Analysis
-
max time kernel
135s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system -
submitted
03-10-2022 05:31
Static task
static1
Behavioral task
behavioral1
Sample
Request for Quote (Waseda University) 05- 09-2022.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
Request for Quote (Waseda University) 05- 09-2022.exe
Resource
win10v2004-20220812-en
General
-
Target
Request for Quote (Waseda University) 05- 09-2022.exe
-
Size
558KB
-
MD5
a1e9139a63b33375b3c2ab70b8fed769
-
SHA1
da835d5d7ca257b776a8616b365e41084724771c
-
SHA256
60e1a6a93ad368ac92dd0f02f2416e1a0eb5cd3d441a2df8704225bd94fbaad2
-
SHA512
43b9e35aa0713ec56876f7bca3e7af9c0a7828b0b6867ea15b609aeed7445501d9546b8ae2908c736b55dbc790dd651e0709de33bd70d4c2b226a69b4afe0a3a
-
SSDEEP
12288:40SKoJ47FnSzRDnhfbrf+rwr5Do1Q3buie+Dhhr0ZTPHnIDqmhQmuH:lLocFnS1Dnhf2k1JfeeXr0ZHIFK
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode-based downloader first seen in 2020.
-
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
Processes:
Request for Quote (Waseda University) 05- 09-2022.exe, Request for Quote (Waseda University) 05- 09-2022.exe
description | ioc | process
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | Request for Quote (Waseda University) 05- 09-2022.exe
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | Request for Quote (Waseda University) 05- 09-2022.exe
-
Loads dropped DLL 2 IoCs
Processes:
Request for Quote (Waseda University) 05- 09-2022.exe
pid | process
1720 | Request for Quote (Waseda University) 05- 09-2022.exe
1720 | Request for Quote (Waseda University) 05- 09-2022.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
Request for Quote (Waseda University) 05- 09-2022.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | Request for Quote (Waseda University) 05- 09-2022.exe
Key opened | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | Request for Quote (Waseda University) 05- 09-2022.exe
Key opened | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | Request for Quote (Waseda University) 05- 09-2022.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
Processes:
Request for Quote (Waseda University) 05- 09-2022.exe
pid | process
1792 | Request for Quote (Waseda University) 05- 09-2022.exe
1792 | Request for Quote (Waseda University) 05- 09-2022.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
Request for Quote (Waseda University) 05- 09-2022.exe, Request for Quote (Waseda University) 05- 09-2022.exe
pid | process
1720 | Request for Quote (Waseda University) 05- 09-2022.exe
1792 | Request for Quote (Waseda University) 05- 09-2022.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
Request for Quote (Waseda University) 05- 09-2022.exe
description | pid | process | target process
PID 1720 set thread context of 1792 | 1720 | Request for Quote (Waseda University) 05- 09-2022.exe | Request for Quote (Waseda University) 05- 09-2022.exe
-
Drops file in Program Files directory 1 IoCs
Processes:
Request for Quote (Waseda University) 05- 09-2022.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\Common Files\Pterygopharyngeal\Magnoliers.Ral | Request for Quote (Waseda University) 05- 09-2022.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
Request for Quote (Waseda University) 05- 09-2022.exe
pid | process
1720 | Request for Quote (Waseda University) 05- 09-2022.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Request for Quote (Waseda University) 05- 09-2022.exe
description | pid | process
Token: SeDebugPrivilege | 1792 | Request for Quote (Waseda University) 05- 09-2022.exe
