Analysis

  • max time kernel
    146s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    10-07-2020 07:33

General

  • Target

    RFQ-Felype Castro from Brazil.exe

  • Size

    505KB

  • MD5

    63aa1a0f5b295d759ec4b2a0823bdb8d

  • SHA1

    f29ead5094b0354aad5e70f52e1a800cc5c8fb31

  • SHA256

    91f4fdc2687907e6f6ff98c2302371175ba51abe8776c7f33e61a33e08b097a3

  • SHA512

    2ea2c570d707f6699a806b4cf8283503192b899d2ef8f065cf532b56b3d3753c3a7c201b00987b94bda68fd2525e8cbfbadf10bf81b72798ad5ae97cb9fc68be

Malware Config

Signatures

  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Deletes itself 1 IoCs
  • Adds Run entry to start application 2 TTPs 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill form data.

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of SendNotifyMessage
    • Checks whether UAC is enabled
    • Suspicious use of WriteProcessMemory
    • Suspicious use of FindShellTrayWindow
    PID:1304
    • C:\Users\Admin\AppData\Local\Temp\RFQ-Felype Castro from Brazil.exe
      "C:\Users\Admin\AppData\Local\Temp\RFQ-Felype Castro from Brazil.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1296
      • C:\Users\Admin\AppData\Local\Temp\RFQ-Felype Castro from Brazil.exe
        "{path}"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1228
    • C:\Windows\SysWOW64\ipconfig.exe
      "C:\Windows\SysWOW64\ipconfig.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Modifies Internet Explorer settings
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Adds Run entry to start application
      PID:1740
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\RFQ-Felype Castro from Brazil.exe"
        3⤵
        • Deletes itself
        PID:1792
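
The tree above shows three behaviours worth encoding as detections: the sample spawning a copy of itself and using SetThreadContext plus WriteProcessMemory against it (the process-hollowing pattern), Explorer.EXE launching a SysWOW64 utility (ipconfig.exe) that carries the same injection indicators, and that utility's cmd.exe child deleting the original sample from a branch of the tree that is not under the sample itself. The script below is an added example, not part of the Triage report and not Triage code; the event records are constructed by hand from the process tree on this page, and the field names (pid, ppid, image, cmdline, apis) are an assumption rather than any sandbox's export format.

```python
"""Process-tree checks over constructed sandbox events modelled on the tree in this report."""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\RFQ-Felype Castro from Brazil.exe"

# Constructed records (field names assumed, not a real sandbox export).
# "apis" holds the behaviour tags the report attached to each process.
EVENTS = [
    dict(pid=1304, ppid=None, image=r"C:\Windows\Explorer.EXE",
         cmdline=r"C:\Windows\Explorer.EXE",
         apis={"SendNotifyMessage", "WriteProcessMemory", "FindShellTrayWindow"}),
    dict(pid=1296, ppid=1304, image=SAMPLE, cmdline=f'"{SAMPLE}"',
         apis={"SetThreadContext", "WriteProcessMemory"}),
    dict(pid=1228, ppid=1296, image=SAMPLE, cmdline='"{path}"',
         apis={"SetThreadContext", "MapViewOfSection", "EnumeratesProcesses",
               "AdjustPrivilegeToken"}),
    dict(pid=1740, ppid=1304, image=r"C:\Windows\SysWOW64\ipconfig.exe",
         cmdline=r'"C:\Windows\SysWOW64\ipconfig.exe"',
         apis={"SetThreadContext", "MapViewOfSection", "WriteProcessMemory",
               "EnumeratesProcesses", "AdjustPrivilegeToken"}),
    dict(pid=1792, ppid=1740, image=r"C:\Windows\SysWOW64\cmd.exe",
         cmdline=f'/c del "{SAMPLE}"', apis=set()),
]

INJECTION_APIS = {"SetThreadContext", "WriteProcessMemory"}
DEL_RE = re.compile(r'\bdel\s+"?([^"]+\.exe)"?', re.IGNORECASE)


def by_pid(events):
    return {e["pid"]: e for e in events}


def ancestors(pid, procs):
    """PIDs from the parent of `pid` up to the root of the tree."""
    chain = []
    p = procs.get(pid)
    while p and p["ppid"] in procs:
        p = procs[p["ppid"]]
        chain.append(p["pid"])
    return chain


def self_hollowing(events):
    """Parent spawns its own image and both writes memory and re-targets a thread in it."""
    procs = by_pid(events)
    hits = []
    for e in events:
        parent = procs.get(e["ppid"])
        if (parent and parent["image"].lower() == e["image"].lower()
                and INJECTION_APIS <= parent["apis"]):
            hits.append((parent["pid"], e["pid"]))
    return hits


def injected_system_utility(events):
    """Shell-spawned System32/SysWOW64 binary that itself shows SetThreadContext use."""
    procs = by_pid(events)
    hits = []
    for e in events:
        parent = procs.get(e["ppid"])
        img = e["image"].lower()
        in_sys = "\\windows\\system32\\" in img or "\\windows\\syswow64\\" in img
        if (parent and parent["image"].lower().endswith("\\explorer.exe")
                and in_sys and "SetThreadContext" in e["apis"]):
            hits.append(e["pid"])
    return hits


def cross_branch_self_delete(events):
    """`del` of an image that belongs to a process outside the deleter's ancestry."""
    procs = by_pid(events)
    hits = []
    for e in events:
        m = DEL_RE.search(e["cmdline"])
        if not m:
            continue
        target = m.group(1).lower()
        owners = [p["pid"] for p in events if p["image"].lower() == target]
        if owners and not any(o in ancestors(e["pid"], procs) for o in owners):
            hits.append((e["pid"], owners))
    return hits


if __name__ == "__main__":
    print("self-hollowing (parent, child):", self_hollowing(EVENTS))
    print("injected system utility:", injected_system_utility(EVENTS))
    print("cross-branch self-delete (deleter, owners):", cross_branch_self_delete(EVENTS))
```

Against the tree on this page the three checks return (1296, 1228), 1740 and (1792, [1296, 1228]) respectively. The last check is the one that separates this chain from an installer cleaning up after itself: the deletion is issued by cmd.exe under ipconfig.exe under Explorer.EXE, so nothing in the deleter's ancestry is the sample, which only makes sense if code from the sample is now running in a different process.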

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\50N8002E\50Nlogim.jpeg

  • C:\Users\Admin\AppData\Roaming\50N8002E\50Nlogri.ini

  • C:\Users\Admin\AppData\Roaming\50N8002E\50Nlogrv.ini

  • memory/1228-2-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1228-3-0x000000000041B680-mapping.dmp

  • memory/1296-1-0x0000000000000000-0x0000000000000000-disk.dmp

  • memory/1740-4-0x0000000000000000-mapping.dmp

  • memory/1740-5-0x0000000000A10000-0x0000000000A1A000-memory.dmp

    Filesize

    40KB

  • memory/1740-7-0x0000000000600000-0x00000000006C2000-memory.dmp

    Filesize

    776KB

  • memory/1740-8-0x0000000076890000-0x000000007689C000-memory.dmp

    Filesize

    48KB

  • memory/1740-9-0x0000000074E20000-0x0000000074F3D000-memory.dmp

    Filesize

    1.1MB

  • memory/1792-6-0x0000000000000000-mapping.dmp