Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
26-06-2022 19:16
Static task
static1
Behavioral task
behavioral1
Sample
Quote.js
Resource
win7-20220414-en
General
-
Target
Quote.js
-
Size
333KB
-
MD5
975684a4e4f41819184343aad1824ed8
-
SHA1
3292e50015630dc896151bafb32049a6521f062d
-
SHA256
7e99192187bcad849b96bc9cd69254a2e68fef8ad1c73df7a410ba90ef2b898a
-
SHA512
3c1ebcd24d0305e1685015acf61744f8c8766154309955899309f7bdb7e6c82004201e554aa6f59a68d5c208391478022d4192f8c05631bea64c3e252b26cf11
Malware Config
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
-
Xloader Payload 6 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\bin.exe xloader C:\Users\Admin\AppData\Local\Temp\bin.exe xloader behavioral2/memory/4216-144-0x00000000006F0000-0x000000000071D000-memory.dmp xloader behavioral2/memory/4216-146-0x00000000006F0000-0x000000000071D000-memory.dmp xloader C:\Program Files (x86)\Yr2sdejq8\q2atp0h_r.exe xloader C:\Program Files (x86)\Yr2sdejq8\q2atp0h_r.exe xloader -
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
ipconfig.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run ipconfig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\2DLTLHAX = "C:\\Program Files (x86)\\Yr2sdejq8\\q2atp0h_r.exe" ipconfig.exe -
Blocklisted process makes network request 6 IoCs
Processes:
wscript.exeflow pid process 5 1484 wscript.exe 24 1484 wscript.exe 41 1484 wscript.exe 56 1484 wscript.exe 63 1484 wscript.exe 73 1484 wscript.exe -
Executes dropped EXE 2 IoCs
Processes:
bin.exeq2atp0h_r.exepid process 5008 bin.exe 4620 q2atp0h_r.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
bin.exewscript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation bin.exe Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation wscript.exe -
Drops startup file 2 IoCs
Processes:
wscript.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jmKZSbFFzi.js wscript.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jmKZSbFFzi.js wscript.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
wscript.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run wscript.exe Set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\jmKZSbFFzi.js\"" wscript.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
bin.exeipconfig.exedescription pid process target process PID 5008 set thread context of 3152 5008 bin.exe Explorer.EXE PID 5008 set thread context of 3152 5008 bin.exe Explorer.EXE PID 4216 set thread context of 3152 4216 ipconfig.exe Explorer.EXE -
Drops file in Program Files directory 4 IoCs
Processes:
ipconfig.exeExplorer.EXEdescription ioc process File opened for modification C:\Program Files (x86)\Yr2sdejq8\q2atp0h_r.exe ipconfig.exe File opened for modification C:\Program Files (x86)\Yr2sdejq8 Explorer.EXE File created C:\Program Files (x86)\Yr2sdejq8\q2atp0h_r.exe Explorer.EXE File opened for modification C:\Program Files (x86)\Yr2sdejq8\q2atp0h_r.exe Explorer.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
ipconfig.exepid process 4216 ipconfig.exe -
Processes:
ipconfig.exedescription ioc process Key created \Registry\User\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 ipconfig.exe -
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes:
bin.exeipconfig.exeq2atp0h_r.exepid process 5008 bin.exe 5008 bin.exe 5008 bin.exe 5008 bin.exe 5008 bin.exe 5008 bin.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe 4620 q2atp0h_r.exe 4620 q2atp0h_r.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe -
Suspicious behavior: MapViewOfSection 8 IoCs
Processes:
bin.exeipconfig.exepid process 5008 bin.exe 5008 bin.exe 5008 bin.exe 5008 bin.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe 4216 ipconfig.exe -
Suspicious use of AdjustPrivilegeToken 13 IoCs
Processes:
bin.exeExplorer.EXEipconfig.exeq2atp0h_r.exedescription pid process Token: SeDebugPrivilege 5008 bin.exe Token: SeShutdownPrivilege 3152 Explorer.EXE Token: SeCreatePagefilePrivilege 3152 Explorer.EXE Token: SeShutdownPrivilege 3152 Explorer.EXE Token: SeCreatePagefilePrivilege 3152 Explorer.EXE Token: SeDebugPrivilege 4216 ipconfig.exe Token: SeShutdownPrivilege 3152 Explorer.EXE Token: SeCreatePagefilePrivilege 3152 Explorer.EXE Token: SeShutdownPrivilege 3152 Explorer.EXE Token: SeCreatePagefilePrivilege 3152 Explorer.EXE Token: SeShutdownPrivilege 3152 Explorer.EXE Token: SeCreatePagefilePrivilege 3152 Explorer.EXE Token: SeDebugPrivilege 4620 q2atp0h_r.exe -
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
wscript.exeExplorer.EXEipconfig.exedescription pid process target process PID 1180 wrote to memory of 1484 1180 wscript.exe wscript.exe PID 1180 wrote to memory of 1484 1180 wscript.exe wscript.exe PID 1180 wrote to memory of 5008 1180 wscript.exe bin.exe PID 1180 wrote to memory of 5008 1180 wscript.exe bin.exe PID 1180 wrote to memory of 5008 1180 wscript.exe bin.exe PID 3152 wrote to memory of 4216 3152 Explorer.EXE ipconfig.exe PID 3152 wrote to memory of 4216 3152 Explorer.EXE ipconfig.exe PID 3152 wrote to memory of 4216 3152 Explorer.EXE ipconfig.exe PID 4216 wrote to memory of 4212 4216 ipconfig.exe cmd.exe PID 4216 wrote to memory of 4212 4216 ipconfig.exe cmd.exe PID 4216 wrote to memory of 4212 4216 ipconfig.exe cmd.exe PID 4216 wrote to memory of 1416 4216 ipconfig.exe cmd.exe PID 4216 wrote to memory of 1416 4216 ipconfig.exe cmd.exe PID 4216 wrote to memory of 1416 4216 ipconfig.exe cmd.exe PID 4216 wrote to memory of 2064 4216 ipconfig.exe cmd.exe PID 4216 wrote to memory of 2064 4216 ipconfig.exe cmd.exe PID 4216 wrote to memory of 2064 4216 ipconfig.exe cmd.exe PID 4216 wrote to memory of 1680 4216 ipconfig.exe Firefox.exe PID 4216 wrote to memory of 1680 4216 ipconfig.exe Firefox.exe PID 4216 wrote to memory of 1680 4216 ipconfig.exe Firefox.exe PID 3152 wrote to memory of 4620 3152 Explorer.EXE q2atp0h_r.exe PID 3152 wrote to memory of 4620 3152 Explorer.EXE q2atp0h_r.exe PID 3152 wrote to memory of 4620 3152 Explorer.EXE q2atp0h_r.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\Quote.js2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\jmKZSbFFzi.js"3⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\bin.exe"C:\Users\Admin\AppData\Local\Temp\bin.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\ipconfig.exe"C:\Windows\SysWOW64\ipconfig.exe"2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Gathers network information
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\bin.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exe/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V3⤵
-
C:\Windows\SysWOW64\cmd.exe/c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V3⤵
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
-
C:\Program Files (x86)\Yr2sdejq8\q2atp0h_r.exe"C:\Program Files (x86)\Yr2sdejq8\q2atp0h_r.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Yr2sdejq8\q2atp0h_r.exeFilesize
177KB
MD5325e9bc40c665d845e9edd875631ec48
SHA16f325ce61e9d8916cced15919cbd84fce584e14f
SHA256c3b9bd6a3c03e763f6255c275cbb3a068de6feef7417d18b7a3e92c6b28753e5
SHA51202760fc7cd93075f8fdb35e0a87dfee062c718fe03a28408da6a03d37eb6e39a3388c0c01611cee8d28422b930346c92f4242538a29daa8ad0a3b5cdf8d69dc4
-
C:\Program Files (x86)\Yr2sdejq8\q2atp0h_r.exeFilesize
177KB
MD5325e9bc40c665d845e9edd875631ec48
SHA16f325ce61e9d8916cced15919cbd84fce584e14f
SHA256c3b9bd6a3c03e763f6255c275cbb3a068de6feef7417d18b7a3e92c6b28753e5
SHA51202760fc7cd93075f8fdb35e0a87dfee062c718fe03a28408da6a03d37eb6e39a3388c0c01611cee8d28422b930346c92f4242538a29daa8ad0a3b5cdf8d69dc4
-
C:\Users\Admin\AppData\Local\Temp\DB1Filesize
40KB
MD5b608d407fc15adea97c26936bc6f03f6
SHA1953e7420801c76393902c0d6bb56148947e41571
SHA256b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
-
C:\Users\Admin\AppData\Local\Temp\DB1Filesize
48KB
MD5349e6eb110e34a08924d92f6b334801d
SHA1bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA5122a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
C:\Users\Admin\AppData\Local\Temp\bin.exeFilesize
177KB
MD5325e9bc40c665d845e9edd875631ec48
SHA16f325ce61e9d8916cced15919cbd84fce584e14f
SHA256c3b9bd6a3c03e763f6255c275cbb3a068de6feef7417d18b7a3e92c6b28753e5
SHA51202760fc7cd93075f8fdb35e0a87dfee062c718fe03a28408da6a03d37eb6e39a3388c0c01611cee8d28422b930346c92f4242538a29daa8ad0a3b5cdf8d69dc4
-
C:\Users\Admin\AppData\Local\Temp\bin.exeFilesize
177KB
MD5325e9bc40c665d845e9edd875631ec48
SHA16f325ce61e9d8916cced15919cbd84fce584e14f
SHA256c3b9bd6a3c03e763f6255c275cbb3a068de6feef7417d18b7a3e92c6b28753e5
SHA51202760fc7cd93075f8fdb35e0a87dfee062c718fe03a28408da6a03d37eb6e39a3388c0c01611cee8d28422b930346c92f4242538a29daa8ad0a3b5cdf8d69dc4
-
C:\Users\Admin\AppData\Roaming\jmKZSbFFzi.jsFilesize
5KB
MD59863c73f15497e207b6cc2bb6a6b478f
SHA14c6fb94ac90f82ed1597b49ff325bf3f4ab57f1e
SHA256412723906aba11c0c59dd6c68ae931cfa576d0ca669679b23d16769b82a1a81d
SHA512aed1e675dd8c2a4b95d437862f074675bd2fc8eea1ab99dc9075fecda41bdc394288eb72ab9a1f34877313ae0dd6003c2c868a17187c59c76f0fd8d6037a7ccc
-
memory/1416-149-0x0000000000000000-mapping.dmp
-
memory/1484-130-0x0000000000000000-mapping.dmp
-
memory/2064-151-0x0000000000000000-mapping.dmp
-
memory/3152-147-0x0000000002B50000-0x0000000002C79000-memory.dmpFilesize
1.2MB
-
memory/3152-137-0x00000000084D0000-0x0000000008671000-memory.dmpFilesize
1.6MB
-
memory/3152-139-0x0000000008AB0000-0x0000000008C52000-memory.dmpFilesize
1.6MB
-
memory/3152-148-0x0000000002B50000-0x0000000002C79000-memory.dmpFilesize
1.2MB
-
memory/4212-141-0x0000000000000000-mapping.dmp
-
memory/4216-142-0x0000000000620000-0x000000000062B000-memory.dmpFilesize
44KB
-
memory/4216-146-0x00000000006F0000-0x000000000071D000-memory.dmpFilesize
180KB
-
memory/4216-145-0x0000000000CF0000-0x0000000000D80000-memory.dmpFilesize
576KB
-
memory/4216-144-0x00000000006F0000-0x000000000071D000-memory.dmpFilesize
180KB
-
memory/4216-143-0x0000000000EA0000-0x00000000011EA000-memory.dmpFilesize
3.3MB
-
memory/4216-140-0x0000000000000000-mapping.dmp
-
memory/4620-153-0x0000000000000000-mapping.dmp
-
memory/4620-156-0x0000000000EB0000-0x00000000011FA000-memory.dmpFilesize
3.3MB
-
memory/5008-138-0x0000000000E60000-0x0000000000E71000-memory.dmpFilesize
68KB
-
memory/5008-136-0x0000000000A60000-0x0000000000A71000-memory.dmpFilesize
68KB
-
memory/5008-135-0x0000000000AA0000-0x0000000000DEA000-memory.dmpFilesize
3.3MB
-
memory/5008-132-0x0000000000000000-mapping.dmp