Analysis
max time kernel: 149s
max time network: 169s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 09-12-2022 07:50
Static task: static1
Behavioral task: behavioral1
Sample: Quotation 2101137.exe
Resource: win7-20220812-en
General
Target: Quotation 2101137.exe
Size: 333KB
MD5: f1d95bc5972ece6c0ab4d64bd5c41721
SHA1: 750d7f9bc16029e5e7229c88c3363e03e2b50e7d
SHA256: 8cb7736a5f9c3be642d8ee0f07f7a293e210a7bc74cbbc9ba89e483ff22634cb
SHA512: 1243b8c9c78c2df52cded73add252e0bbc60dcc4c52d3449ac406fdfc1a6b2b55e520aa7c3114b0c43f368f259df424376ad689240c5abaa7c54ff3e557e98aa
SSDEEP: 6144:9kwb4cTPlzXPps8WC6KeBYfzFRyXxwwqIObWNlpPBV33nxqcI3hEONpJ364lH:P4cTPRXPps55gFaxLAbQTPBVgcI3CAp7
Malware Config
Extracted
Family: formbook
Campaign ID: yurm
Extracted strings (listed as reported, not decoded here):
  X06d1tis1GUX/R0g87Ud
  BKiZ33D1P766GVXO1ZwV
  lAFdjB7CSxGX8Trz
  Gc7dWizTVxWX8Trz
  tDkr9JAfi1OHAW1PGOageIp4
  bCpMtHKU3mVp8BY5sQ==
  7WKpsMWt8nsrhJClJeOZNg==
  0A9KTlETQ86Cmd8k0o5NP5RwCg==
  aJ61paNJztSp42c=
  CrgoA8ySIOsytCbO1ZwV
  i46SnHYDD9tTIHI=
  XFRCRCjtFZeU3x4Rn3xfD5BnPz+RDA==
  c4CZghuHvzW9A31gEz0d
  QAjzz9qyRRWBNYseAI4M
  Jpbmu4A1YvBvN3ruZgiRmJA5BCFd
  PfoFXGNFhhuX8Trz
  bqCfk0m8ApAl+Tm1Ms5Tb23IT7tS
  z7INff7HNALxc5HWq2/ftrVR6A7R1zvTUQ==
  m7IShV4LSFxbqxhrVsZ1Ig==
  BHRp7q0gtoRuqBRnVsZ1Ig==
  SnqEhE/pEKitAVYv+MtfgDwL1EuxZyihRg==
  1xpDKRHJ7K/tqQzEfaJvDIeRWI5DZyihRg==
  tAQpBfGi8mppxC4LbDQNI945BCFd
  nk5kz8aKDecavxHOYeugeIp4
  wPYvLS3zK8FvdJFbQVY=
  WAATk07VS0xU9Dvx
  KdwXaxSYC9G8DG2tUOBR/X3wtEM=
  EPQVcwx5eXw9i/E3B9tpP5RwCg==
  MN0FmlPPDZiu5zVpA58wA0Q/5F4=
  797QsL+c/saMxtZeQFQ=
  TISijiWfydvQFQ==
  ama7D8Ntnxsr9Gg=
  PcnRSFMPjGFm8BY5sQ==
  npSIXvRrsj25h91pUHZGbX3wtEM=
  0CAJglT6dkKyhZFbQVY=
  kL69pLud0pT4Am0=
  sG1JDgXWXydt/VHO1ZwV
  zxVdYWYhqoHvrt5W2G7a5PL71zEyHIIx
  i0Zm9MhPh/vvI3ycVsZ1Ig==
  kjRJqKB3nRgihH2kM0E=
  /s4LgD5dmCtOBCkprA==
  I278sNm5/o/FX2dZBAKYKg==
  eP/5flDtVw2X8Trz
  Ik9oUEj8hFO6eeK1gJg/xkILDkwPAw==
  QIS5jUjlUhtr/VHO1ZwV
  RcC5QQyGv0mFC2BnT3igeIp4
  NL7LMCoKT93dJWVTHJgywToxAg==
  yzhyPgzSYDGthZFbQVY=
  PqmV5ObKBpvKUJZYcGg05HtiCA==
  /W9bsq7IsDuC
  T8LMKrI2jA8BQ4yQVsZ1Ig==
  eHof90VMPMXQDQ==
  8TSLglnyajdx/VDO1ZwV
  ZQYihA2I+rn4g7eQVsZ1Ig==
  JCmxphUQ06is5Gc=
  H2C6sYYiZPAxoxNnVsZ1Ig==
  5NxIrpR6DM2Jd5FbQVY=
  vDCXqaJj6Pw2EXA=
  CBI+Gdh67Pw2EXA=
  zxoDhkPEDpTET7a6Os0tj1BpDBfmYgo=
  neEtD8Y0YN7fMV7O1ZwV
  W+BPJ/S6QhmScpFbQVY=
  iAZaRHA3ZgUpsQvRiZ5XP5RwCg==
  CQtXS8LIsDuC
absbox.org
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
PID 2008 etehonor.exe
PID 1752 etehonor.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
etehonor.exe: Key value queried \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation
-
Loads dropped DLL 4 IoCs
Processes:
PID 980 Quotation 2101137.exe (2 events)
PID 2008 etehonor.exe
PID 1328 svchost.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
etehonor.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hvtxxcgqiopcmw = "C:\\Users\\Admin\\AppData\\Roaming\\oigpqgqvlafd\\clbbmvmtrv.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\etehonor.exe\" C:\\Users\\Admin\\AppData"
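The Run value above nests one quoted path inside another, so recovering what actually starts at logon takes a small parser. The Python below is an added example, not code from the sandbox report or from the sample: it uses the IoC row above, transcribed by hand as its input, undoes the backslash and quote escaping the report applies to string values, splits the command line, and lists the properties that make this an autorun worth acting on. The `looks_generated` entropy threshold and the list of user-writable directory markers are the author's heuristics, not values taken from the report.

```python
"""Parse an 'Adds Run key' IoC row from a sandbox report and flag why the
autorun matters (added example; input transcribed from the report)."""
import math
import re
from collections import Counter

# Constructed input: the Set value row listed above, copied as displayed,
# i.e. with the report's backslash and quote escaping inside the string value.
RUN_KEY_IOC = (
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\hvtxxcgqiopcmw = '
    r'"C:\\Users\\Admin\\AppData\\Roaming\\oigpqgqvlafd\\clbbmvmtrv.exe '
    r'\"C:\\Users\\Admin\\AppData\\Local\\Temp\\etehonor.exe\" C:\\Users\\Admin\\AppData"'
)

IOC_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+?)\\(?P<name>[^\\]+) = "(?P<value>.*)"$'
)

# Directory markers a standard user can write to (author's list, not the
# report's): an autorun image here needs no admin rights and survives reboots.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def parse_run_key_ioc(line):
    """Split the row into key path, value name and the unescaped string value."""
    m = IOC_RE.match(line)
    if not m:
        raise ValueError("not a 'Set value' IoC row")
    value = re.sub(r"\\(.)", r"\1", m.group("value"))  # \\ -> \ and \" -> "
    return {"type": m.group("type"), "key": m.group("key"),
            "name": m.group("name"), "value": value}


def split_command_line(cmd):
    """Tokenize a Windows command line: double quotes group spaces, nothing
    else is special. Enough for Run values; not a full CommandLineToArgvW."""
    argv, cur, quoted = [], [], False
    for ch in cmd:
        if ch == '"':
            quoted = not quoted
        elif ch == " " and not quoted:
            if cur:
                argv.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        argv.append("".join(cur))
    return argv


def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_generated(token):
    """Heuristic (author's thresholds): long, all-lowercase, high-entropy
    names are what droppers draw from a PRNG; legitimate Run names are
    usually product words such as OneDrive or SecurityHealth."""
    return (len(token) >= 10 and token.isalpha() and token.islower()
            and shannon_entropy(token) > 3.0)


def assess_autorun(ioc_line):
    """Return the parsed entry plus the findings that justify escalating it."""
    entry = parse_run_key_ioc(ioc_line)
    argv = split_command_line(entry["value"])
    image, args = argv[0], argv[1:]
    findings = []
    if any(marker in image.lower() for marker in USER_WRITABLE):
        findings.append("image in user-writable directory")
    if looks_generated(entry["name"]):
        findings.append("value name looks machine-generated")
    parts = image.split("\\")
    if len(parts) >= 2 and looks_generated(parts[-2]):
        findings.append("image directory name looks machine-generated")
    for a in args:
        if a.lower().endswith(".exe") and "\\temp\\" in a.lower():
            findings.append("argument points at a second executable under Temp")
    return {"key": entry["key"], "name": entry["name"], "image": image,
            "args": args, "findings": findings}


if __name__ == "__main__":
    for k, v in assess_autorun(RUN_KEY_IOC).items():
        print(f"{k}: {v}")
```

For this row the image is the copied-out binary under Roaming, and the first argument is the original dropper path in Temp, so cleanup has to remove both the Run value and both files; deleting only the Temp copy leaves the autorun intact.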
Suspicious use of SetThreadContext 3 IoCs
Processes:
PID 2008 etehonor.exe set thread context of PID 1752 etehonor.exe
PID 1752 etehonor.exe set thread context of PID 1372 Explorer.EXE
PID 1328 svchost.exe set thread context of PID 1372 Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
The ransomware hint is the signature's generic description, not a finding about this sample: no storage-related IoC is listed for it, and the extracted configuration identifies the family as Formbook, an information stealer rather than ransomware.
-
Modifies Internet Explorer settings 1 IoCs
Processes:
svchost.exe: Key created \Registry\User\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
IntelliForms\Storage2 is where Internet Explorer keeps saved form and credential data; a SysWOW64 svchost.exe opening it is consistent with credential harvesting rather than a settings change.
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes:
PID 1752 etehonor.exe (4 events)
PID 1328 svchost.exe (22 events)
-
Suspicious behavior: MapViewOfSection 8 IoCs
Processes:
PID 2008 etehonor.exe (1 event)
PID 1752 etehonor.exe (3 events)
PID 1328 svchost.exe (4 events)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
PID 1752 etehonor.exe: Token: SeDebugPrivilege
PID 1328 svchost.exe: Token: SeDebugPrivilege
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
PID 1372 Explorer.EXE (2 events)
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
PID 1372 Explorer.EXE (2 events)
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
PID 980 Quotation 2101137.exe wrote to memory of PID 2008 etehonor.exe (4 events)
PID 2008 etehonor.exe wrote to memory of PID 1752 etehonor.exe (5 events)
PID 1372 Explorer.EXE wrote to memory of PID 1328 svchost.exe (4 events)
PID 1328 svchost.exe wrote to memory of PID 560 Firefox.exe (5 events)
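The SetThreadContext and WriteProcessMemory rows above describe one chain of process injection rather than isolated events. The Python below is an added example, not code from the report or from the sample: it takes those rows, transcribed by hand with the per-pair event counts, collapses them into edges and walks the chain from the submitted sample's PID, labelling each hop by the API mix. The labels (hollowing, thread-context hijack, memory write only) are the author's reading of the API combinations, not verdicts from the sandbox.

```python
"""Reconstruct the injection chain from a sandbox report's WriteProcessMemory
and SetThreadContext rows (added example; input transcribed from the report)."""
from collections import defaultdict


def _rows(api, spid, simg, tpid, timg, n):
    """n identical rows, mirroring how the report repeats one pair per event."""
    return [(api, spid, simg, tpid, timg)] * n


# Constructed input: the IoC rows listed under the two signatures above.
EVENTS = (
    _rows("WriteProcessMemory", 980, "Quotation 2101137.exe", 2008, "etehonor.exe", 4)
    + _rows("WriteProcessMemory", 2008, "etehonor.exe", 1752, "etehonor.exe", 5)
    + _rows("WriteProcessMemory", 1372, "Explorer.EXE", 1328, "svchost.exe", 4)
    + _rows("WriteProcessMemory", 1328, "svchost.exe", 560, "Firefox.exe", 5)
    + _rows("SetThreadContext", 2008, "etehonor.exe", 1752, "etehonor.exe", 1)
    + _rows("SetThreadContext", 1752, "etehonor.exe", 1372, "Explorer.EXE", 1)
    + _rows("SetThreadContext", 1328, "svchost.exe", 1372, "Explorer.EXE", 1)
)


def summarize_edges(events):
    """Collapse repeated rows into one edge per (source pid, target pid),
    keeping the image names and a per-API event count."""
    edges = {}
    for api, spid, simg, tpid, timg in events:
        edge = edges.get((spid, tpid))
        if edge is None:
            edge = edges[(spid, tpid)] = {"src": simg, "dst": timg, "apis": defaultdict(int)}
        edge["apis"][api] += 1
    return edges


def classify_edge(edge):
    """Label an edge by the API mix (author's heuristic, not a sandbox verdict).
    Write + SetThreadContext on a process running the same image is the
    classic hollowing pattern; SetThreadContext into a different image is a
    hijack of a thread in a process the malware did not create."""
    apis = edge["apis"]
    same_image = edge["src"].lower() == edge["dst"].lower()
    if "SetThreadContext" in apis and "WriteProcessMemory" in apis and same_image:
        return "process hollowing (self-copy)"
    if "SetThreadContext" in apis:
        return "thread-context hijack of a foreign process"
    if "WriteProcessMemory" in apis:
        return "memory write only"
    return "unknown"


def injection_chains(events, root_pid):
    """Depth-first walk from root_pid along the collapsed edges. Returns every
    path (list of PIDs) that ends where no further edge leaves, or where the
    next hop is already on the path (Explorer and svchost touch each other
    in both directions here, so the walk has to tolerate a cycle)."""
    children = defaultdict(list)
    for spid, tpid in summarize_edges(events):
        children[spid].append(tpid)
    chains = []

    def walk(pid, path):
        if not children[pid]:
            chains.append(path)
            return
        for nxt in children[pid]:
            if nxt in path:
                chains.append(path + [nxt])
            else:
                walk(nxt, path + [nxt])

    walk(root_pid, [root_pid])
    return chains


def describe(events, root_pid):
    """Human-readable hop list for each chain, e.g. for a triage note."""
    edges = summarize_edges(events)
    lines = []
    for chain in injection_chains(events, root_pid):
        for a, b in zip(chain, chain[1:]):
            e = edges[(a, b)]
            lines.append(f"{a} {e['src']} -> {b} {e['dst']}: {classify_edge(e)} "
                         f"({dict(e['apis'])})")
        lines.append("")
    return lines


if __name__ == "__main__":
    print("\n".join(describe(EVENTS, 980)))
```

Read together with the process tree, the walk gives 980 -> 2008 -> 1752 -> 1372 -> 1328 -> 560: the dropper starts a copy of itself, hollows a second copy, moves into Explorer.EXE, has Explorer start a 32-bit svchost.exe, and from there reaches Firefox.exe. The hop into Explorer is the one worth alerting on, since Explorer is the only process in the chain the malware did not create.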
Processes
-
C:\Users\Admin\AppData\Local\Temp\Quotation 2101137.exe  (PID 980)
  command line: "C:\Users\Admin\AppData\Local\Temp\Quotation 2101137.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\etehonor.exe  (PID 2008)
    command line: "C:\Users\Admin\AppData\Local\Temp\etehonor.exe" C:\Users\Admin\AppData\Local\Temp\qmhavanmg.g
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\etehonor.exe  (PID 1752)
      command line: "C:\Users\Admin\AppData\Local\Temp\etehonor.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Explorer.EXE  (PID 1372)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\svchost.exe  (PID 1328)
    command line: "C:\Windows\SysWOW64\svchost.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Mozilla Firefox\Firefox.exe  (PID 560)
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\etehonor.exe
Filesize: 276KB
MD5: b981aa3af96113599f9952f0c380a8b0
SHA1: 8386d407ad52e511e50965554b8552d53a39178e
SHA256: a69001c5b0942e4ccd287b980c4e21ac24f3de0a360e83583be90e5c31dd39c3
SHA512: 7597db69d6474edbf10ba6ed1ef16cacfb8a7b804cb77ab7fb2b901abac95851b04fdf9f675a1c35e81080a481761f8d20ce1cf35618c5e4558ba42d159ada62
-
C:\Users\Admin\AppData\Local\Temp\kirym.l
Filesize: 185KB
MD5: 9d9035fe8ddef2d013a41f6fe112413e
SHA1: b52dbfa2abd28ceefd50305715e6f852f7f30d31
SHA256: d6ac740ed55c3acbbfd751a97d8f0bab636a7ed093962599174cad423d2a4f01
SHA512: ef4df1daf8728d834194ef02371145db6cf683e690614d9b65c2a2c0f390a678d7ad081cba62efbd8a596a03f0c68b62ff47edef306d3324bc9e6b3f9cdd6682
-
C:\Users\Admin\AppData\Local\Temp\qmhavanmg.g
Filesize: 7KB
MD5: ede276b4d64c9a9dd29c4d5df7eae7a2
SHA1: 4030970ffbc2f222787f5ad36d944e99e22339bc
SHA256: 8478e027683e7a4546afda0573a0e098be7a585b5f6a1691f643f4e2de38c8e1
SHA512: 7daed8eb66ed11ae8699e495fd76f91ab36ed5e6fe19ebb1e783ea7bb3466c2c6a96580f1167af5de901dfb85e0cec0cad5f6eaeb15cc9880c6bf46ce61fbaa4
-
\Users\Admin\AppData\Local\Temp\etehonor.exe
Same file as C:\Users\Admin\AppData\Local\Temp\etehonor.exe above (276KB, identical MD5/SHA1/SHA256/SHA512).
-
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize: 904KB
MD5: 5e5ba61531d74e45b11cadb79e7394a1
SHA1: 677224e14aac9dd35f367d5eb1704b36e69356b8
SHA256: 99e91ae250c955bd403ec1a2321d6b11fcb715bdcc7cb3f63ffb46b349afde5c
SHA512: 712bfe419ba97ecf0ec8323a68743013e8c767da9d986f74ab94d2a395c3086cac2a5823048e0022d3bbcebb55281b9e1f8c87fdc9295c70cc5521b57850bf46
-
memory/980-54-0x0000000075811000-0x0000000075813000-memory.dmp (8KB)
-
memory/1328-73-0x0000000000080000-0x00000000000AD000-memory.dmp (180KB)
-
memory/1328-75-0x00000000004B0000-0x000000000053F000-memory.dmp (572KB)
-
memory/1328-77-0x0000000000080000-0x00000000000AD000-memory.dmp (180KB)
-
memory/1328-74-0x0000000000690000-0x0000000000993000-memory.dmp (3.0MB)
-
memory/1328-72-0x0000000000340000-0x0000000000348000-memory.dmp (32KB)
-
memory/1328-71-0x0000000000000000-mapping.dmp
-
memory/1372-70-0x00000000070D0000-0x00000000071F5000-memory.dmp (1.1MB)
-
memory/1372-76-0x0000000007200000-0x0000000007341000-memory.dmp (1.3MB)
-
memory/1372-79-0x0000000007200000-0x0000000007341000-memory.dmp (1.3MB)
-
memory/1752-69-0x0000000000290000-0x00000000002A0000-memory.dmp (64KB)
-
memory/1752-64-0x00000000004012B0-mapping.dmp
-
memory/1752-68-0x00000000008F0000-0x0000000000BF3000-memory.dmp (3.0MB)
-
memory/1752-66-0x0000000000400000-0x000000000042F000-memory.dmp (188KB)
-
memory/1752-67-0x0000000000400000-0x000000000042F000-memory.dmp (188KB)
-
memory/2008-57-0x0000000000000000-mapping.dmp