Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64 arch:x86 image:win7-20220901-en locale:en-us os:windows7-x64 system -
submitted
26-09-2022 12:52
Static task
static1
Behavioral task
behavioral1
Sample
Quotation.pif.exe
Resource
win7-20220901-en
General
-
Target
Quotation.pif.exe
-
Size
991KB
-
MD5
59d24bcc44a883d21a48b2d368a1ff45
-
SHA1
d933aac89872b6a5f60901563b19c6715a0d007a
-
SHA256
5032a3dbc97f17dba5cf4a7dc67a6c9ae6293a344d9d9433d63e8cd180226927
-
SHA512
9281ea610f54c4df7f849d4c9e9021b6b3983a04ce0c6606db587d8d3b412de0494a1717adc9e701947ddd97f40216768d40af96983ad95449040e5bccbdecaf
-
SSDEEP
12288:dHeyEXo6MY++34Ot1UzDMHvRJUHoPYFoBMmTA0+bB/jIyBXRsZZ4wiPWL1QORWl5:m/DkM1nHvRJ9PYqs0+5FXk+P41Q7BBz
Malware Config
Extracted
Family: formbook
Campaign: nhg6
FSZGb3Of7ECMIOG9mh1ql/w=
DAPP3Pm63eo+zg==
khOZTuClxYsKQsZALgy3ob9TFAk=
5uWol2f/RF3CAwFd
P70LqPOi2iE9g4vpPH1Lk8E0K6tC
KBRl7TSt3eo+zg==
rqedJWUJXKkDbORa
lpORtIg8lvMKbJ77PQW9kes=
Qinv+gsohAIooqyTcfUYgZ/IVxQ=
J0L2ggPAiE2gxm4=
r/I6qOGI5noJCghf
khJg6HKM6l9okVK+pg==
HRMTK/6p3eo+zg==
HqMiuv2JaKYJCghf
+FzGYtsGTpK46OkKkh5C
BBrOUpUY91R/r8gkPwrcuw==
klWfn2smdNcqog581h6vX7px
t8uvr7+R7IPaHSOH1hqvX7px
bHdghkj64OjzY2hOLa/WObrRkkeJjQ==
s3/smhoylh1J0mPS4aDHBDRyJw==
Eu3Z//8qkb4Pgnxjs7KvX7px
Du/M2tykfsrvKI21BL4=
PSM470DF9TZfxg==
g8+4SOr4WukPPHaaxWhV
Wp6eQXMJ4vcGbPvJGeO4K2cjEQM=
sUu3agUQbwZBjWbTrA==
cD2jpmsR7f74LQOoiG5H
3uWfnmL43kmM0eYKkh5C
D8hIaSK6nOYyvuwKkh5C
2jukR8PuW9opgKsne71aPJfpk2rYfuk6bQ==
8Kn8jxXXsvtDzvYKkh5C
PBS059Wedb7mSnjpPdLzU7s0K6tC
/RMCOf+e9YCnIxQSu2marA==
wkO7TZc1jPoLNcOp4vUglpKzLw==
0IEGMPKlhU2gxm4=
2T8RCBr43vVVaf5I
fljAttGHXHWMq8RIqzxMpxG/r+LsFTk=
/og98Tea9nueONlLQD2egqUdkAs=
DakWt1Bc6TFTzA==
h1O9avS4iE2gxm4=
uu4WRzneVStU1w==
LsZmJl8YeP5Vaf5I
nHdkkYug/oK87Hcp0JSQyxC7qOLsFTk=
2oURQhXaNMIXkEcjayLqQmcjEQM=
NfVyM2uD3eo+zg==
nT20ZP8fheL5IiV4xhqvX7px
dbeCkGH4309r5gp24CCvX7px
72jolSNVrfj/NBu/Bn/evQ==
jGtO0Rey6DhVmKwRUtGvX7px
RPd7qXExmzSGlZHVuw==
X70pwhG0S4qZv2w=
9xPzBiP3SNEaU1KuDFRMtE3fYMons6VE
gXVziEtEmsbg/SeBwQGIoKj8tK01jw==
+B9xAkQQb+wSkhl/T08gEjAs9IugoA9I
KMgonCDitr/U/aiSc/bZdfnSjepK
belockUJb/okrNEwgBdDjsA0K6tC
FGDUFuN9k03/08Ks/bw=
nRGNPr25BpzvAXbgwJJK
7awA/seC0Uhr3dLAHB1ql/w=
glK6Uc2Mzma3/E196bQ=
O4Jwj11Xqv9IjWbTrA==
s++5zMnzj8z2aWY=
eJN2bFImkiB4xOAKkh5C
xsaRhotGVStU1w==
liuhejing.org
Signatures
-
Loads dropped DLL 1 IoCs
Processes:
  pid   process
  1704  NETSTAT.EXE
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
  description                           pid   process            target process
  PID 1468 set thread context of 1552   1468  Quotation.pif.exe  RegSvcs.exe
  PID 1552 set thread context of 1424   1552  RegSvcs.exe        Explorer.EXE
  PID 1704 set thread context of 1424   1704  NETSTAT.EXE        Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
  pid   process
  1704  NETSTAT.EXE
-
Modifies Internet Explorer settings
Processes:
  description   ioc                                                                                                                    process
  Key created   \Registry\User\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2   NETSTAT.EXE
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
Processes:
  pid   process            times listed
  1468  Quotation.pif.exe  2
  1552  RegSvcs.exe        4
  592   powershell.exe     1
  1704  NETSTAT.EXE        15
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid   process
  1424  Explorer.EXE
-
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
  pid   process      times listed
  1552  RegSvcs.exe  3
  1704  NETSTAT.EXE  4
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
  description              pid   process
  Token: SeDebugPrivilege  1468  Quotation.pif.exe
  Token: SeDebugPrivilege  1552  RegSvcs.exe
  Token: SeDebugPrivilege  592   powershell.exe
  Token: SeDebugPrivilege  1704  NETSTAT.EXE
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
  pid   process       times listed
  1424  Explorer.EXE  2
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
  pid   process       times listed
  1424  Explorer.EXE  2
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
  description                      pid   process            target process   times listed
