Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
26-06-2022 19:16
General
-
Target
Quote.js
-
Size
333KB
-
MD5
975684a4e4f41819184343aad1824ed8
-
SHA1
3292e50015630dc896151bafb32049a6521f062d
-
SHA256
7e99192187bcad849b96bc9cd69254a2e68fef8ad1c73df7a410ba90ef2b898a
-
SHA512
3c1ebcd24d0305e1685015acf61744f8c8766154309955899309f7bdb7e6c82004201e554aa6f59a68d5c208391478022d4192f8c05631bea64c3e252b26cf11
Malware Config
Signatures
-
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
-
Xloader Payload 6 IoCs
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Blocklisted process makes network request 6 IoCs
-
Executes dropped EXE 2 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 60 IoCs
-
Suspicious behavior: MapViewOfSection 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\Quote.js2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\jmKZSbFFzi.js"3⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\bin.exe"C:\Users\Admin\AppData\Local\Temp\bin.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\ipconfig.exe"C:\Windows\SysWOW64\ipconfig.exe"2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Gathers network information
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\bin.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exe/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V3⤵
-
C:\Windows\SysWOW64\cmd.exe/c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V3⤵
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
-
C:\Program Files (x86)\Yr2sdejq8\q2atp0h_r.exe"C:\Program Files (x86)\Yr2sdejq8\q2atp0h_r.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Yr2sdejq8\q2atp0h_r.exeFilesize
177KB
MD5325e9bc40c665d845e9edd875631ec48
SHA16f325ce61e9d8916cced15919cbd84fce584e14f
SHA256c3b9bd6a3c03e763f6255c275cbb3a068de6feef7417d18b7a3e92c6b28753e5
SHA51202760fc7cd93075f8fdb35e0a87dfee062c718fe03a28408da6a03d37eb6e39a3388c0c01611cee8d28422b930346c92f4242538a29daa8ad0a3b5cdf8d69dc4
-
C:\Program Files (x86)\Yr2sdejq8\q2atp0h_r.exeFilesize
177KB
MD5325e9bc40c665d845e9edd875631ec48
SHA16f325ce61e9d8916cced15919cbd84fce584e14f
SHA256c3b9bd6a3c03e763f6255c275cbb3a068de6feef7417d18b7a3e92c6b28753e5
SHA51202760fc7cd93075f8fdb35e0a87dfee062c718fe03a28408da6a03d37eb6e39a3388c0c01611cee8d28422b930346c92f4242538a29daa8ad0a3b5cdf8d69dc4
-
C:\Users\Admin\AppData\Local\Temp\DB1Filesize
40KB
MD5b608d407fc15adea97c26936bc6f03f6
SHA1953e7420801c76393902c0d6bb56148947e41571
SHA256b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
-
C:\Users\Admin\AppData\Local\Temp\DB1Filesize
48KB
MD5349e6eb110e34a08924d92f6b334801d
SHA1bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA5122a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
C:\Users\Admin\AppData\Local\Temp\bin.exeFilesize
177KB
MD5325e9bc40c665d845e9edd875631ec48
SHA16f325ce61e9d8916cced15919cbd84fce584e14f
SHA256c3b9bd6a3c03e763f6255c275cbb3a068de6feef7417d18b7a3e92c6b28753e5
SHA51202760fc7cd93075f8fdb35e0a87dfee062c718fe03a28408da6a03d37eb6e39a3388c0c01611cee8d28422b930346c92f4242538a29daa8ad0a3b5cdf8d69dc4
-
C:\Users\Admin\AppData\Local\Temp\bin.exeFilesize
177KB
MD5325e9bc40c665d845e9edd875631ec48
SHA16f325ce61e9d8916cced15919cbd84fce584e14f
SHA256c3b9bd6a3c03e763f6255c275cbb3a068de6feef7417d18b7a3e92c6b28753e5
SHA51202760fc7cd93075f8fdb35e0a87dfee062c718fe03a28408da6a03d37eb6e39a3388c0c01611cee8d28422b930346c92f4242538a29daa8ad0a3b5cdf8d69dc4
-
C:\Users\Admin\AppData\Roaming\jmKZSbFFzi.jsFilesize
5KB
MD59863c73f15497e207b6cc2bb6a6b478f
SHA14c6fb94ac90f82ed1597b49ff325bf3f4ab57f1e
SHA256412723906aba11c0c59dd6c68ae931cfa576d0ca669679b23d16769b82a1a81d
SHA512aed1e675dd8c2a4b95d437862f074675bd2fc8eea1ab99dc9075fecda41bdc394288eb72ab9a1f34877313ae0dd6003c2c868a17187c59c76f0fd8d6037a7ccc
-
memory/1416-149-0x0000000000000000-mapping.dmp
-
memory/1484-130-0x0000000000000000-mapping.dmp
-
memory/2064-151-0x0000000000000000-mapping.dmp
-
memory/3152-147-0x0000000002B50000-0x0000000002C79000-memory.dmpFilesize
1.2MB
-
memory/3152-137-0x00000000084D0000-0x0000000008671000-memory.dmpFilesize
1.6MB
-
memory/3152-139-0x0000000008AB0000-0x0000000008C52000-memory.dmpFilesize
1.6MB
-
memory/3152-148-0x0000000002B50000-0x0000000002C79000-memory.dmpFilesize
1.2MB
-
memory/4212-141-0x0000000000000000-mapping.dmp
-
memory/4216-142-0x0000000000620000-0x000000000062B000-memory.dmpFilesize
44KB
-
memory/4216-146-0x00000000006F0000-0x000000000071D000-memory.dmpFilesize
180KB
-
memory/4216-145-0x0000000000CF0000-0x0000000000D80000-memory.dmpFilesize
576KB
-
memory/4216-144-0x00000000006F0000-0x000000000071D000-memory.dmpFilesize
180KB
-
memory/4216-143-0x0000000000EA0000-0x00000000011EA000-memory.dmpFilesize
3.3MB
-
memory/4216-140-0x0000000000000000-mapping.dmp
-
memory/4620-153-0x0000000000000000-mapping.dmp
-
memory/4620-156-0x0000000000EB0000-0x00000000011FA000-memory.dmpFilesize
3.3MB
-
memory/5008-138-0x0000000000E60000-0x0000000000E71000-memory.dmpFilesize
68KB
-
memory/5008-136-0x0000000000A60000-0x0000000000A71000-memory.dmpFilesize
68KB
-
memory/5008-135-0x0000000000AA0000-0x0000000000DEA000-memory.dmpFilesize
3.3MB
-
memory/5008-132-0x0000000000000000-mapping.dmp