Analysis
-
max time kernel
144s -
max time network
149s -
platform
windows7_x64 -
resource
win7 -
submitted
07-07-2020 08:25
Static task
static1
Behavioral task
behavioral2
Sample
RFQ.exe
Resource
win10v200430
General
-
Target
RFQ.exe
-
Size
490KB
-
MD5
9449d066959e11c4280aa710ff4f1c39
-
SHA1
39e3577f65c77b6ba89df51a818be5ce8bebf877
-
SHA256
eb1f506f0927ee91a647c5522fff201da5e4ab2e4e4ddd7e89d77baec78a2b4d
-
SHA512
95a652277fc1da21aa36e01226f48eef3caf47f082418627a9dc1bbb1acf1b5893630eca7bda6b4a8a8bde02ba7e28f09ec0677aa832227ed4794f0524063649
Malware Config
Signatures
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
Processes:
RFQ.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools RFQ.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
RFQ.exeRFQ.exedescription pid process Token: SeDebugPrivilege 900 RFQ.exe Token: SeDebugPrivilege 1684 RFQ.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
RFQ.exeRFQ.exepid process 900 RFQ.exe 900 RFQ.exe 1684 RFQ.exe 1684 RFQ.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
RFQ.exedescription pid process target process PID 900 set thread context of 1684 900 RFQ.exe RFQ.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
RFQ.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion RFQ.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion RFQ.exe -
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
Processes:
RFQ.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions RFQ.exe -
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
RFQ.exedescription pid process target process PID 900 wrote to memory of 1080 900 RFQ.exe schtasks.exe PID 900 wrote to memory of 1080 900 RFQ.exe schtasks.exe PID 900 wrote to memory of 1080 900 RFQ.exe schtasks.exe PID 900 wrote to memory of 1080 900 RFQ.exe schtasks.exe PID 900 wrote to memory of 1536 900 RFQ.exe RFQ.exe PID 900 wrote to memory of 1536 900 RFQ.exe RFQ.exe PID 900 wrote to memory of 1536 900 RFQ.exe RFQ.exe PID 900 wrote to memory of 1536 900 RFQ.exe RFQ.exe PID 900 wrote to memory of 1524 900 RFQ.exe RFQ.exe PID 900 wrote to memory of 1524 900 RFQ.exe RFQ.exe PID 900 wrote to memory of 1524 900 RFQ.exe RFQ.exe PID 900 wrote to memory of 1524 900 RFQ.exe RFQ.exe PID 900 wrote to memory of 1684 900 RFQ.exe RFQ.exe PID 900 wrote to memory of 1684 900 RFQ.exe RFQ.exe PID 900 wrote to memory of 1684 900 RFQ.exe RFQ.exe PID 900 wrote to memory of 1684 900 RFQ.exe RFQ.exe PID 900 wrote to memory of 1684 900 RFQ.exe RFQ.exe PID 900 wrote to memory of 1684 900 RFQ.exe RFQ.exe PID 900 wrote to memory of 1684 900 RFQ.exe RFQ.exe PID 900 wrote to memory of 1684 900 RFQ.exe RFQ.exe PID 900 wrote to memory of 1684 900 RFQ.exe RFQ.exe -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
RFQ.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum RFQ.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 RFQ.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Processes
-
C:\Users\Admin\AppData\Local\Temp\RFQ.exe"C:\Users\Admin\AppData\Local\Temp\RFQ.exe"1⤵
- Looks for VMWare Tools registry key
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
- Checks BIOS information in registry
- Looks for VirtualBox Guest Additions in registry
- Suspicious use of WriteProcessMemory
- Maps connected drives based on registry
PID:900 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YSdANLhUxD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6C49.tmp"2⤵
- Creates scheduled task(s)
PID:1080 -
C:\Users\Admin\AppData\Local\Temp\RFQ.exe"C:\Users\Admin\AppData\Local\Temp\RFQ.exe"2⤵PID:1536
-
C:\Users\Admin\AppData\Local\Temp\RFQ.exe"C:\Users\Admin\AppData\Local\Temp\RFQ.exe"2⤵PID:1524
-
C:\Users\Admin\AppData\Local\Temp\RFQ.exe"C:\Users\Admin\AppData\Local\Temp\RFQ.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1684