Analysis
- max time kernel: 141s
- max time network: 42s
- platform: windows7_x64
- resource: win7v200430
- submitted: 24-06-2020 13:33

Static task: static1
Behavioral task: behavioral1
  Sample: RFQ_6000042792.PDF.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: RFQ_6000042792.PDF.exe
  Resource: win10

General
- Target: RFQ_6000042792.PDF.exe
- Size: 435KB
- MD5: e9204b04d38a5e0f5fcce7a195e88fe7
- SHA1: b0b84a3f8afac504d74f75af0d252d30ce7bacdf
- SHA256: 4988b00c252410f05a2bd1d8202739be301c54e4bbac08c4ddbb704a8d660e8d
- SHA512: 9297da618ff863439586b19f04a0ec66b9b5f8be08703a94d727145a326e494b57c4c2e169ae9bbec19e5ff4c17899e453ca4c0194c597960ac2c6dbfbc130de
Malware Config
Signatures
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk, where infostealers often target it.
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic .NET.
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes:
description                        pid  process                 target process          rows
PID 684 wrote to memory of 1732    684  RFQ_6000042792.PDF.exe  RFQ_6000042792.PDF.exe  4
PID 684 wrote to memory of 1832    684  RFQ_6000042792.PDF.exe  RFQ_6000042792.PDF.exe  4
PID 684 wrote to memory of 1824    684  RFQ_6000042792.PDF.exe  RFQ_6000042792.PDF.exe  4
PID 684 wrote to memory of 1836    684  RFQ_6000042792.PDF.exe  RFQ_6000042792.PDF.exe  4
PID 684 wrote to memory of 1776    684  RFQ_6000042792.PDF.exe  RFQ_6000042792.PDF.exe  9
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  684   RFQ_6000042792.PDF.exe
Token: SeDebugPrivilege  1776  RFQ_6000042792.PDF.exe
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
pid   process                 rows
684   RFQ_6000042792.PDF.exe  5
1776  RFQ_6000042792.PDF.exe  2
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                         pid  process                 target process
PID 684 set thread context of 1776  684  RFQ_6000042792.PDF.exe  RFQ_6000042792.PDF.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Processes
-
C:\Users\Admin\AppData\Local\Temp\RFQ_6000042792.PDF.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\RFQ_6000042792.PDF.exe"  (depth 1)
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetThreadContext
  -
  C:\Users\Admin\AppData\Local\Temp\RFQ_6000042792.PDF.exe
    command line: "{path}"  (depth 2)
  -
  C:\Users\Admin\AppData\Local\Temp\RFQ_6000042792.PDF.exe
    command line: "{path}"  (depth 2)
  -
  C:\Users\Admin\AppData\Local\Temp\RFQ_6000042792.PDF.exe
    command line: "{path}"  (depth 2)
  -
  C:\Users\Admin\AppData\Local\Temp\RFQ_6000042792.PDF.exe
    command line: "{path}"  (depth 2)
  -
  C:\Users\Admin\AppData\Local\Temp\RFQ_6000042792.PDF.exe
    command line: "{path}"  (depth 2)
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
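The signature tables record one parent (PID 684) writing into five children it spawned from its own image, then setting the thread context of exactly one of them (PID 1776), which is also the only child that acquires SeDebugPrivilege and enumerates processes; the process tree shows every child launched with the literal command line "{path}". The script below is an added example, not part of the sandbox report, that correlates rows of that shape into a per-target verdict and parses the memory-dump artifact names listed under Downloads. Its EVENTS and PROCESSES tables are constructed to mirror the rows above, and their tuple layout is this script's own, not the sandbox's export format.

```python
"""Correlate sandbox behaviour rows into an injection finding.

Added example, not part of the sandbox report. EVENTS and PROCESSES are
constructed to mirror the WriteProcessMemory, SetThreadContext and
SeDebugPrivilege rows and the process tree in the report; the tuple layout
is this script's own, not the sandbox's export format.
"""
import re
from collections import Counter

IMG_PATH = r"C:\Users\Admin\AppData\Local\Temp\RFQ_6000042792.PDF.exe"

# (event, source pid, target pid). Every row in the report names the same
# image for source and target, so the image is kept once per pid in PROCESSES.
EVENTS = [("WriteProcessMemory", 684, t) for t in (1732, 1832, 1824, 1836) for _ in range(4)]
EVENTS += [("WriteProcessMemory", 684, 1776)] * 9          # 16 + 9 = 25 IoCs
EVENTS += [("SetThreadContext", 684, 1776),
           ("SeDebugPrivilege", 684, 684),
           ("SeDebugPrivilege", 1776, 1776)]

# pid -> (parent pid, image path, command line), as shown in the process tree.
PROCESSES = {684: (None, IMG_PATH, f'"{IMG_PATH}"')}
for child in (1732, 1832, 1824, 1836, 1776):
    PROCESSES[child] = (684, IMG_PATH, '"{path}"')

DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp")


def parse_dump_name(name):
    """Pull pid and address range out of a 'memory/<pid>-<n>-<start>-<end>-memory.dmp' name."""
    m = DUMP_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"not a region dump name: {name!r}")
    pid, start, end = int(m[1]), int(m[2], 16), int(m[3], 16)
    return {"pid": pid, "start": start, "end": end, "size_kb": (end - start) // 1024}


def correlate(events, processes):
    """Group events per (source, target) pair and label each pair.

    hollowed     : source spawned the target from its own image, wrote into it
                   and set its thread context (the RunPE / hollowing sequence)
    injected     : writes plus SetThreadContext into a process it did not spawn
    written-only : memory written but no thread context set; staging or an
                   abandoned attempt, not execution
    """
    writes, ctx, debug = Counter(), set(), set()
    for ev, src, dst in events:
        if ev == "WriteProcessMemory":
            writes[(src, dst)] += 1
        elif ev == "SetThreadContext":
            ctx.add((src, dst))
        elif ev == "SeDebugPrivilege":
            debug.add(src)

    findings = []
    for (src, dst), n in sorted(writes.items()):
        ppid, img, cmdline = processes[dst]
        self_spawned = ppid == src and img == processes[src][1]
        if (src, dst) in ctx:
            verdict = "hollowed" if self_spawned else "injected"
        else:
            verdict = "written-only"
        findings.append({
            "source": src,
            "target": dst,
            "writes": n,
            "self_spawned": self_spawned,
            # A command line that is literally the token "{path}" is a template
            # placeholder rather than a file path; flag it on its own.
            "placeholder_cmdline": cmdline.strip('"') == "{path}",
            "debug_priv_in_target": dst in debug,
            "verdict": verdict,
        })
    return findings


def hollowed_targets(findings):
    """PIDs whose image was overwritten and redirected by their own parent."""
    return [f["target"] for f in findings if f["verdict"] == "hollowed"]


if __name__ == "__main__":
    results = correlate(EVENTS, PROCESSES)
    for f in results:
        print(f)
    print("hollowed:", hollowed_targets(results))
    print(parse_dump_name("memory/1776-0-0x0000000000400000-0x000000000044C000-memory.dmp"))
```

Run against the mirrored rows, only PID 1776 comes out as "hollowed"; the other four children were written to four times each and never had a thread context set, which is why they carry no signatures in the process tree. The dump names under Downloads parse to the 0x400000-0x44C000 region of PID 1776, 304 KB, matching the Filesize the report gives for each of those dumps.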
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1776-0-0x0000000000400000-0x000000000044C000-memory.dmp  (Filesize 304KB)
- memory/1776-1-0x00000000004472DE-mapping.dmp
- memory/1776-2-0x0000000000400000-0x000000000044C000-memory.dmp  (Filesize 304KB)
- memory/1776-3-0x0000000000400000-0x000000000044C000-memory.dmp  (Filesize 304KB)