Windows Analysis Report QUOTATION_doc.exe

ID:	510346
Product:	CloudBasic
Start time:	18:13:44
Start date:	27.10.2021
Sample:	QUOTATION_doc.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	7c0902852cf17ae5d05ea35d770dcc93
SHA1:	bd57aad081ce20140b226b878091164eaf777e11
SHA256:	a67796ab32ba225ab871923548c5b98147a848edeffb72089724d6131d20dc0c
Filetype:	Win32 Executable (generic) a (10002005/4) 99.24%

Name	Type	MD5	SHA1	SHA256
C:\Users\Public\Libraries\Huptze\Huptze.exe	PE32 executable (GUI) Intel 80386, for MS Windows	7C0902852CF17AE5D05EA35D770DCC93	BD57AAD081CE20140B226B878091164EAF777E11	A67796AB32BA225AB871923548C5B98147A848EDEFFB72089724D6131D20DC0C
C:\Users\Public\Libraries\eztpuH.url	MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\\\Huptze\\Huptze.exe">), ASCII text, with CRLF line terminators	E40C5506522187D4ADA803A75985B159	137895C9759726F7E7B37C6A3952EC71FFC33C6D	21054BD6BFAB6DC1145970A05F28A548EC5522755E7377C2882B674E67FC1B96
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\Huptzeullazkbrfuqvqdlxbsjktmnwu[1]	data	5706CCC115E3F3B69F2DD33634F1A4EC	6B6F6108126B94F84350C961DC6EC1511640EB41	C3F351E325FD7103DD8A32D2FC8460075B3A99A7818F05CFC5B3EB86C6DEA97C

AV Detection:

Found malware configuration

Source: 00000010.00000000.523957704.0000000072480000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.septemberstockevent200.com/ht08/"], "decoy": ["joye.club", "istanbulemlakgalerisi.online", "annikadaniel.love", "oooci.com", "curebase-test.com", "swisstradecenter.com", "hacticum.com", "centercodebase.com", "recbi56ni.com", "mmj0115.xyz", "sharpstead.com", "sprklbeauty.com", "progettogenesi.cloud", "dolinum.com", "amaroqadvisors.com", "traininig.com", "leewaysvcs.com", "nashhomesearch.com", "joy1263.com", "serkanyamac.com", "nursingprogramsforme.com", "huakf.com", "1w3.online", "watermountsteam.top", "tyralruutan.quest", "mattlambert.xyz", "xn--fiqs8sypgfujbl4a.xn--czru2d", "hfgoal.com", "587868.net", "noyoucantridemyonewheel.com", "riewesell.top", "expn.asia", "suplementarsas.com", "item154655544.com", "cdgdentists.com", "deboraverdian.com", "franquiciasexclusivas.tienda", "tminus-10.com", "psychoterapeuta-wroclaw.com", "coachingbywatson.com", "lknitti.net", "belenpison.agency", "facilitetec.com", "99077000.com", "thefitmog.com", "kinmanpowerwashing.com", "escueladelbuenamor.com", "getjoyce.net", "oilelm.com", "maikoufarm.com", "hespresso.net", "timothyschmallrealt.com", "knoxvilleraingutters.com", "roonkingagency.online", "trashwasher.com", "angyfoods.com", "yungbredda.com", "digipoint-entertainment.com", "shangduli.space", "kalaraskincare.com", "ktnsound.xyz", "miabellavita.com", "thenlpmentor.com", "marzhukov.com"]}

Multi AV Scanner detection for submitted file

Source: QUOTATION_doc.exe	Virustotal: Detection: 29%			Perma Link
Source: QUOTATION_doc.exe	ReversingLabs: Detection: 29%

Yara detected FormBook

Source: Yara match	File source: 00000010.00000000.523957704.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.523481465.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.598500416.0000000007B56000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.524496982.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.522931849.0000000072480000.00000040.00000001.sdmp, type: MEMORY

Multi AV Scanner detection for domain / URL

Source: www.septemberstockevent200.com/ht08/

Virustotal: Detection: 7%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Libraries\Huptze\Huptze.exe	Virustotal: Detection: 29%			Perma Link
Source: C:\Users\Public\Libraries\Huptze\Huptze.exe	ReversingLabs: Detection: 29%

Antivirus or Machine Learning detection for unpacked file

Source: 16.0.mobsync.exe.72480000.2.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 16.0.mobsync.exe.72480000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 16.0.mobsync.exe.72480000.3.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 16.0.mobsync.exe.72480000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files

