Malware Analysis Report

2025-05-05 21:47

Sample ID 240829-gpr7zayfkr
Target QUOTATION_AUGQTRA071244PDF.scr.exe
SHA256 9fc616629b68b08d072474a412496c172b8235e30e8868d00e2ecc53d35e7651
Tags
vipkeylogger collection credential_access discovery keylogger stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9fc616629b68b08d072474a412496c172b8235e30e8868d00e2ecc53d35e7651

Threat Level: Known bad

The file QUOTATION_AUGQTRA071244PDF.scr.exe was found to be: Known bad.

Malicious Activity Summary

vipkeylogger collection credential_access discovery keylogger stealer

Suspicious use of NtCreateUserProcessOtherParentProcess

VIPKeylogger

Credentials from Password Stores: Credentials from Web Browsers

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Browser Information Discovery

Unsigned PE

outlook_office_path

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-29 05:59

Signatures

Unsigned PE

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-29 05:59

Reported

2024-08-29 06:01

Platform

win7-20240708-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\QUOTATION_AUGQTRA071244PDF.scr.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\QUOTATION_AUGQTRA071244PDF.scr.exe

"C:\Users\Admin\AppData\Local\Temp\QUOTATION_AUGQTRA071244PDF.scr.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2876 -s 1120

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | filetransfer.io | udp |
| US | 172.67.200.96:80 | filetransfer.io | tcp |
| US | 172.67.200.96:443 | filetransfer.io | tcp |
| US | 172.67.200.96:443 | filetransfer.io | tcp |
| US | 8.8.8.8:53 | s23.filetransfer.io | udp |
| US | 104.21.13.139:443 | s23.filetransfer.io | tcp |

