Analysis
max time kernel: 179s
max time network: 184s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 07-12-2022 09:49
Static task: static1
Behavioral task: behavioral1 (Sample: Quote.exe, Resource: win7-20220812-en)
General
Target: Quote.exe
Size: 225KB
MD5: 321f3295b04cccbbcff5a78a19a92c02
SHA1: 18a59fbe2535105067608b8755aee0c2ec1e495a
SHA256: 8c011e911b1f66852a1e9b335db2779d320749730155cf63bd2956fd338d6244
SHA512: 1776e0abd19fa36adee495d6b6a39d233e847d717ce9ac6e3fd40398a80ee693380fc1ae2daefc938f6a36b413ca522f8250f241384ec3680815ec79afb6a8eb
SSDEEP: 6144:QBn1Mv+a0+CnUDn3zBaySG9PY2B25IuoXqFv:g/a0hUDn1au9A2BiIk
Malware Config
Extracted family: formbook
Campaign ID: 0pnv
Domain: pcmigrationpro.com
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes (flow / pid / process):
7 / 1136 / cmstp.exe
-
Executes dropped EXE 2 IoCs
Processes (pid / process):
1908 / ymvuqqpv.exe
624 / ymvuqqpv.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description / ioc / process):
Key value queried / \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation / ymvuqqpv.exe
-
Loads dropped DLL 3 IoCs
Processes (pid / process):
1164 / Quote.exe
1908 / ymvuqqpv.exe
1136 / cmstp.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 3 IoCs
Processes (description / pid / process / target process):
PID 1908 set thread context of 624 / 1908 / ymvuqqpv.exe / ymvuqqpv.exe
PID 624 set thread context of 1432 / 624 / ymvuqqpv.exe / Explorer.EXE
PID 1136 set thread context of 1432 / 1136 / cmstp.exe / Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings
Processes (description / ioc / process):
Key created / \Registry\User\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 / cmstp.exe
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
Processes (pid / process):
624 / ymvuqqpv.exe (repeated entries)
1136 / cmstp.exe (repeated entries)
-
Suspicious behavior: MapViewOfSection 8 IoCs
Processes (pid / process):
1908 / ymvuqqpv.exe (1 entry)
624 / ymvuqqpv.exe (3 entries)
1136 / cmstp.exe (4 entries)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes (description / pid / process):
Token: SeDebugPrivilege / 624 / ymvuqqpv.exe
Token: SeDebugPrivilege / 1136 / cmstp.exe
Token: SeShutdownPrivilege / 1432 / Explorer.EXE
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes (pid / process):
1432 / Explorer.EXE (2 entries)
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes (pid / process):
1432 / Explorer.EXE (2 entries)
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes (description / pid / process / target process):
PID 1164 wrote to memory of 1908 / 1164 / Quote.exe / ymvuqqpv.exe (4 entries)
PID 1908 wrote to memory of 624 / 1908 / ymvuqqpv.exe / ymvuqqpv.exe (5 entries)
PID 1432 wrote to memory of 1136 / 1432 / Explorer.EXE / cmstp.exe (7 entries)
PID 1136 wrote to memory of 1980 / 1136 / cmstp.exe / Firefox.exe (5 entries)
Processes
-
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Quote.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Quote.exe"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\ymvuqqpv.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\ymvuqqpv.exe" C:\Users\Admin\AppData\Local\Temp\ajpcdhql.cy
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of SetThreadContext
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\ymvuqqpv.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\ymvuqqpv.exe"
