Analysis
  max time kernel:  70s
  max time network: 71s
  platform:         windows7_x64
  resource:         win7
  submitted:        30-06-2020 14:33
Static task: static1

Behavioral task: behavioral1
  Sample:   RFQ.exe
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample:   RFQ.exe
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
  Target: RFQ.exe
  Size:   910KB
  MD5:    3b96b40684f1b7ae1d901e17cfe6bbca
  SHA1:   5ac9d18cdb4a218b17382f8afe157348ecb18f5e
  SHA256: de2955c99e6c58997641899e6534142f26de80368887da0c4fb501eb1b027308
  SHA512: 30755b94e4482703affcba7f442cea5198d27fc841d915182e994f867832a4e63a369d74cd9537fa910e3f52ad9152d5d547e68559f951d203f5b9fa9211447c
  Score:  1/10
Malware Config
Signatures

- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes:
    description                        pid   process   target process
    PID 1456 wrote to memory of 1852   1456  RFQ.exe   schtasks.exe
    PID 1456 wrote to memory of 1852   1456  RFQ.exe   schtasks.exe
    PID 1456 wrote to memory of 1852   1456  RFQ.exe   schtasks.exe
    PID 1456 wrote to memory of 1852   1456  RFQ.exe   schtasks.exe
    PID 1456 wrote to memory of 1624   1456  RFQ.exe   RFQ.exe
    PID 1456 wrote to memory of 1624   1456  RFQ.exe   RFQ.exe
    PID 1456 wrote to memory of 1624   1456  RFQ.exe   RFQ.exe
    PID 1456 wrote to memory of 1624   1456  RFQ.exe   RFQ.exe
    PID 1456 wrote to memory of 1636   1456  RFQ.exe   RFQ.exe
    PID 1456 wrote to memory of 1636   1456  RFQ.exe   RFQ.exe
    PID 1456 wrote to memory of 1636   1456  RFQ.exe   RFQ.exe
    PID 1456 wrote to memory of 1636   1456  RFQ.exe   RFQ.exe
    PID 1456 wrote to memory of 1552   1456  RFQ.exe   RFQ.exe
    PID 1456 wrote to memory of 1552   1456  RFQ.exe   RFQ.exe
    PID 1456 wrote to memory of 1552   1456  RFQ.exe   RFQ.exe
    PID 1456 wrote to memory of 1552   1456  RFQ.exe   RFQ.exe
    PID 1456 wrote to memory of 1528   1456  RFQ.exe   RFQ.exe
    PID 1456 wrote to memory of 1528   1456  RFQ.exe   RFQ.exe
    PID 1456 wrote to memory of 1528   1456  RFQ.exe   RFQ.exe
    PID 1456 wrote to memory of 1528   1456  RFQ.exe   RFQ.exe
    PID 1456 wrote to memory of 1524   1456  RFQ.exe   RFQ.exe
    PID 1456 wrote to memory of 1524   1456  RFQ.exe   RFQ.exe
    PID 1456 wrote to memory of 1524   1456  RFQ.exe   RFQ.exe
    PID 1456 wrote to memory of 1524   1456  RFQ.exe   RFQ.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1456  RFQ.exe

- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
    pid   process
    1456  RFQ.exe
    1456  RFQ.exe
    1456  RFQ.exe
    1456  RFQ.exe
    1456  RFQ.exe

- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes

1. C:\Users\Admin\AppData\Local\Temp\RFQ.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ.exe"
   - Suspicious use of WriteProcessMemory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious behavior: EnumeratesProcesses

   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\izXJLDXQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp163E.tmp"
      - Creates scheduled task(s)

   2. C:\Users\Admin\AppData\Local\Temp\RFQ.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ.exe"

   2. C:\Users\Admin\AppData\Local\Temp\RFQ.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ.exe"

   2. C:\Users\Admin\AppData\Local\Temp\RFQ.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ.exe"

   2. C:\Users\Admin\AppData\Local\Temp\RFQ.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ.exe"

   2. C:\Users\Admin\AppData\Local\Temp\RFQ.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ.exe"