Source: QUOTATION_doc.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.septemberstockevent200.com/ht08/

URLs found in memory or binary data

Source: explorer.exe, 00000011.00000000.560901848.000000000095C000.00000004.00000020.sdmp

String found in binary or memory: http://www.autoitscript.com/autoit3/J

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: onedrive.live.com

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 00000010.00000000.523957704.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.523481465.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.598500416.0000000007B56000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.524496982.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.522931849.0000000072480000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000010.00000000.523957704.0000000072480000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000000.523957704.0000000072480000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000000.523481465.0000000072480000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000000.523481465.0000000072480000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000000.598500416.0000000007B56000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000000.598500416.0000000007B56000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000000.524496982.0000000072480000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000000.524496982.0000000072480000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000000.522931849.0000000072480000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000000.522931849.0000000072480000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Initial sample is a PE file and has a suspicious name

Source: initial sample	Static PE information: Filename: QUOTATION_doc.exe
Source: initial sample	Static PE information: Filename: QUOTATION_doc.exe

Uses 32bit PE files

Source: QUOTATION_doc.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI

Yara signature match

Source: 00000011.00000000.624299247.000000000D4FD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000010.00000000.523957704.0000000072480000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000000.523957704.0000000072480000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000000.523481465.0000000072480000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000000.523481465.0000000072480000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000000.598500416.0000000007B56000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000000.598500416.0000000007B56000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000000.524496982.0000000072480000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000000.524496982.0000000072480000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000000.624322018.000000000D502000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000011.00000000.550371526.000000000D4FD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000010.00000000.522931849.0000000072480000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000000.522931849.0000000072480000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\Public\Libraries\eztpuH.url, type: DROPPED	Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\QUOTATION_doc.exe	Code function: String function: 022F837C appears 90 times
Source: C:\Users\Public\Libraries\Huptze\Huptze.exe	Code function: String function: 0274A6A0 appears 96 times
Source: C:\Users\Public\Libraries\Huptze\Huptze.exe	Code function: String function: 0274837C appears 104 times
Source: C:\Users\Public\Libraries\Huptze\Huptze.exe	Code function: String function: 021FD424 appears 90 times
Source: C:\Users\Public\Libraries\Huptze\Huptze.exe	Code function: String function: 0274D424 appears 72 times
Source: C:\Users\Public\Libraries\Huptze\Huptze.exe	Code function: String function: 021F837C appears 120 times

PE file contains strange resources

Source: QUOTATION_doc.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Huptze.exe.0.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\user\Desktop\QUOTATION_doc.exe	Memory allocated: 72480000 page execute and read and write			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_doc.exe	Memory allocated: 72480000 page execute and read and write			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_doc.exe	Memory allocated: 72480000 page no access			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_doc.exe	Memory allocated: 72480000 page read and write			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_doc.exe	Memory allocated: 72481000 page read and write			Jump to behavior

Sample is known by Antivirus

Source: QUOTATION_doc.exe	Virustotal: Detection: 29%
Source: QUOTATION_doc.exe	ReversingLabs: Detection: 29%

Sample reads its own file content

Source: C:\Users\user\Desktop\QUOTATION_doc.exe

File read: C:\Users\user\Desktop\QUOTATION_doc.exe

Jump to behavior

Reads software policies

Source: C:\Users\user\Desktop\QUOTATION_doc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Spawns processes

Source: unknown	Process created: C:\Users\user\Desktop\QUOTATION_doc.exe 'C:\Users\user\Desktop\QUOTATION_doc.exe'
Source: C:\Users\user\Desktop\QUOTATION_doc.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\QUOTATION_doc.exe	Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\Public\Libraries\Huptze\Huptze.exe 'C:\Users\Public\Libraries\Huptze\Huptze.exe'
Source: C:\Windows\explorer.exe	Process created: C:\Users\Public\Libraries\Huptze\Huptze.exe 'C:\Users\Public\Libraries\Huptze\Huptze.exe'
Source: C:\Users\user\Desktop\QUOTATION_doc.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p			Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\Public\Libraries\Huptze\Huptze.exe 'C:\Users\Public\Libraries\Huptze\Huptze.exe'			Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\Public\Libraries\Huptze\Huptze.exe 'C:\Users\Public\Libraries\Huptze\Huptze.exe'			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Users\user\Desktop\QUOTATION_doc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Creates files inside the user directory

Source: C:\Users\user\Desktop\QUOTATION_doc.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\Huptzeullazkbrfuqvqdlxbsjktmnwu[1]