  PID 1468 wrote to memory of 592  1468  Quotation.pif.exe  powershell.exe   4
  PID 1468 wrote to memory of 1368 1468  Quotation.pif.exe  schtasks.exe     4
  PID 1468 wrote to memory of 1552 1468  Quotation.pif.exe  RegSvcs.exe      10
  PID 1424 wrote to memory of 1704 1424  Explorer.EXE       NETSTAT.EXE      4
  PID 1704 wrote to memory of 1848 1704  NETSTAT.EXE        Firefox.exe      5
Processes
-
Depth 1: C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
Depth 2: C:\Users\Admin\AppData\Local\Temp\Quotation.pif.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Quotation.pif.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Depth 3: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\OJGfLeUSALnpf.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Depth 3: C:\Windows\SysWOW64\schtasks.exe
Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OJGfLeUSALnpf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB932.tmp"
- Creates scheduled task(s)
-
Depth 3: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
Depth 2: C:\Windows\SysWOW64\NETSTAT.EXE
Command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Gathers network information
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Depth 3: C:\Program Files\Mozilla Firefox\Firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpB932.tmp
Filesize 1KB
MD5 a9d509f3b1842578f4ac9af2fb75817b
SHA1 62258bfc9868742920c9ec19c230706e603d616a
SHA256 f120cc869960b4adbb055f62f9e4856450d7e618397e3643fb8dfd825a490cda
SHA512 c3cd3e3c6f83893938cd946b02d6354d5a765904206ab332e20b22dc9938bd20be7c446edfe573807bc2f10a5db9b3e1416a4226322f25fa335821a9b575a5fc
-
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize 831KB
MD5 05ace2f6d9bef6fd9bbd05ee5262a1f2
SHA1 5cce2228e0d9c6cc913cf551e0bf7c76ed74ff59
SHA256 002459f4d4758011b4d7f36935f1fe323494b847f8c173a551076a3d30475ebc
SHA512 1e717a66a72eb626727144fa7458f472ada54fd1be37072c9e740945e34ba94025737aef44e54752c50c5b79a583c6a91a0d8043bf1bf7c3e7cab8537207f9fc
-
memory/592-71-0x000000006F0D0000-0x000000006F67B000-memory.dmp
Filesize 5.7MB
-
memory/592-59-0x0000000000000000-mapping.dmp
-
memory/592-77-0x000000006F0D0000-0x000000006F67B000-memory.dmp
Filesize 5.7MB
-
memory/1368-60-0x0000000000000000-mapping.dmp
-
memory/1424-86-0x00000000099B0000-0x0000000009B1F000-memory.dmp
Filesize 1.4MB
-
memory/1424-76-0x0000000006D70000-0x0000000006F04000-memory.dmp
Filesize 1.6MB
-
memory/1424-83-0x00000000099B0000-0x0000000009B1F000-memory.dmp
Filesize 1.4MB
-
memory/1468-57-0x00000000008E0000-0x00000000008EC000-memory.dmp
Filesize 48KB
-
memory/1468-58-0x0000000007CC0000-0x0000000007D88000-memory.dmp
Filesize 800KB
-
memory/1468-56-0x00000000008D0000-0x00000000008E4000-memory.dmp
Filesize 80KB
-
memory/1468-63-0x0000000008560000-0x00000000085D0000-memory.dmp
Filesize 448KB
-
memory/1468-54-0x0000000000EB0000-0x0000000000FAE000-memory.dmp
Filesize 1016KB
-
memory/1468-55-0x0000000076BA1000-0x0000000076BA3000-memory.dmp
Filesize 8KB
-
memory/1552-70-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize 188KB
-
memory/1552-68-0x00000000004012B0-mapping.dmp
-
memory/1552-74-0x0000000000AC0000-0x0000000000DC3000-memory.dmp
Filesize 3.0MB
-
memory/1552-75-0x00000000000C0000-0x00000000000D0000-memory.dmp
Filesize 64KB
-
memory/1552-67-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize 188KB
-
memory/1552-73-0x0000000000401000-0x000000000042F000-memory.dmp
Filesize 184KB
-
memory/1552-65-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize 188KB
-
memory/1552-64-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize 188KB
-
memory/1552-72-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize 188KB
-
memory/1704-84-0x0000000000080000-0x00000000000AD000-memory.dmp
Filesize 180KB
-
memory/1704-82-0x0000000000530000-0x00000000005BF000-memory.dmp
Filesize 572KB
-
memory/1704-81-0x00000000022E0000-0x00000000025E3000-memory.dmp
Filesize 3.0MB
-
memory/1704-80-0x0000000000080000-0x00000000000AD000-memory.dmp
Filesize 180KB
-
memory/1704-79-0x00000000008A0000-0x00000000008A9000-memory.dmp
Filesize 36KB
-
memory/1704-78-0x0000000000000000-mapping.dmp