            - Executes dropped EXE
            - Checks computer location settings
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\cmstp.exe
      Command line: "C:\Windows\SysWOW64\cmstp.exe"
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files\Mozilla Firefox\Firefox.exe
         Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\ajpcdhql.cy
Filesize: 5KB
MD5: cacf272177d2135e35faf3aa93167540
SHA1: 6ea6b033eff2b963d63a2e149b9b7525c41d80ae
SHA256: 93480c540f9b82fe13ac54ecf95562de42054172efd179d797c4f6c7c97e07cf
SHA512: 278aff52c4d882cfe98389ea4bcf53ac8d6245c12bb276f521b2852b12f01a241aa9d6e4de84a1c0b7d752f7cb93e1f31e794c82ee35096ba657fec18e5920a2
-
C:\Users\Admin\AppData\Local\Temp\uzhmrrk.wkl
Filesize: 185KB
MD5: 37e9542038b738ed656949c9e64814fc
SHA1: b825cea9a9b826857ff404a6bbb4200f7b0dc837
SHA256: bd83a9cfee893492264750dd5c3582f86d47d37875ce280fb895c7909c8336dc
SHA512: 53ce181e8a63de2bcc1cf6521bf6d2e963cab4530e1b4c139cdd4800fa0b131566036b0215904e03077075a4e13e4158010789f6f27d28c839d2ec6a06007583
-
C:\Users\Admin\AppData\Local\Temp\ymvuqqpv.exe
Filesize: 13KB
MD5: 03de537afe7cd5629ac193ec751781da
SHA1: f538844fb828c89c57f0a38cb104c9494a579a72
SHA256: 285d3ad53a34aee72b74016f675e15b85d508411c3bf54a6c961c86a5e15d89e
SHA512: dc2cf6b16007c7ec4e2d15649a73c0f8b74e455bfecb8aeb2f3cebc454bd38f68bbfa8d0aeeefc06937d2e781b29ac611d8472ae1454cf2f42c77577cdd48fec
-
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize: 831KB
MD5: 05ace2f6d9bef6fd9bbd05ee5262a1f2
SHA1: 5cce2228e0d9c6cc913cf551e0bf7c76ed74ff59
SHA256: 002459f4d4758011b4d7f36935f1fe323494b847f8c173a551076a3d30475ebc
SHA512: 1e717a66a72eb626727144fa7458f472ada54fd1be37072c9e740945e34ba94025737aef44e54752c50c5b79a583c6a91a0d8043bf1bf7c3e7cab8537207f9fc
-
\Users\Admin\AppData\Local\Temp\ymvuqqpv.exe
Filesize: 13KB
MD5: 03de537afe7cd5629ac193ec751781da
SHA1: f538844fb828c89c57f0a38cb104c9494a579a72
SHA256: 285d3ad53a34aee72b74016f675e15b85d508411c3bf54a6c961c86a5e15d89e
SHA512: dc2cf6b16007c7ec4e2d15649a73c0f8b74e455bfecb8aeb2f3cebc454bd38f68bbfa8d0aeeefc06937d2e781b29ac611d8472ae1454cf2f42c77577cdd48fec
-
memory/624-66-0x0000000000840000-0x0000000000B43000-memory.dmp (Filesize: 3.0MB)
-
memory/624-67-0x0000000000422000-0x0000000000424000-memory.dmp (Filesize: 8KB)
-
memory/624-64-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
-
memory/624-65-0x0000000000401000-0x000000000042F000-memory.dmp (Filesize: 184KB)
-
memory/624-62-0x00000000004012B0-mapping.dmp
-
memory/624-68-0x0000000000080000-0x0000000000090000-memory.dmp (Filesize: 64KB)
-
memory/1136-72-0x0000000000300000-0x0000000000318000-memory.dmp (Filesize: 96KB)
-
memory/1136-70-0x0000000000000000-mapping.dmp
-
memory/1136-74-0x0000000002030000-0x0000000002333000-memory.dmp (Filesize: 3.0MB)
-
memory/1136-73-0x0000000000090000-0x00000000000BD000-memory.dmp (Filesize: 180KB)
-
memory/1136-75-0x0000000000320000-0x00000000003AF000-memory.dmp (Filesize: 572KB)
-
memory/1136-77-0x0000000000090000-0x00000000000BD000-memory.dmp (Filesize: 180KB)
-
memory/1164-54-0x0000000075DA1000-0x0000000075DA3000-memory.dmp (Filesize: 8KB)
-
memory/1432-69-0x0000000006920000-0x0000000006A1F000-memory.dmp (Filesize: 1020KB)
-
memory/1432-76-0x0000000006A20000-0x0000000006B15000-memory.dmp (Filesize: 980KB)
-
memory/1432-78-0x0000000006A20000-0x0000000006B15000-memory.dmp (Filesize: 980KB)
-
memory/1908-56-0x0000000000000000-mapping.dmp