Jump to behavior

Classification label

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/3@4/0

Reads ini files

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Parts of this applications are using Borland Delphi (Probably coded in Delphi)

Source: C:\Users\user\Desktop\QUOTATION_doc.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_doc.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_doc.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\Public\Libraries\Huptze\Huptze.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\Public\Libraries\Huptze\Huptze.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Found detection on Joe Sandbox Cloud Basic with higher score

Source: QUOTATION_doc.exe

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Reads the hosts file

Source: C:\Users\user\Desktop\QUOTATION_doc.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_doc.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_doc.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Submission file is bigger than most known malware samples

Source: QUOTATION_doc.exe

Static file information: File size 1052672 > 1048576

Data Obfuscation:

Yara detected DBatLoader

Source: Yara match	File source: 00000015.00000002.631255655.00000000021A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.632108057.00000000026F0000.00000004.00000001.sdmp, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\QUOTATION_doc.exe	Code function: 0_3_022FA58E push eax; ret		0_3_022FA5C0
Source: C:\Users\user\Desktop\QUOTATION_doc.exe	Code function: 0_3_022FA58E push eax; ret		0_3_022FA5C0
Source: C:\Users\user\Desktop\QUOTATION_doc.exe	Code function: 0_3_022FA58E push eax; ret		0_3_022FA5C0
Source: C:\Users\user\Desktop\QUOTATION_doc.exe	Code function: 0_3_022FA58E push eax; ret		0_3_022FA5C0
Source: C:\Users\user\Desktop\QUOTATION_doc.exe	Code function: 0_3_022FA58E push eax; ret		0_3_022FA5C0
Source: C:\Users\user\Desktop\QUOTATION_doc.exe	Code function: 0_3_022FA58E push eax; ret		0_3_022FA5C0
Source: C:\Users\user\Desktop\QUOTATION_doc.exe	Code function: 0_3_022FA58E push eax; ret		0_3_022FA5C0
Source: C:\Users\user\Desktop\QUOTATION_doc.exe	Code function: 0_3_022FA58E push eax; ret		0_3_022FA5C0
Source: C:\Users\user\Desktop\QUOTATION_doc.exe	Code function: 0_3_022FA58E push eax; ret		0_3_022FA5C0
Source: C:\Users\user\Desktop\QUOTATION_doc.exe	Code function: 0_3_022FA58E push eax; ret		0_3_022FA5C0
Source: C:\Users\user\Desktop\QUOTATION_doc.exe	Code function: 0_3_022FA58E push eax; ret		0_3_022FA5C0
Source: C:\Users\user\Desktop\QUOTATION_doc.exe	Code function: 0_3_022FA58E push eax; ret		0_3_022FA5C0
Source: C:\Users\user\Desktop\QUOTATION_doc.exe	Code function: 0_3_022FA584 push eax; ret		0_3_022FA5C0
Source: C:\Users\user\Desktop\QUOTATION_doc.exe	Code function: 0_3_022FA584 push eax; ret		0_3_022FA5C0
Source: C:\Users\user\Desktop\QUOTATION_doc.exe	Code function: 0_3_022FA584 push eax; ret		0_3_022FA5C0
Source: C:\Users\user\Desktop\QUOTATION_doc.exe	Code function: 0_3_022FA584 push eax; ret		0_3_022FA5C0
Source: C:\Users\user\Desktop\QUOTATION_doc.exe	Code function: 0_3_022FA584 push eax; ret		0_3_022FA5C0
Source: C:\Users\user\Desktop\QUOTATION_doc.exe	Code function: 0_3_022FA584 push eax; ret		0_3_022FA5C0
Source: C:\Users\user\Desktop\QUOTATION_doc.exe	Code function: 0_3_022FA584 push eax; ret		0_3_022FA5C0
Source: C:\Users\user\Desktop\QUOTATION_doc.exe	Code function: 0_3_022FA584 push eax; ret		0_3_022FA5C0
Source: C:\Users\user\Desktop\QUOTATION_doc.exe	Code function: 0_3_022FA584 push eax; ret		0_3_022FA5C0
Source: C:\Users\user\Desktop\QUOTATION_doc.exe	Code function: 0_3_022FA584 push eax; ret		0_3_022FA5C0
Source: C:\Users\user\Desktop\QUOTATION_doc.exe	Code function: 0_3_022FA584 push eax; ret		0_3_022FA5C0
Source: C:\Users\user\Desktop\QUOTATION_doc.exe	Code function: 0_3_022FA584 push eax; ret		0_3_022FA5C0

