Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
122s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20250211-en -
resource tags
arch:x64arch:x86image:win10v2004-20250211-enlocale:en-usos:windows10-2004-x64system -
submitted
11/02/2025, 17:30
Static task
static1
Behavioral task
behavioral1
Sample
Request for Quotation.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Request for Quotation.exe
Resource
win10v2004-20250211-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20250207-en
General
-
Target
Request for Quotation.exe
-
Size
1.0MB
-
MD5
3d638b12dd95e2fff1c99065066e737d
-
SHA1
882991b2c481bc5692ea2a190e13d67a622a8897
-
SHA256
c3d0d812c6ff22f5202b68c5635693506887d26ee57e4455a4b939262849a0fa
-
SHA512
3c273a63706d442087295fa0709d0f0f029b038a1d65cd3131ac70b65d5624a696e01d5060cd25ae542dac7e7203965b21e85a1589d240474724e1b2c915f4d9
-
SSDEEP
12288:LzORStC06lt5yuYwfdtPHiRJWJcqRTP8KiHnIt9b8aG8mFT/+AgidpiC:LzOEC045yZ0PiAjRwnITNG5Hgapl
Malware Config
Signatures
-
Guloader family
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Loads dropped DLL 2 IoCs
pid Process 404 Request for Quotation.exe 404 Request for Quotation.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Request for Quotation.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Request for Quotation.exe Key opened \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Request for Quotation.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Request for Quotation.exe Key opened \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Request for Quotation.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Request for Quotation.exe Key queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook Request for Quotation.exe Key queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook Request for Quotation.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Request for Quotation.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Request for Quotation.exe Key queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook Request for Quotation.exe Key queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook Request for Quotation.exe Key queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Request for Quotation.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Request for Quotation.exe Key queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Request for Quotation.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Request for Quotation.exe Key queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Request for Quotation.exe Key opened \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Request for Quotation.exe Key opened \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Request for Quotation.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Request for Quotation.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Request for Quotation.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Request for Quotation.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook Request for Quotation.exe Key queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Request for Quotation.exe Key queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Request for Quotation.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook Request for Quotation.exe Key opened \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Request for Quotation.exe Key queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook Request for Quotation.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook Request for Quotation.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Request for Quotation.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Request for Quotation.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook Request for Quotation.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Request for Quotation.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Request for Quotation.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook Request for Quotation.exe Key queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Request for Quotation.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Request for Quotation.exe Key queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Request for Quotation.exe Key queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Request for Quotation.exe Key created \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook Request for Quotation.exe Key queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook Request for Quotation.exe Key opened \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Request for Quotation.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 7 drive.google.com 8 drive.google.com -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
pid Process 3316 Request for Quotation.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 404 Request for Quotation.exe 3316 Request for Quotation.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Request for Quotation.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Request for Quotation.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2892 MicrosoftEdgeUpdate.exe 2892 MicrosoftEdgeUpdate.exe 2892 MicrosoftEdgeUpdate.exe 2892 MicrosoftEdgeUpdate.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 404 Request for Quotation.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2892 MicrosoftEdgeUpdate.exe Token: SeDebugPrivilege 3316 Request for Quotation.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 404 wrote to memory of 3316 404 Request for Quotation.exe 89 PID 404 wrote to memory of 3316 404 Request for Quotation.exe 89 PID 404 wrote to memory of 3316 404 Request for Quotation.exe 89 PID 404 wrote to memory of 3316 404 Request for Quotation.exe 89 -
outlook_office_path 1 IoCs
description ioc Process Key queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Request for Quotation.exe -
outlook_win_path 1 IoCs
description ioc Process Key queried \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Request for Quotation.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:404 -
C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3316
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2892
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
1Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD53f176d1ee13b0d7d6bd92e1c7a0b9bae
SHA1fe582246792774c2c9dd15639ffa0aca90d6fd0b
SHA256fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e
SHA5120a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6