Overview

overview

10

Static

static

1

Quotation.exe

windows7-x64

8

Quotation.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    189s
  • max time network
    206s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-12-2022 15:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quotation.exe

  • Size

    603KB

  • MD5

    bd50419823213f1f7b3a8e74b051b379

  • SHA1

    be3166a203ccbf1ce56ee05420a1972f115d8620

  • SHA256

    a6251f77e4c34d7007b6ac5b9e76fb2905d90eb74cb3b5da23fc11ac437f44ad

  • SHA512

    7e7490dbe4d02f3046494daf45fe9fddbb292855f2546b95d88100d89d61f41c328969f2d59dbd5fffcf61aafc79dd56b5f56e1a9bc74f634b19ff2eff5d5b07

  • SSDEEP

    12288:g4LZz32DiC3u6zioxdrRNd4vHbQeKQMgH7+Wp1bILwwyx:g4lot3u6zxbGRT118Gx

Score
10/10
formbookscsepersistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

scse

Decoy

SKpYFyVNT2zunKf0uuM=

FlEHUseI7I5XbrO8fR/XBcS9ZA==

FPuxoUOxkLiATugw

VKdxsDSk0jdT5Kw=

FpqHf9iI/1tl97E=

YGI6sIl3UIxfZvlD+JiUuuLR

oBAEO0suBEAD5aK00A==

RKJqTzg4gQ/Q6DYSuTjDGkwuyl0ik5Kb8w==

VFg9s3W0/Ype8A3cZb+D7g==

hwD+VNd6014nrsaTWm4FBcS9ZA==

zkAdUq1soKYUfZaTqLmL

XVQ9WbRivUIQ477a/hKv+g==

QireF2geizAwmp674AGc5g==

PSTUQxs6j8OATugw

LHJhyy2VbX8NEqf0uuM=

MiY1vg6T3HqATugw

wqkUjaVXnGgBqA==

jUr/eUtSIT01Wegt

PjQidcqKzAbSZICUZb+D7g==

OkAmcv12sUEAIHwFHakzdIo2FPHw

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 56 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Users\Admin\AppData\Local\Temp\Quotation.exe
      "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1716
      • C:\Users\Admin\AppData\Local\Temp\rmuvrasf.exe
        "C:\Users\Admin\AppData\Local\Temp\rmuvrasf.exe" "C:\Users\Admin\AppData\Local\Temp\imfyryryp.au3"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:3916
        • C:\Users\Admin\AppData\Local\Temp\rmuvrasf.exe
          "C:\Users\Admin\AppData\Local\Temp\rmuvrasf.exe"
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:228
    • C:\Windows\SysWOW64\msdt.exe
      "C:\Windows\SysWOW64\msdt.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3712
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:4780

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\imfyryryp.au3
      Filesize

      6KB

      MD5

      d363383e83d1438ade3b5b5fe73f06a5

      SHA1

      a64ef07047b145e51c08911232ab820fae562132

      SHA256

      c50d962c58664b8ef94ae39480079457121bbd0c49c9d4116b9db266b0fd519a

      SHA512

      a0ba15f57bcd35e14f2766f3b33a4ff063ddd1012f2d0b1f0dc5f21f5e40041433673a24e5fa86b55277332035725a658ec5166efdab122bc60c2964db97f266

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\mvomywpsevp.aus
      Filesize

      184KB

      MD5

      dd6ced2fa7218b25a0c6f6dfcc8d740a

      SHA1

      ff8c776722efe714bdce91788adf161e9b2894ae

      SHA256

      b166d9899ea2a0f25582aaee1648334b8dc774f256c09ccc03d9a002933a91e8

      SHA512

      2f6089cfb9dd0281bfa25cd630680e5124447efcc1e6ee9d2e7d078425b3bf42e3ca318742721b50ed87ac343610a8d9a5bd955b8017a4cefc736322af0ef04f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\nmkww.a
      Filesize

      84KB

      MD5

      57df1892c032c7676fab58f8cbbc621a

      SHA1

      535a9dba3460bce75518e3e70447be027110c20c

      SHA256

      683a57a44efe10ddd23b550cd01a388a7079279935eede5c78b326237b479e06

      SHA512

      088a278daba67721ec8423c6e29e64ae2d9c6ca51640f332092dc7ce8f225d0d4aa2b9cd2bd079b6962aec8b4ed6789761b18ebde452f3da4b3bc9f4ed8ff00e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\rmuvrasf.exe
      Filesize

      872KB

      MD5

      c56b5f0201a3b3de53e561fe76912bfd

      SHA1

      2a4062e10a5de813f5688221dbeb3f3ff33eb417

      SHA256

      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

      SHA512

      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\rmuvrasf.exe
      Filesize

      872KB

      MD5

      c56b5f0201a3b3de53e561fe76912bfd

      SHA1

      2a4062e10a5de813f5688221dbeb3f3ff33eb417

      SHA256

      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

      SHA512

      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\rmuvrasf.exe
      Filesize

      872KB

      MD5

      c56b5f0201a3b3de53e561fe76912bfd

      SHA1

      2a4062e10a5de813f5688221dbeb3f3ff33eb417

      SHA256

      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

      SHA512

      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

      Download Submit
    • memory/228-146-0x0000000000422000-0x0000000000424000-memory.dmp
      Filesize

      8KB

      Download
    • memory/228-149-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/228-140-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/228-141-0x0000000000401000-0x000000000042E000-memory.dmp
      Filesize

      180KB

      Download
    • memory/228-142-0x0000000001790000-0x0000000001ADA000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/228-144-0x0000000001230000-0x0000000001240000-memory.dmp
      Filesize

      64KB

      Download
    • memory/228-143-0x0000000000422000-0x0000000000424000-memory.dmp
      Filesize

      8KB

      Download
    • memory/228-150-0x0000000000401000-0x000000000042E000-memory.dmp
      Filesize

      180KB

      Download
    • memory/228-138-0x0000000000000000-mapping.dmp
      Download
    • memory/228-147-0x00000000034F0000-0x0000000003500000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3020-148-0x0000000008400000-0x000000000852C000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/3020-145-0x0000000002E70000-0x0000000002FA7000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/3020-155-0x0000000008400000-0x000000000852C000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/3020-157-0x0000000008870000-0x00000000089BE000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3020-159-0x0000000008870000-0x00000000089BE000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3712-151-0x0000000000000000-mapping.dmp
      Download
    • memory/3712-152-0x0000000000CA0000-0x0000000000CF7000-memory.dmp
      Filesize

      348KB

      Download
    • memory/3712-153-0x0000000000310000-0x000000000033D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/3712-154-0x00000000026B0000-0x00000000029FA000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/3712-156-0x00000000025F0000-0x000000000267F000-memory.dmp
      Filesize

      572KB

      Download
    • memory/3712-158-0x0000000000310000-0x000000000033D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/3916-132-0x0000000000000000-mapping.dmp
      Download