Persistence and Installation Behavior:

Drops PE files

Source: C:\Users\user\Desktop\QUOTATION_doc.exe

File created: C:\Users\Public\Libraries\Huptze\Huptze.exe

Jump to dropped file

Boot Survival:

Creates an autostart registry key

Source: C:\Users\user\Desktop\QUOTATION_doc.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Huptze			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_doc.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Huptze			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\QUOTATION_doc.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Disables application error messsages (SetErrorMode)

Source: C:\Users\user\Desktop\QUOTATION_doc.exe	Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\Libraries\Huptze\Huptze.exe	Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\Libraries\Huptze\Huptze.exe	Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\SysWOW64\mobsync.exe	RDTSC instruction interceptor: First address: 0000000072488604 second address: 000000007248860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mobsync.exe	RDTSC instruction interceptor: First address: 000000007248899E second address: 00000000724889A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Queries a list of all running processes

Source: C:\Windows\SysWOW64\mobsync.exe

Process information queried: ProcessInformation

Jump to behavior

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: explorer.exe, 00000011.00000000.546571356.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000011.00000000.601959319.00000000083E9000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000011.00000000.584670896.00000000062E0000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000011.00000000.586385186.0000000006414000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000011.00000000.601959319.00000000083E9000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000011.00000000.586385186.0000000006414000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000011.00000000.600240165.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000011.00000000.549013567.0000000008678000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}1SPS0
Source: explorer.exe, 00000011.00000000.600240165.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000011.00000000.546571356.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: Huptze.exe, 00000015.00000002.630029726.0000000000808000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: explorer.exe, 00000011.00000000.560901848.000000000095C000.00000004.00000020.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G

Anti Debugging:

Enables debug privileges

Source: C:\Windows\SysWOW64\mobsync.exe

Process token adjusted: Debug

Jump to behavior

Checks if the current process is being debugged

Source: C:\Windows\SysWOW64\mobsync.exe

Process queried: DebugPort

Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\QUOTATION_doc.exe

Code function: 0_3_022F9EE0 LdrInitializeThunk,

0_3_022F9EE0

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process

Source: C:\Windows\SysWOW64\mobsync.exe

Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\QUOTATION_doc.exe	Memory written: C:\Windows\System32\svchost.exe base: 72480000			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_doc.exe	Memory written: C:\Windows\System32\svchost.exe base: 2440000			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_doc.exe	Memory written: C:\Windows\System32\svchost.exe base: 2450000			Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\QUOTATION_doc.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 72480000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_doc.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2440000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_doc.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2450000 protect: page execute and read and write			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\QUOTATION_doc.exe

Memory written: C:\Windows\System32\svchost.exe base: 72480000 value starts with: 4D5A

Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\QUOTATION_doc.exe

Thread created: C:\Windows\System32\svchost.exe EIP: 2450000

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\QUOTATION_doc.exe

Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p

Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: explorer.exe, 00000011.00000002.642961549.0000000000EE0000.00000002.00020000.sdmp, Huptze.exe, 00000014.00000002.631158026.0000000000E70000.00000002.00020000.sdmp, Huptze.exe, 00000015.00000002.630849928.0000000000D90000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000011.00000000.560363495.00000000008B8000.00000004.00000020.sdmp, Huptze.exe, 00000014.00000002.631158026.0000000000E70000.00000002.00020000.sdmp, Huptze.exe, 00000015.00000002.630849928.0000000000D90000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000011.00000002.642961549.0000000000EE0000.00000002.00020000.sdmp, Huptze.exe, 00000014.00000002.631158026.0000000000E70000.00000002.00020000.sdmp, Huptze.exe, 00000015.00000002.630849928.0000000000D90000.00000002.00020000.sdmp	Binary or memory string: &Program Manager
Source: explorer.exe, 00000011.00000002.642961549.0000000000EE0000.00000002.00020000.sdmp, Huptze.exe, 00000014.00000002.631158026.0000000000E70000.00000002.00020000.sdmp, Huptze.exe, 00000015.00000002.630849928.0000000000D90000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Stealing of Sensitive Information:

Yara detected FormBook

Source: Yara match	File source: 00000010.00000000.523957704.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.523481465.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.598500416.0000000007B56000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.524496982.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.522931849.0000000072480000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Source: Yara match	File source: 00000010.00000000.523957704.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.523481465.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.598500416.0000000007B56000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.524496982.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.522931849.0000000072480000.00000040.00000001.sdmp, type: MEMORY