Analysis
max time kernel: 190s
max time network: 206s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 28-11-2022 07:36

Tasks
Static task: static1
Behavioral task: behavioral1 (sample Quote.js on resource win7-20221111-en)
General
Target: Quote.js
Size: 346KB
MD5: 21199ca311ff9236a22bc04871f49361
SHA1: 14bf80cebe0fe6945ab146eb481a40d62df5f1d1
SHA256: fcc21d800f2cd942cbb2777c40a8ebf831e7fce2e6c8c77d5fa8fd4e3709bd01
SHA512: 2696c74bae8749f26af0483807395356a0224c2124ac956cbb48e8026a705cc3bc1cc8056991385284636e4982dbaefb5a4887901459e41ff02bd0975f5927a0
SSDEEP: 6144:So6tITpn1wYXxLJCZQk5s1TAriIgnywLzTp1vQo:76tSJ1tXGaka1TArinBHtZ/
Malware Config
Extracted family: Formbook
Version: 4.1
Campaign ID: c0e5
C2 / decoy domains (Formbook pads its configuration with decoy hosts alongside the live C2; the extractor does not mark which of the entries below is live, so treat a hit on any of them as a sighting to correlate with the process that produced it rather than as proof on its own):
educao.pet
e-race.store
clitzhyper.com
webcheetahtech.online
akkarr.online
odevillage.fit
yaignav.site
191u.us
misionartv.store
leadingpastor.com
claudio-vega.store
9mck753.com
system-reminder.live
landsharesfg.net
lmcsf.top
mkstoreacesse.com
2023.domains
yb8.mobi
2q02f4fyxg7ybb18.digital
logtray.shop
asroycsitorus.com
coisasdeemariia.site
bezbanov.shop
clickzoononline.shop
nzlabour.party
airbnb.melbourne
myvea.online
toutsurimmo.email
kh888.vip
opposestorm.shop
broearn.info
korendietspecials.mom
6yhg2wnh.cfd
ergskin.com
projetlemet.com
dannyyomtobian.com
guidesmail.xyz
beavertonbjj.net
tyrannic442596.biz
joycasino-sga.top
yueyin.art
cliff23.site
smoothapperal.com
youknowthedrill.xyz
mabanaft.group
pessimisticreassurance.top
nhzd.mom
leb26867.top
dorsalrims.xyz
brewhousebikes.com
highthunder.online
philosofinance.online
esafw.shop
bayengineeringsolutions.site
xn--lbsolues-x0a4l.com
1wtgz.top
play168kh.app
bathroomshelf.net
rorol.top
nwxusmods.com
chinawhitebelfast.com
dronebox.shop
boamiz.store
tiannongtuan.com
ludrogheda.com
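The domain list above is only useful if it can be matched against telemetry. The following Python is an added example written for this report, not part of the sandbox output or of the malware: it matches DNS query hostnames against a subset of the extracted domains on label boundaries (so `www.educao.pet` hits `educao.pet` but `fakeeducao.pet` does not), normalises case and the trailing root dot that DNS logs often carry, and decodes the one IDN entry (`xn--lbsolues-x0a4l.com`) to its Unicode form for analyst display. The client IPs and queries are constructed sample data.

```python
"""Match DNS-query hostnames against the Formbook C2/decoy list extracted above.

Added example for this report, not sandbox output. The query log below is
constructed for illustration; the domain subset is copied from the report.
"""

# Subset of the extracted config (the full list is in the report above).
FORMBOOK_C2_DOMAINS = {
    "educao.pet", "e-race.store", "clitzhyper.com", "system-reminder.live",
    "xn--lbsolues-x0a4l.com", "airbnb.melbourne", "nzlabour.party",
}

# Constructed sample telemetry: (client IP, queried hostname). Not real data.
SAMPLE_DNS_QUERIES = [
    ("10.0.0.12", "www.educao.pet"),          # subdomain of a configured host
    ("10.0.0.12", "fakeeducao.pet"),          # must NOT match: no label boundary
    ("10.0.0.13", "System-Reminder.LIVE."),   # case and trailing root dot normalised
    ("10.0.0.14", "xn--lbsolues-x0a4l.com"),  # punycode (IDN) entry
    ("10.0.0.15", "update.microsoft.com"),    # benign control
]


def normalise(host: str) -> str:
    """Lower-case and strip the trailing root dot many DNS loggers include."""
    return host.strip().rstrip(".").lower()


def display_name(host: str) -> str:
    """Unicode form of an IDN hostname for display; unchanged if not decodable."""
    try:
        return host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return host


def matching_c2(host: str, c2_domains=FORMBOOK_C2_DOMAINS):
    """Return the configured domain that `host` equals or is a subdomain of, else None."""
    labels = normalise(host).split(".")
    # Walk from the full name to ever-shorter suffixes: a.b.c -> b.c -> c
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in c2_domains:
            return candidate
    return None


def scan_dns(queries, c2_domains=FORMBOOK_C2_DOMAINS):
    """Return [(client, queried_host, matched_domain, display_form)] for every hit."""
    hits = []
    for client, host in queries:
        match = matching_c2(host, c2_domains)
        if match:
            hits.append((client, normalise(host), match, display_name(match)))
    return hits


if __name__ == "__main__":
    for hit in scan_dns(SAMPLE_DNS_QUERIES):
        print(hit)
```

Because the configuration mixes decoys with the live C2, a match here identifies a host worth examining (which process issued the query, what it connected to next), not a confirmed infection by itself.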
Signatures
-
Formbook payload (3 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\bin.exe | formbook
  C:\Users\Admin\AppData\Local\Temp\bin.exe | formbook
  behavioral1/memory/1136-70-0x0000000000090000-0x00000000000BF000-memory.dmp | formbook

Blocklisted process makes network request (5 IoCs)
  flow | pid | process
  5 | 268 | wscript.exe
  6 | 268 | wscript.exe
  8 | 268 | wscript.exe
  12 | 268 | wscript.exe
  15 | 268 | wscript.exe

Executes dropped EXE (1 IoC)
  pid | process
  1924 | bin.exe

Drops startup file (2 IoCs)
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VeuzKgGKjI.js | wscript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VeuzKgGKjI.js | wscript.exe

Suspicious use of SetThreadContext (3 IoCs)
  description | pid | process | target process
  PID 1924 set thread context of 1264 | 1924 | bin.exe | Explorer.EXE
  PID 1924 set thread context of 1264 | 1924 | bin.exe | Explorer.EXE
  PID 1136 set thread context of 1264 | 1136 | rundll32.exe | Explorer.EXE

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox attaches its generic "likely ransomware behaviour" note to this signature; nothing else in this report (no file encryption, no ransom note, no mass file modification) supports that reading for this sample, which is identified as Formbook, an information stealer.

Suspicious behavior: EnumeratesProcesses (26 IoCs)
  pid | process | hits
  1924 | bin.exe | 3
  1136 | rundll32.exe | 23

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | process
  1264 | Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs)
  pid | process | hits
  1924 | bin.exe | 4
  1136 | rundll32.exe | 2

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1924 | bin.exe
  Token: SeDebugPrivilege | 1136 | rundll32.exe
  Token: SeShutdownPrivilege | 1264 | Explorer.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | process
  1264 | Explorer.EXE (2 hits)

Suspicious use of SendNotifyMessage (2 IoCs)
  pid | process
  1264 | Explorer.EXE (2 hits)

Suspicious use of WriteProcessMemory (18 IoCs)
  description | pid | process | target process | hits
  PID 1140 wrote to memory of 268 | 1140 | wscript.exe | wscript.exe | 3
  PID 1140 wrote to memory of 1924 | 1140 | wscript.exe | bin.exe | 4
  PID 1924 wrote to memory of 1136 | 1924 | bin.exe | rundll32.exe | 7
  PID 1136 wrote to memory of 2028 | 1136 | rundll32.exe | cmd.exe | 4
Processes

C:\Windows\Explorer.EXE (PID 1264, depth 1)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  └ C:\Windows\system32\wscript.exe (PID 1140, depth 2)
    command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Quote.js
    - Suspicious use of WriteProcessMemory

    ├ C:\Windows\System32\wscript.exe (PID 268, depth 3)
    │ command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\VeuzKgGKjI.js"
    │ - Blocklisted process makes network request
    │ - Drops startup file

    └ C:\Users\Admin\AppData\Local\Temp\bin.exe (PID 1924, depth 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\bin.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      └ C:\Windows\SysWOW64\rundll32.exe (PID 1136, depth 4)
        command line: "C:\Windows\SysWOW64\rundll32.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        └ C:\Windows\SysWOW64\cmd.exe (PID 2028, depth 5)
          command line: /c del "C:\Users\Admin\AppData\Local\Temp\bin.exe"
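Reading the tree top-down: Explorer launches wscript.exe on Quote.js (PID 1140); that script starts a second wscript.exe in batch mode (//B) on the copy it wrote to Roaming (PID 268, the process that makes the network requests and drops the Startup entry) and launches the dropped bin.exe from Temp (PID 1924); bin.exe sets a thread context in Explorer.EXE and spawns a 32-bit rundll32.exe with no DLL argument (PID 1136), which also targets Explorer.EXE and finally runs cmd.exe /c del to remove bin.exe from disk. The Python below is an added example written for this report, not sandbox output: it encodes those behaviours as rules over process-creation events constructed from the PIDs, images and command lines in this tree (a simplified Sysmon-like record whose field names are assumptions, not a real schema), plus one benign rundll32 control event that must not fire.

```python
"""Detection rules for the execution chain shown in the process tree above.

Added example for this report, not sandbox output. EVENTS is constructed from
the report's process tree; the dict keys are assumed names, not a real schema.
"""
import ntpath

# Constructed process-creation events modelled on the report's tree.
EVENTS = [
    {"pid": 1140, "ppid": 1264, "image": r"C:\Windows\system32\wscript.exe",
     "parent_image": r"C:\Windows\Explorer.EXE",
     "cmdline": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\Quote.js"},
    {"pid": 268, "ppid": 1140, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\VeuzKgGKjI.js"'},
    {"pid": 1924, "ppid": 1140, "image": r"C:\Users\Admin\AppData\Local\Temp\bin.exe",
     "parent_image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\bin.exe"'},
    {"pid": 1136, "ppid": 1924, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\bin.exe",
     "cmdline": r'"C:\Windows\SysWOW64\rundll32.exe"'},
    {"pid": 2028, "ppid": 1136, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent_image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'/c del "C:\Users\Admin\AppData\Local\Temp\bin.exe"'},
    # Benign control (constructed): a normal rundll32 call with a DLL argument.
    {"pid": 3000, "ppid": 1264, "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\Explorer.EXE",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh")
# Directories a standard user can write to (assumed list, lower-case substrings).
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\users\public")


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def in_user_writable(text: str) -> bool:
    return any(marker in text.lower() for marker in USER_WRITABLE)


def args_after_image(cmdline: str) -> str:
    """Drop the first token (the image, possibly quoted) and return the remainder."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def ancestors(pid, by_pid):
    """Yield ancestor events of `pid`, nearest first, following ppid links."""
    ev = by_pid.get(pid)
    while ev and ev["ppid"] in by_pid:
        ev = by_pid[ev["ppid"]]
        yield ev


def detect(events):
    """Return [(rule_name, pid)] for every rule each event satisfies."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        img, parent, low = basename(e["image"]), basename(e["parent_image"]), e["cmdline"].lower()

        # R1: a script host running a script that lives in a user-writable path.
        if img in SCRIPT_HOSTS and low.rstrip('"').endswith(SCRIPT_EXTS) and in_user_writable(low):
            findings.append(("script_host_runs_script_from_user_dir", e["pid"]))

        # R2: a script host launching an executable from a user-writable path.
        if (parent in SCRIPT_HOSTS and img.endswith(".exe") and img not in SCRIPT_HOSTS
                and in_user_writable(e["image"])):
            findings.append(("script_host_spawns_exe_from_user_dir", e["pid"]))

        # R3: rundll32.exe with no DLL argument: a host for injected code, not a real call.
        if img == "rundll32.exe" and args_after_image(e["cmdline"]) == "":
            findings.append(("rundll32_without_dll_argument", e["pid"]))

        # R4: cmd.exe deleting the image of one of its own ancestors (dropper cleanup).
        if img == "cmd.exe" and " del " in low:
            target = low.split(" del ", 1)[1].strip().strip('"')
            if any(a["image"].lower() == target for a in ancestors(e["pid"], by_pid)):
                findings.append(("cmd_deletes_ancestor_image", e["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: PID {pid}")
```

R3 and R4 are the two rules least likely to fire on ordinary activity: a bare rundll32.exe command line does nothing useful on its own, and a shell deleting its grandparent's executable is cleanup behaviour, not administration. R1 and R2 will also catch some legitimate logon scripts, so tune their path list to the environment.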
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\bin.exe (the report lists this file twice; both entries carry the same hashes)
  Filesize: 185KB
  MD5: d3ac8e00dd791752d47327d53cdb2515
  SHA1: 5f820ebe7772a56d71096356443b858ae0b52276
  SHA256: e3bdaf1daee2ad35479c213122391cb3d27f193896aef414ce6edb516c0133aa
  SHA512: 4f181b863e792212507b48374b232ccffa0528a915f3f41529205a3da5c6ce2c8063ad50b57f5ec2bb0e1126eb4d2ab9eb34036d014d633c0eecf3771fff3579

C:\Users\Admin\AppData\Roaming\VeuzKgGKjI.js
  Filesize: 5KB
  MD5: 3c661d811eda2031bebf350dc0f16603
  SHA1: 75ef6bda3f82dd858b1a4b768f24189aa10b94f1
  SHA256: c15eb52fe816bba6b41b2bec0c7f7e08d6e2dfefff39201bc36f6b4e6fd711b8
  SHA512: b66e03028f723307382092fe3d9683c8599a0227f50d46839ec70f6479c38af05514136c22e5cc03d72e2923384b08aebd699c9f0dfe92b738e667f306e4eb4f

Memory dumps (PID-sequence-range)
  memory/268-55-0x0000000000000000-mapping.dmp
  memory/1136-70-0x0000000000090000-0x00000000000BF000-memory.dmp  Filesize: 188KB  (matched the formbook yara rule; see Signatures)
  memory/1136-66-0x0000000075DF1000-0x0000000075DF3000-memory.dmp  Filesize: 8KB
  memory/1136-73-0x00000000009A0000-0x0000000000A34000-memory.dmp  Filesize: 592KB
  memory/1136-71-0x0000000002240000-0x0000000002543000-memory.dmp  Filesize: 3.0MB
  memory/1136-69-0x0000000000340000-0x000000000034E000-memory.dmp  Filesize: 56KB
  memory/1136-65-0x0000000000000000-mapping.dmp
  memory/1140-54-0x000007FEFC201000-0x000007FEFC203000-memory.dmp  Filesize: 8KB
  memory/1264-72-0x0000000004F40000-0x000000000501B000-memory.dmp  Filesize: 876KB
  memory/1264-64-0x0000000004F40000-0x000000000501B000-memory.dmp  Filesize: 876KB
  memory/1264-62-0x0000000006CF0000-0x0000000006E49000-memory.dmp  Filesize: 1.3MB
  memory/1264-74-0x0000000006B80000-0x0000000006C68000-memory.dmp  Filesize: 928KB
  memory/1264-75-0x0000000006B80000-0x0000000006C68000-memory.dmp  Filesize: 928KB
  memory/1924-57-0x0000000000000000-mapping.dmp
  memory/1924-63-0x00000000002C0000-0x00000000002D5000-memory.dmp  Filesize: 84KB
  memory/1924-60-0x00000000007C0000-0x0000000000AC3000-memory.dmp  Filesize: 3.0MB
  memory/1924-61-0x0000000000130000-0x0000000000145000-memory.dmp  Filesize: 84KB
  memory/2028-68-0x0000000000000000-mapping.dmp
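The "Drops startup file" signature and the dropped-file hashes above give an analyst two checks for a suspect host: whether the per-user Startup folder holds any Windows Script Host file at all, and whether anything there hashes to the values this report lists. The Python below is an added example written for this report, not part of the sandbox output: the SHA-256 values are copied from the Downloads section, the extension list and scan logic are the author's assumptions, and `demo()` builds a constructed Startup folder in a temporary directory (the real VeuzKgGKjI.js contents are not on this page, so a stand-in file is used) so the scan can be exercised offline. On a live Windows host, point `scan_startup_folder` at `default_startup_folder()`.

```python
"""Scan a Startup folder for script-based persistence and compare file hashes
against the dropped-file IoCs listed in this report.

Added example for this report, not sandbox output. The SHA-256 values are copied
from the report's Downloads section; the extension list, the scan logic and the
demo folder are constructed for illustration.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 -> original path, copied from the report above.
REPORT_SHA256 = {
    "c15eb52fe816bba6b41b2bec0c7f7e08d6e2dfefff39201bc36f6b4e6fd711b8":
        r"C:\Users\Admin\AppData\Roaming\VeuzKgGKjI.js",
    "e3bdaf1daee2ad35479c213122391cb3d27f193896aef414ce6edb516c0133aa":
        r"C:\Users\Admin\AppData\Local\Temp\bin.exe",
}

# Script and shell file types that should not normally sit in a Startup folder
# (assumed list; extend to taste).
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1", ".bat", ".cmd"}


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def default_startup_folder():
    """Per-user Startup folder, the location the sample wrote VeuzKgGKjI.js to."""
    appdata = os.environ.get("APPDATA", r"C:\Users\Admin\AppData\Roaming")
    return os.path.join(appdata, "Microsoft", "Windows", "Start Menu", "Programs", "Startup")


def scan_startup_folder(folder, known=REPORT_SHA256):
    """Return sorted [(filename, sha256, reason)] for files worth a look.

    A hash match against the report IoCs wins over the extension check so that
    a renamed dropper is still attributed to this sample.
    """
    findings = []
    for p in sorted(Path(folder).iterdir()):
        if not p.is_file():
            continue
        digest = sha256_file(p)
        if digest in known:
            findings.append((p.name, digest, "hash matches report IoC for " + known[digest]))
        elif p.suffix.lower() in SCRIPT_EXTS:
            findings.append((p.name, digest, "script file in Startup folder"))
    return findings


def demo():
    """Build a constructed Startup folder in a temp dir and scan it.

    The real VeuzKgGKjI.js contents are not available here, so a stand-in is
    written; a second file with known content exercises the hash-match branch.
    """
    known = dict(REPORT_SHA256)
    known[hashlib.sha256(b"x").hexdigest()] = "constructed stand-in for a known dropper"
    with tempfile.TemporaryDirectory() as d:
        Path(d, "VeuzKgGKjI.js").write_text("// constructed stand-in, not the real dropper\n")
        Path(d, "renamed.dat").write_bytes(b"x")                  # caught by hash, not extension
        Path(d, "desktop.ini").write_text("[.ShellClassInfo]\n")  # benign, ignored
        return scan_startup_folder(d, known)


if __name__ == "__main__":
    for name, digest, reason in demo():
        print(f"{name}: {reason} ({digest})")
```

Hash matching only catches this exact build; the extension check is what catches the next one, and on a host where nothing legitimate lives in Startup an empty result from `scan_startup_folder` is the expected state.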