Analysis
-
max time kernel
132s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
03/11/2024, 02:43
Static task
static1
Behavioral task
behavioral1
Sample
Quote.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Quote.exe
Resource
win10v2004-20241007-en
General
-
Target
Quote.exe
-
Size
1.1MB
-
MD5
60d6f1cde4cfe076d86d2f298f724f05
-
SHA1
f019ff4751d1518f322291c6fbae7229efef0cf9
-
SHA256
f35d39b293f66612de5c9607630a64de7748f5e468d63133b26180125d19a249
-
SHA512
bb330517a4bb14e7b155b0dc8fd790ac03eddda6ec75beb3ad7e967ec64453be5309a8f508e15a2c91a53a141317f34744eb792b2fee90e1dd75ef86da21cfa4
-
SSDEEP
24576:sqDEvCTbMWu7rQYlBQcBiT6rprG8aDBBwwjN1UCJ:sTvC/MTQYxsWR7aDBBVjNd
Malware Config
Signatures
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 21 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1420 set thread context of 2680 1420 Quote.exe 94 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Quote.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2680 RegSvcs.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 1420 Quote.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2680 RegSvcs.exe -
Suspicious use of FindShellTrayWindow 12 IoCs
pid Process 1420 Quote.exe 1420 Quote.exe 1420 Quote.exe 1420 Quote.exe 1420 Quote.exe 1420 Quote.exe 1420 Quote.exe 1420 Quote.exe 1420 Quote.exe 1420 Quote.exe 1420 Quote.exe 1420 Quote.exe -
Suspicious use of SendNotifyMessage 12 IoCs
pid Process 1420 Quote.exe 1420 Quote.exe 1420 Quote.exe 1420 Quote.exe 1420 Quote.exe 1420 Quote.exe 1420 Quote.exe 1420 Quote.exe 1420 Quote.exe 1420 Quote.exe 1420 Quote.exe 1420 Quote.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1420 wrote to memory of 2680 1420 Quote.exe 94 PID 1420 wrote to memory of 2680 1420 Quote.exe 94 PID 1420 wrote to memory of 2680 1420 Quote.exe 94 PID 1420 wrote to memory of 2680 1420 Quote.exe 94 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Quote.exe"C:\Users\Admin\AppData\Local\Temp\Quote.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1420 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\Quote.exe"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2680
-