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
Request for Quote (Waseda University) 05- 09-2022.exe
description | pid | process | target process
PID 1720 wrote to memory of 1792 | 1720 | Request for Quote (Waseda University) 05- 09-2022.exe | Request for Quote (Waseda University) 05- 09-2022.exe
PID 1720 wrote to memory of 1792 | 1720 | Request for Quote (Waseda University) 05- 09-2022.exe | Request for Quote (Waseda University) 05- 09-2022.exe
PID 1720 wrote to memory of 1792 | 1720 | Request for Quote (Waseda University) 05- 09-2022.exe | Request for Quote (Waseda University) 05- 09-2022.exe
PID 1720 wrote to memory of 1792 | 1720 | Request for Quote (Waseda University) 05- 09-2022.exe | Request for Quote (Waseda University) 05- 09-2022.exe
PID 1720 wrote to memory of 1792 | 1720 | Request for Quote (Waseda University) 05- 09-2022.exe | Request for Quote (Waseda University) 05- 09-2022.exe
-
outlook_office_path 1 IoCs
Processes:
Request for Quote (Waseda University) 05- 09-2022.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | Request for Quote (Waseda University) 05- 09-2022.exe
-
outlook_win_path 1 IoCs
Processes:
Request for Quote (Waseda University) 05- 09-2022.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | Request for Quote (Waseda University) 05- 09-2022.exe
Processes
-
1: C:\Users\Admin\AppData\Local\Temp\Request for Quote (Waseda University) 05- 09-2022.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Request for Quote (Waseda University) 05- 09-2022.exe"
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
2: C:\Users\Admin\AppData\Local\Temp\Request for Quote (Waseda University) 05- 09-2022.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Request for Quote (Waseda University) 05- 09-2022.exe"
- Checks QEMU agent file
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
\Users\Admin\AppData\Local\Temp\nsd5B2D.tmp\Math.dll
Filesize
169KB
MD5
66f2ce4302893b92295223ed9b5e5e5e
SHA1
e27dc596fe1e2fa5416f3f490c6f2f0b9b5b3077
SHA256
2b05d1dfcf3a57ac6e6ef326611a13f8934b9c56d4e75d65d5e301d2793e09bb
SHA512
38aa695cd86d38af41dfe444faf46707e28141ed1fea636d515fc785a15eadc560a6a30270fde2e5a759dec4d1ff4ee22b5079fd21312eff5974cac76b9720b7
-
\Users\Admin\AppData\Local\Temp\nsd5B2D.tmp\System.dll
Filesize
11KB
MD5
2e07bbddc0912b77cac77afe9d9035ee
SHA1
33a4646191dd25c034b5223ebfed761969301710
SHA256
97ace5ce4e05225db3c1345a2d1b5fa7d2281bb51fc5aa2d34c186befa9e000f
SHA512
56c5793b01a1e5c356db005d9833d4c6f703204cff5dbb4613620cd1a90ef5acf91c3e7654295e9f63732a104d83fb471483c188449d75d8c009a81a544fe388
-
memory/1720-71-0x0000000077560000-0x00000000776E0000-memory.dmp
Filesize
1.5MB
-
memory/1720-57-0x0000000002500000-0x000000000314A000-memory.dmp
Filesize
12.3MB
-
memory/1720-59-0x0000000077380000-0x0000000077529000-memory.dmp
Filesize
1.7MB
-
memory/1720-60-0x0000000077560000-0x00000000776E0000-memory.dmp
Filesize
1.5MB
-
memory/1720-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp
Filesize
8KB
-
memory/1720-63-0x0000000077560000-0x00000000776E0000-memory.dmp
Filesize
1.5MB
-
memory/1792-62-0x00000000004034F0-mapping.dmp
-
memory/1792-65-0x00000000001C0000-0x00000000002C0000-memory.dmp
Filesize
1024KB
-
memory/1792-68-0x00000000001C0000-0x00000000002C0000-memory.dmp
Filesize
1024KB
-
memory/1792-69-0x0000000077380000-0x0000000077529000-memory.dmp
Filesize
1.7MB
-
memory/1792-70-0x0000000077560000-0x00000000776E0000-memory.dmp
Filesize
1.5MB
-
memory/1792-64-0x0000000000400000-0x0000000001462000-memory.dmp
Filesize
16.4MB