91f4fdc2687907e6f6ff98c2302371175ba51abe8776c7f33e61a33e08b097a3

General

Target

RFQ-Felype Castro from Brazil.exe
Size

505KB
MD5

63aa1a0f5b295d759ec4b2a0823bdb8d
SHA1

f29ead5094b0354aad5e70f52e1a800cc5c8fb31
SHA256

91f4fdc2687907e6f6ff98c2302371175ba51abe8776c7f33e61a33e08b097a3
SHA512

2ea2c570d707f6699a806b4cf8283503192b899d2ef8f065cf532b56b3d3753c3a7c201b00987b94bda68fd2525e8cbfbadf10bf81b72798ad5ae97cb9fc68be

Score

7^/10

evasion trojan persistence spyware

Malware Config

Signatures

Suspicious use of SetThreadContext 3 IoCs

Processes:

RFQ-Felype Castro from Brazil.exeRFQ-Felype Castro from Brazil.exeipconfig.exe

description	pid	process	target process
PID 1296 set thread context of 1228	1296	RFQ-Felype Castro from Brazil.exe	RFQ-Felype Castro from Brazil.exe
PID 1228 set thread context of 1304	1228	RFQ-Felype Castro from Brazil.exe	Explorer.EXE
PID 1740 set thread context of 1304	1740	ipconfig.exe	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RFQ-Felype Castro from Brazil.exeipconfig.exe

pid	process
1228	RFQ-Felype Castro from Brazil.exe
1228	RFQ-Felype Castro from Brazil.exe
1228	RFQ-Felype Castro from Brazil.exe
1740	ipconfig.exe
1740	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

ipconfig.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-910373003-3952921535-3480519689-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	ipconfig.exe

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1304 Explorer.EXE
1304 Explorer.EXE
1304 Explorer.EXE
1304 Explorer.EXE
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Explorer.EXE

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Explorer.EXE
Drops file in Program Files directory 1 IoCs

Processes:

ipconfig.exe

description ioc process

File opened for modification C:\Program Files (x86)\Mulz\ThumbCache_bc00fwh.exe ipconfig.exe

pid	process
1304	Explorer.EXE
1304	Explorer.EXE
1304	Explorer.EXE
1304	Explorer.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Explorer.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\Mulz\ThumbCache_bc00fwh.exe	ipconfig.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

RFQ-Felype Castro from Brazil.exeExplorer.EXEipconfig.exe

description	pid	process	target process
PID 1296 wrote to memory of 1228	1296	RFQ-Felype Castro from Brazil.exe	RFQ-Felype Castro from Brazil.exe
PID 1296 wrote to memory of 1228	1296	RFQ-Felype Castro from Brazil.exe	RFQ-Felype Castro from Brazil.exe
PID 1296 wrote to memory of 1228	1296	RFQ-Felype Castro from Brazil.exe	RFQ-Felype Castro from Brazil.exe
PID 1296 wrote to memory of 1228	1296	RFQ-Felype Castro from Brazil.exe	RFQ-Felype Castro from Brazil.exe
PID 1296 wrote to memory of 1228	1296	RFQ-Felype Castro from Brazil.exe	RFQ-Felype Castro from Brazil.exe
PID 1296 wrote to memory of 1228	1296	RFQ-Felype Castro from Brazil.exe	RFQ-Felype Castro from Brazil.exe
PID 1296 wrote to memory of 1228	1296	RFQ-Felype Castro from Brazil.exe	RFQ-Felype Castro from Brazil.exe
PID 1304 wrote to memory of 1740	1304	Explorer.EXE	ipconfig.exe
PID 1304 wrote to memory of 1740	1304	Explorer.EXE	ipconfig.exe
PID 1304 wrote to memory of 1740	1304	Explorer.EXE	ipconfig.exe
PID 1304 wrote to memory of 1740	1304	Explorer.EXE	ipconfig.exe
PID 1740 wrote to memory of 1792	1740	ipconfig.exe	cmd.exe
PID 1740 wrote to memory of 1792	1740	ipconfig.exe	cmd.exe
PID 1740 wrote to memory of 1792	1740	ipconfig.exe	cmd.exe
PID 1740 wrote to memory of 1792	1740	ipconfig.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

RFQ-Felype Castro from Brazil.exeipconfig.exe

pid	process
1228	RFQ-Felype Castro from Brazil.exe
1228	RFQ-Felype Castro from Brazil.exe
1740	ipconfig.exe
1740	ipconfig.exe
1740	ipconfig.exe
1740	ipconfig.exe
1740	ipconfig.exe
1740	ipconfig.exe
1740	ipconfig.exe
1740	ipconfig.exe
1740	ipconfig.exe
1740	ipconfig.exe
1740	ipconfig.exe
1740	ipconfig.exe
1740	ipconfig.exe
1740	ipconfig.exe
1740	ipconfig.exe
1740	ipconfig.exe
1740	ipconfig.exe
1740	ipconfig.exe
1740	ipconfig.exe
1740	ipconfig.exe
1740	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RFQ-Felype Castro from Brazil.exeipconfig.exe

description pid process

Token: SeDebugPrivilege 1228 RFQ-Felype Castro from Brazil.exe
Token: SeDebugPrivilege 1740 ipconfig.exe
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

Explorer.EXE

pid process

1304 Explorer.EXE
1304 Explorer.EXE
1304 Explorer.EXE
1304 Explorer.EXE
1304 Explorer.EXE
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1792 cmd.exe

description	pid	process
Token: SeDebugPrivilege	1228	RFQ-Felype Castro from Brazil.exe
Token: SeDebugPrivilege	1740	ipconfig.exe

pid	process
1304	Explorer.EXE
1304	Explorer.EXE
1304	Explorer.EXE
1304	Explorer.EXE
1304	Explorer.EXE

pid	process
1792	cmd.exe

Adds Run entry to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ipconfig.exe

description	ioc	process
Key created	\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	ipconfig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LTXD9TK0WF5 = "C:\\Program Files (x86)\\Mulz\\ThumbCache_bc00fwh.exe"	ipconfig.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SendNotifyMessage
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- Suspicious use of FindShellTrayWindow
PID:1304

C:\Users\Admin\AppData\Local\Temp\RFQ-Felype Castro from Brazil.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ-Felype Castro from Brazil.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1296

C:\Users\Admin\AppData\Local\Temp\RFQ-Felype Castro from Brazil.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1228

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Modifies Internet Explorer settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Adds Run entry to start application
PID:1740

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\RFQ-Felype Castro from Brazil.exe"
3⤵
- Deletes itself
PID:1792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\50N8002E\50Nlogim.jpeg

Download Submit
C:\Users\Admin\AppData\Roaming\50N8002E\50Nlogri.ini

Download Submit
C:\Users\Admin\AppData\Roaming\50N8002E\50Nlogrv.ini

Download Submit
memory/1228-2-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1228-3-0x000000000041B680-mapping.dmp

Download
memory/1296-1-0x0000000000000000-0x0000000000000000-disk.dmp

Download
memory/1740-4-0x0000000000000000-mapping.dmp

Download
memory/1740-5-0x0000000000A10000-0x0000000000A1A000-memory.dmp

Filesize
40KB

Download
memory/1740-7-0x0000000000600000-0x00000000006C2000-memory.dmp

Filesize
776KB

Download
memory/1740-8-0x0000000076890000-0x000000007689C000-memory.dmp

Filesize
48KB

Download
memory/1740-9-0x0000000074E20000-0x0000000074F3D000-memory.dmp

Filesize
1.1MB

Download
memory/1792-6-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads