Analysis

max time kernel:  79s
max time network: 143s
platform:         windows7_x64
resource:         win7-20220812-en
resource tags:    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted:        05-09-2022 07:41

Static task: static1

Behavioral task: behavioral1
  Sample:   Request for Quote (Waseda University) 05- 09-2022.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample:   Request for Quote (Waseda University) 05- 09-2022.exe
  Resource: win10v2004-20220812-en

General

Target: Request for Quote (Waseda University) 05- 09-2022.exe
Size:   558KB
MD5:    a1e9139a63b33375b3c2ab70b8fed769
SHA1:   da835d5d7ca257b776a8616b365e41084724771c
SHA256: 60e1a6a93ad368ac92dd0f02f2416e1a0eb5cd3d441a2df8704225bd94fbaad2
SHA512: 43b9e35aa0713ec56876f7bca3e7af9c0a7828b0b6867ea15b609aeed7445501d9546b8ae2908c736b55dbc790dd651e0709de33bd70d4c2b226a69b4afe0a3a
SSDEEP: 12288:40SKoJ47FnSzRDnhfbrf+rwr5Do1Q3buie+Dhhr0ZTPHnIDqmhQmuH:lLocFnS1Dnhf2k1JfeeXr0ZHIFK

Malware Config
Signatures

Guloader, Cloudeye
A shellcode based downloader first seen in 2020.

Checks QEMU agent file (2 TTPs, 2 IoCs)
Checks presence of QEMU agent, possibly to detect virtualization.
Processes:
  description              ioc                                   process
  File opened (read-only)  C:\Program Files\Qemu-ga\qemu-ga.exe  Request for Quote (Waseda University) 05- 09-2022.exe
  File opened (read-only)  C:\Program Files\Qemu-ga\qemu-ga.exe  Request for Quote (Waseda University) 05- 09-2022.exe

Loads dropped DLL (2 IoCs)
Processes:
  pid   process
  2016  Request for Quote (Waseda University) 05- 09-2022.exe
  2016  Request for Quote (Waseda University) 05- 09-2022.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes:
  description  ioc                                                                                                                                            process
  Key opened   \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook                           Request for Quote (Waseda University) 05- 09-2022.exe
  Key opened   \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  Request for Quote (Waseda University) 05- 09-2022.exe
  Key opened   \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook                           Request for Quote (Waseda University) 05- 09-2022.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
Processes:
  pid  process
  676  Request for Quote (Waseda University) 05- 09-2022.exe
  676  Request for Quote (Waseda University) 05- 09-2022.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes:
  pid   process
  2016  Request for Quote (Waseda University) 05- 09-2022.exe
  676   Request for Quote (Waseda University) 05- 09-2022.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description                         pid   process                                                target process
  PID 2016 set thread context of 676  2016  Request for Quote (Waseda University) 05- 09-2022.exe  Request for Quote (Waseda University) 05- 09-2022.exe

Drops file in Program Files directory (1 IoCs)
Processes:
  description                   ioc                                                                       process
  File opened for modification  C:\Program Files (x86)\Common Files\Pterygopharyngeal\Magnoliers.Ral  Request for Quote (Waseda University) 05- 09-2022.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: MapViewOfSection (1 IoCs)
Processes:
  pid   process
  2016  Request for Quote (Waseda University) 05- 09-2022.exe

Suspicious behavior: RenamesItself (1 IoCs)
Processes:
  pid  process
  676  Request for Quote (Waseda University) 05- 09-2022.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description              pid  process
  Token: SeDebugPrivilege  676  Request for Quote (Waseda University) 05- 09-2022.exe

Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
  description                    pid   process                                                target process
  PID 2016 wrote to memory of 676  2016  Request for Quote (Waseda University) 05- 09-2022.exe  Request for Quote (Waseda University) 05- 09-2022.exe
  PID 2016 wrote to memory of 676  2016  Request for Quote (Waseda University) 05- 09-2022.exe  Request for Quote (Waseda University) 05- 09-2022.exe
  PID 2016 wrote to memory of 676  2016  Request for Quote (Waseda University) 05- 09-2022.exe  Request for Quote (Waseda University) 05- 09-2022.exe
  PID 2016 wrote to memory of 676  2016  Request for Quote (Waseda University) 05- 09-2022.exe  Request for Quote (Waseda University) 05- 09-2022.exe
  PID 2016 wrote to memory of 676  2016  Request for Quote (Waseda University) 05- 09-2022.exe  Request for Quote (Waseda University) 05- 09-2022.exe

outlook_office_path (1 IoCs)
Processes:
  description  ioc                                                                                                                   process
  Key opened   \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  Request for Quote (Waseda University) 05- 09-2022.exe

outlook_win_path (1 IoCs)
Processes:
  description  ioc                                                                                                                                            process
  Key opened   \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  Request for Quote (Waseda University) 05- 09-2022.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Request for Quote (Waseda University) 05- 09-2022.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Request for Quote (Waseda University) 05- 09-2022.exe"
  - Checks QEMU agent file
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Request for Quote (Waseda University) 05- 09-2022.exe  (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Request for Quote (Waseda University) 05- 09-2022.exe"
    - Checks QEMU agent file
    - Accesses Microsoft Outlook profiles
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path

Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

\Users\Admin\AppData\Local\Temp\nst16FD.tmp\Math.dll
  Filesize: 169KB
  MD5:      66f2ce4302893b92295223ed9b5e5e5e
  SHA1:     e27dc596fe1e2fa5416f3f490c6f2f0b9b5b3077
  SHA256:   2b05d1dfcf3a57ac6e6ef326611a13f8934b9c56d4e75d65d5e301d2793e09bb
  SHA512:   38aa695cd86d38af41dfe444faf46707e28141ed1fea636d515fc785a15eadc560a6a30270fde2e5a759dec4d1ff4ee22b5079fd21312eff5974cac76b9720b7

\Users\Admin\AppData\Local\Temp\nst16FD.tmp\System.dll
  Filesize: 11KB
  MD5:      2e07bbddc0912b77cac77afe9d9035ee
  SHA1:     33a4646191dd25c034b5223ebfed761969301710
  SHA256:   97ace5ce4e05225db3c1345a2d1b5fa7d2281bb51fc5aa2d34c186befa9e000f
  SHA512:   56c5793b01a1e5c356db005d9833d4c6f703204cff5dbb4613620cd1a90ef5acf91c3e7654295e9f63732a104d83fb471483c188449d75d8c009a81a544fe388

Memory dumps:
  dump                                                          Filesize
  memory/676-66-0x00000000001C0000-0x00000000002C0000-memory.dmp  1024KB
  memory/676-69-0x00000000772B0000-0x0000000077459000-memory.dmp  1.7MB
  memory/676-77-0x00000000001C0000-0x00000000002C0000-memory.dmp  1024KB
  memory/676-61-0x00000000004034F0-mapping.dmp
  memory/676-62-0x0000000000400000-0x0000000001462000-memory.dmp  16.4MB
  memory/676-76-0x0000000077490000-0x0000000077610000-memory.dmp  1.5MB
  memory/676-75-0x0000000077490000-0x0000000077610000-memory.dmp  1.5MB
  memory/676-72-0x00000000001C0000-0x00000000002C0000-memory.dmp  1024KB
  memory/676-70-0x0000000077490000-0x0000000077610000-memory.dmp  1.5MB
  memory/2016-63-0x0000000003400000-0x000000000353B000-memory.dmp  1.2MB
  memory/2016-54-0x0000000075661000-0x0000000075663000-memory.dmp  8KB
  memory/2016-71-0x0000000077490000-0x0000000077610000-memory.dmp  1.5MB
  memory/2016-65-0x0000000077490000-0x0000000077610000-memory.dmp  1.5MB
  memory/2016-73-0x0000000003400000-0x000000000353B000-memory.dmp  1.2MB
  memory/2016-74-0x0000000077490000-0x0000000077610000-memory.dmp  1.5MB
  memory/2016-64-0x0000000077490000-0x0000000077610000-memory.dmp  1.5MB
  memory/2016-57-0x0000000003400000-0x000000000353B000-memory.dmp  1.2MB
  memory/2016-58-0x00000000772B0000-0x0000000077459000-memory.dmp  1.7MB