Files

memory/2876-0-0x000007FEF5D93000-0x000007FEF5D94000-memory.dmp

memory/2876-1-0x0000000000160000-0x00000000001C0000-memory.dmp

memory/2876-2-0x000007FEF5D90000-0x000007FEF677C000-memory.dmp

memory/2876-3-0x000007FEF5D93000-0x000007FEF5D94000-memory.dmp

memory/2876-4-0x000000001CB10000-0x000000001CC34000-memory.dmp

memory/2876-5-0x000000001CB10000-0x000000001CC2F000-memory.dmp

memory/2876-6-0x000000001CB10000-0x000000001CC2F000-memory.dmp

memory/2876-18-0x000000001CB10000-0x000000001CC2F000-memory.dmp

memory/2876-26-0x000000001CB10000-0x000000001CC2F000-memory.dmp

memory/2876-8-0x000000001CB10000-0x000000001CC2F000-memory.dmp

memory/2876-10-0x000000001CB10000-0x000000001CC2F000-memory.dmp

memory/2876-58-0x000000001CB10000-0x000000001CC2F000-memory.dmp

memory/2876-12-0x000000001CB10000-0x000000001CC2F000-memory.dmp

memory/2876-16-0x000000001CB10000-0x000000001CC2F000-memory.dmp

memory/2876-22-0x000000001CB10000-0x000000001CC2F000-memory.dmp

memory/2876-24-0x000000001CB10000-0x000000001CC2F000-memory.dmp

memory/2876-28-0x000000001CB10000-0x000000001CC2F000-memory.dmp

memory/2876-34-0x000000001CB10000-0x000000001CC2F000-memory.dmp

memory/2876-40-0x000000001CB10000-0x000000001CC2F000-memory.dmp

memory/2876-38-0x000000001CB10000-0x000000001CC2F000-memory.dmp

memory/2876-36-0x000000001CB10000-0x000000001CC2F000-memory.dmp

memory/2876-44-0x000000001CB10000-0x000000001CC2F000-memory.dmp

memory/2876-42-0x000000001CB10000-0x000000001CC2F000-memory.dmp

memory/2876-32-0x000000001CB10000-0x000000001CC2F000-memory.dmp

memory/2876-30-0x000000001CB10000-0x000000001CC2F000-memory.dmp

memory/2876-20-0x000000001CB10000-0x000000001CC2F000-memory.dmp

memory/2876-14-0x000000001CB10000-0x000000001CC2F000-memory.dmp

memory/2876-46-0x000000001CB10000-0x000000001CC2F000-memory.dmp

memory/2876-48-0x000000001CB10000-0x000000001CC2F000-memory.dmp

memory/2876-52-0x000000001CB10000-0x000000001CC2F000-memory.dmp

memory/2876-68-0x000000001CB10000-0x000000001CC2F000-memory.dmp

memory/2876-66-0x000000001CB10000-0x000000001CC2F000-memory.dmp

memory/2876-64-0x000000001CB10000-0x000000001CC2F000-memory.dmp

memory/2876-62-0x000000001CB10000-0x000000001CC2F000-memory.dmp

memory/2876-60-0x000000001CB10000-0x000000001CC2F000-memory.dmp

memory/2876-56-0x000000001CB10000-0x000000001CC2F000-memory.dmp

memory/2876-54-0x000000001CB10000-0x000000001CC2F000-memory.dmp

memory/2876-50-0x000000001CB10000-0x000000001CC2F000-memory.dmp

memory/2876-1079-0x000007FEF5D90000-0x000007FEF677C000-memory.dmp

memory/2876-1081-0x00000000022C0000-0x000000000230C000-memory.dmp

memory/2876-1080-0x000000001D0B0000-0x000000001D14E000-memory.dmp

memory/2876-1082-0x000007FEF5D90000-0x000007FEF677C000-memory.dmp

memory/2876-1084-0x000000001ACB0000-0x000000001AD04000-memory.dmp

memory/2876-1085-0x000007FEF5D90000-0x000007FEF677C000-memory.dmp

memory/2876-1086-0x000007FEF5D90000-0x000007FEF677C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-29 05:59

Reported

2024-08-29 06:01

Platform

win10v2004-20240802-en

Max time kernel

133s

Max time network

148s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 344 created 3548 | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_AUGQTRA071244PDF.scr.exe | C:\Windows\Explorer.EXE |

VIPKeylogger

stealer keylogger vipkeylogger

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Accesses Microsoft Outlook profiles

collection

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |

Looks up external IP address via web service

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | checkip.dyndns.org | N/A | N/A |

Browser Information Discovery

discovery

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_AUGQTRA071244PDF.scr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_AUGQTRA071244PDF.scr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |

outlook_office_path

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |

outlook_win_path

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\QUOTATION_AUGQTRA071244PDF.scr.exe

"C:\Users\Admin\AppData\Local\Temp\QUOTATION_AUGQTRA071244PDF.scr.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | filetransfer.io | udp |
| US | 172.67.200.96:80 | filetransfer.io | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.200.67.172.in-addr.arpa | udp |
| US | 172.67.200.96:443 | filetransfer.io | tcp |
| US | 8.8.8.8:53 | s23.filetransfer.io | udp |
| US | 104.21.13.139:443 | s23.filetransfer.io | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.13.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| US | 193.122.130.0:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | 0.130.122.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | reallyfreegeoip.org | udp |
| US | 104.21.67.152:443 | reallyfreegeoip.org | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.67.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |

Files

memory/344-0-0x000001D2A3B90000-0x000001D2A3BF0000-memory.dmp

memory/344-1-0x00007FFF5D963000-0x00007FFF5D965000-memory.dmp

memory/344-2-0x00007FFF5D960000-0x00007FFF5E421000-memory.dmp

memory/344-3-0x000001D2BE330000-0x000001D2BE454000-memory.dmp

memory/344-41-0x000001D2BE330000-0x000001D2BE44F000-memory.dmp

memory/344-39-0x000001D2BE330000-0x000001D2BE44F000-memory.dmp

memory/344-5-0x000001D2BE330000-0x000001D2BE44F000-memory.dmp

memory/344-37-0x000001D2BE330000-0x000001D2BE44F000-memory.dmp

memory/344-67-0x000001D2BE330000-0x000001D2BE44F000-memory.dmp

memory/344-65-0x000001D2BE330000-0x000001D2BE44F000-memory.dmp

memory/344-61-0x000001D2BE330000-0x000001D2BE44F000-memory.dmp

memory/344-59-0x000001D2BE330000-0x000001D2BE44F000-memory.dmp

memory/344-57-0x000001D2BE330000-0x000001D2BE44F000-memory.dmp

memory/344-55-0x000001D2BE330000-0x000001D2BE44F000-memory.dmp

memory/344-54-0x000001D2BE330000-0x000001D2BE44F000-memory.dmp

memory/344-49-0x000001D2BE330000-0x000001D2BE44F000-memory.dmp

memory/344-47-0x000001D2BE330000-0x000001D2BE44F000-memory.dmp

memory/344-45-0x000001D2BE330000-0x000001D2BE44F000-memory.dmp

memory/344-43-0x000001D2BE330000-0x000001D2BE44F000-memory.dmp

memory/344-35-0x000001D2BE330000-0x000001D2BE44F000-memory.dmp

memory/344-33-0x000001D2BE330000-0x000001D2BE44F000-memory.dmp

memory/344-31-0x000001D2BE330000-0x000001D2BE44F000-memory.dmp

memory/344-29-0x000001D2BE330000-0x000001D2BE44F000-memory.dmp

memory/344-23-0x000001D2BE330000-0x000001D2BE44F000-memory.dmp

memory/344-21-0x000001D2BE330000-0x000001D2BE44F000-memory.dmp

memory/344-15-0x000001D2BE330000-0x000001D2BE44F000-memory.dmp

memory/344-13-0x000001D2BE330000-0x000001D2BE44F000-memory.dmp

memory/344-63-0x000001D2BE330000-0x000001D2BE44F000-memory.dmp

memory/344-11-0x000001D2BE330000-0x000001D2BE44F000-memory.dmp

memory/344-9-0x000001D2BE330000-0x000001D2BE44F000-memory.dmp

memory/344-51-0x000001D2BE330000-0x000001D2BE44F000-memory.dmp

memory/344-7-0x000001D2BE330000-0x000001D2BE44F000-memory.dmp

memory/344-27-0x000001D2BE330000-0x000001D2BE44F000-memory.dmp

memory/344-25-0x000001D2BE330000-0x000001D2BE44F000-memory.dmp

memory/344-4-0x000001D2BE330000-0x000001D2BE44F000-memory.dmp

memory/344-19-0x000001D2BE330000-0x000001D2BE44F000-memory.dmp

memory/344-17-0x000001D2BE330000-0x000001D2BE44F000-memory.dmp

memory/344-1078-0x00007FFF5D960000-0x00007FFF5E421000-memory.dmp

memory/344-1079-0x000001D2BE450000-0x000001D2BE4EE000-memory.dmp

memory/344-1080-0x000001D2A4080000-0x000001D2A40CC000-memory.dmp

memory/344-1085-0x00007FFF5D960000-0x00007FFF5E421000-memory.dmp

memory/344-1084-0x00007FFF5D960000-0x00007FFF5E421000-memory.dmp

memory/344-1086-0x00007FFF5D960000-0x00007FFF5E421000-memory.dmp

memory/344-1087-0x00007FFF5D963000-0x00007FFF5D965000-memory.dmp

memory/344-1088-0x00007FFF5D960000-0x00007FFF5E421000-memory.dmp

memory/344-1090-0x000001D2BE4F0000-0x000001D2BE544000-memory.dmp

memory/344-1092-0x00007FFF5D960000-0x00007FFF5E421000-memory.dmp

memory/4552-1093-0x00000240C2C20000-0x00000240C2C6B000-memory.dmp

memory/4552-1094-0x00007FFF5D963000-0x00007FFF5D965000-memory.dmp

memory/4552-1095-0x00000240C47B0000-0x00000240C47F6000-memory.dmp

memory/4552-1096-0x00007FFF5D960000-0x00007FFF5E421000-memory.dmp

memory/4552-1097-0x00007FFF5D960000-0x00007FFF5E421000-memory.dmp

memory/4552-1098-0x00007FFF5D960000-0x00007FFF5E421000-memory.dmp

memory/4552-1099-0x00007FFF5D960000-0x00007FFF5E421000-memory.dmp

memory/4552-1100-0x00000240DD500000-0x00000240DD6C2000-memory.dmp

memory/4552-1101-0x00000240DD1D0000-0x00000240DD220000-memory.dmp