suspicious use of WriteProcessMemory
    PID:3036
    • C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe
      "C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe"
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4388
      • C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe
        "C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe"
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        PID:1464
    • C:\Windows\SysWOW64\chkdsk.exe
      "C:\Windows\SysWOW64\chkdsk.exe"
      Adds policy Run key to start application
      Suspicious use of SetThreadContext
      Drops file in Program Files directory
      Enumerates system info in registry
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:208
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe"
        PID:4172
      • C:\Windows\SysWOW64\cmd.exe
        /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
        PID:3736
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        PID:4112
Network
MITRE ATT&CK Matrix (column headings only): Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation

Downloads
  • C:\Users\Admin\AppData\Local\Temp\DB1
    MD5:    b608d407fc15adea97c26936bc6f03f6
    SHA1:   953e7420801c76393902c0d6bb56148947e41571
    SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
    SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
  • memory/208-148-0x0000000000CE0000-0x0000000000D6F000-memory.dmp
  • memory/208-147-0x0000000001040000-0x000000000138A000-memory.dmp
  • memory/208-145-0x0000000000610000-0x0000000000638000-memory.dmp
  • memory/208-144-0x0000000000CD0000-0x0000000000CDA000-memory.dmp
  • memory/208-143-0x0000000000000000-mapping.dmp
  • memory/1464-136-0x0000000000000000-mapping.dmp
  • memory/1464-137-0x0000000000400000-0x0000000000428000-memory.dmp
  • memory/1464-139-0x0000000000400000-0x0000000000428000-memory.dmp
  • memory/1464-142-0x0000000001500000-0x0000000001510000-memory.dmp
  • memory/1464-141-0x0000000001A80000-0x0000000001DCA000-memory.dmp
  • memory/3036-140-0x0000000007F20000-0x000000000809F000-memory.dmp
  • memory/3036-149-0x0000000002720000-0x00000000027BE000-memory.dmp
  • memory/3736-150-0x0000000000000000-mapping.dmp
  • memory/4172-146-0x0000000000000000-mapping.dmp
  • memory/4388-133-0x0000000005B10000-0x0000000005BA2000-memory.dmp
  • memory/4388-132-0x00000000060C0000-0x0000000006664000-memory.dmp
  • memory/4388-131-0x0000000005A70000-0x0000000005B0C000-memory.dmp
  • memory/4388-135-0x0000000005D40000-0x0000000005D96000-memory.dmp
  • memory/4388-134-0x0000000005A40000-0x0000000005A4A000-memory.dmp
  • memory/4388-130-0x0000000000FE0000-0x00000000010B0000-memory.dmp