9eb46ce54466b221c7f56d3af4c22be517472189d7e907ead1b4c3fa4cfeb831

General

Target

RFQ.scr
Size

323KB
MD5

ea7a70eb4f75f34597cea8f569a39543
SHA1

e91593b1a0e7df15765b33250477f584f12d42c0
SHA256

9eb46ce54466b221c7f56d3af4c22be517472189d7e907ead1b4c3fa4cfeb831
SHA512

46efe034cdc453dd4bb6c6a00256e341943eae5d05f2d2ca3c445919114d5f3d1aa499f6d989c9c73ea0c78749916bd4a9f8909db88057d3a76d87bf77e09594

Score

8^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	1356	RFQ.scr
Token: SeDebugPrivilege	1384	winscreen.exe
Token: SeDebugPrivilege	1232	AddInProcess32.exe
Token: 33	1232	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	1232	AddInProcess32.exe
Token: 33	1232	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	1232	AddInProcess32.exe
Token: 33	1232	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	1232	AddInProcess32.exe
Token: 33	1232	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	1232	AddInProcess32.exe
Token: 33	1232	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	1232	AddInProcess32.exe
Token: 33	1232	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	1232	AddInProcess32.exe
Token: 33	1232	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	1232	AddInProcess32.exe
Token: 33	1232	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	1232	AddInProcess32.exe
Token: 33	1232	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	1232	AddInProcess32.exe
Token: 33	1232	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	1232	AddInProcess32.exe
Token: 33	1232	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	1232	AddInProcess32.exe
Token: 33	1232	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	1232	AddInProcess32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1356	RFQ.scr
1356	RFQ.scr
1356	RFQ.scr
1384	winscreen.exe
1384	winscreen.exe
1384	winscreen.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 324	1356	RFQ.scr	24
PID 1356 wrote to memory of 324	1356	RFQ.scr	24
PID 1356 wrote to memory of 324	1356	RFQ.scr	24
PID 1356 wrote to memory of 324	1356	RFQ.scr	24
PID 324 wrote to memory of 1616	324	cmd.exe	26
PID 324 wrote to memory of 1616	324	cmd.exe	26
PID 324 wrote to memory of 1616	324	cmd.exe	26
PID 324 wrote to memory of 1616	324	cmd.exe	26
PID 1356 wrote to memory of 1384	1356	RFQ.scr	27
PID 1356 wrote to memory of 1384	1356	RFQ.scr	27
PID 1356 wrote to memory of 1384	1356	RFQ.scr	27
PID 1356 wrote to memory of 1384	1356	RFQ.scr	27
PID 1384 wrote to memory of 1232	1384	winscreen.exe	30
PID 1384 wrote to memory of 1232	1384	winscreen.exe	30
PID 1384 wrote to memory of 1232	1384	winscreen.exe	30
PID 1384 wrote to memory of 1232	1384	winscreen.exe	30
PID 1384 wrote to memory of 1232	1384	winscreen.exe	30
PID 1384 wrote to memory of 1232	1384	winscreen.exe	30
PID 1384 wrote to memory of 1232	1384	winscreen.exe	30
PID 1384 wrote to memory of 1232	1384	winscreen.exe	30
PID 1384 wrote to memory of 1232	1384	winscreen.exe	30

Loads dropped DLL 2 IoCs

pid	Process
1356	RFQ.scr
1384	winscreen.exe

Executes dropped EXE 2 IoCs

pid	Process
1384	winscreen.exe
1232	AddInProcess32.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1384 set thread context of 1232	1384	winscreen.exe	30

Adds Run entry to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\winscreen = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\winscreen.exe"	reg.exe

C:\Users\Admin\AppData\Local\Temp\RFQ.scr
"C:\Users\Admin\AppData\Local\Temp\RFQ.scr" /S
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
PID:1356
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v winscreen /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\winscreen.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:324
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v winscreen /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\winscreen.exe"
    3⤵
    - Adds Run entry to start application
    PID:1616
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\winscreen.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\winscreen.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Loads dropped DLL
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1384
- - C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
    "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Executes dropped EXE
    PID:1232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1232-14-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1232-17-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1232-18-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing