Analysis
-
max time kernel
121s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
03/11/2024, 02:43
Static task
static1
Behavioral task
behavioral1
Sample
Quote.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Quote.exe
Resource
win10v2004-20241007-en
General
-
Target
Quote.exe
-
Size
1.1MB
-
MD5
60d6f1cde4cfe076d86d2f298f724f05
-
SHA1
f019ff4751d1518f322291c6fbae7229efef0cf9
-
SHA256
f35d39b293f66612de5c9607630a64de7748f5e468d63133b26180125d19a249
-
SHA512
bb330517a4bb14e7b155b0dc8fd790ac03eddda6ec75beb3ad7e967ec64453be5309a8f508e15a2c91a53a141317f34744eb792b2fee90e1dd75ef86da21cfa4
-
SSDEEP
24576:sqDEvCTbMWu7rQYlBQcBiT6rprG8aDBBwwjN1UCJ:sTvC/MTQYxsWR7aDBBVjNd
Malware Config
Signatures
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2216 set thread context of 2900 2216 Quote.exe 30 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Quote.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2900 RegSvcs.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2216 Quote.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2900 RegSvcs.exe -
Suspicious use of FindShellTrayWindow 29 IoCs
pid Process 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe -
Suspicious use of SendNotifyMessage 29 IoCs
pid Process 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe 2216 Quote.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2216 wrote to memory of 2900 2216 Quote.exe 30 PID 2216 wrote to memory of 2900 2216 Quote.exe 30 PID 2216 wrote to memory of 2900 2216 Quote.exe 30 PID 2216 wrote to memory of 2900 2216 Quote.exe 30 PID 2216 wrote to memory of 2900 2216 Quote.exe 30 PID 2216 wrote to memory of 2900 2216 Quote.exe 30 PID 2216 wrote to memory of 2900 2216 Quote.exe 30 PID 2216 wrote to memory of 2900 2216 Quote.exe 30 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Quote.exe"C:\Users\Admin\AppData\Local\Temp\Quote.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\Quote.exe"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2900
-