Analysis
max time kernel: 149s
max time network: 116s
platform: windows7_x64
resource: win7
submitted: 13-07-2020 06:20

Static task: static1

Behavioral task: behavioral1
Sample: Pfz2O0m5k-july2020-RFQ.exe
Resource: win7
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: Pfz2O0m5k-july2020-RFQ.exe
Resource: win10v200430
0 signatures, 0 seconds
General
Target: Pfz2O0m5k-july2020-RFQ.exe
Size: 395KB
MD5: b6076c3f3c090e88a79b3ab2398cb2a5
SHA1: a88f5b2d7f7c9c9c1f015ed7c659656fa752df02
SHA256: 1520c196804649d5a465a2003046210148f70d50e926366300214cea9ef15719
SHA512: 195b4e1ee8a7239d5d46cda19b43f17175ce1d7c25889d0a7152d4501c37f917baee8c9c27c91585eed139b42320d1fe0e5999166d47166fb01ae37025267a5b
Malware Config
Signatures
-
Suspicious behavior: MapViewOfSection (6 IoCs)
  pid   process                      events
  1040  Pfz2O0m5k-july2020-RFQ.exe   4
  1504  systray.exe                  2

Suspicious use of SendNotifyMessage (4 IoCs)
  pid   process       events
  1276  Explorer.EXE  4

Suspicious use of WriteProcessMemory (15 IoCs)
  pid   process                      wrote to memory of   target process               events
  1584  Pfz2O0m5k-july2020-RFQ.exe   1040                 Pfz2O0m5k-july2020-RFQ.exe   7
  1276  Explorer.EXE                 1504                 systray.exe                  4
  1504  systray.exe                  1368                 cmd.exe                      4

Suspicious behavior: EnumeratesProcesses (24 IoCs)
  pid   process                      events
  1040  Pfz2O0m5k-july2020-RFQ.exe   3
  1504  systray.exe                  21

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  pid   process                      token
  1040  Pfz2O0m5k-july2020-RFQ.exe   SeDebugPrivilege
  1504  systray.exe                  SeDebugPrivilege

Checks whether UAC is enabled (1 IoCs)
  process       description        ioc
  Explorer.EXE  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Suspicious use of SetThreadContext (4 IoCs)
  pid   process                      set thread context of   target process               events
  1584  Pfz2O0m5k-july2020-RFQ.exe   1040                    Pfz2O0m5k-july2020-RFQ.exe   1
  1040  Pfz2O0m5k-july2020-RFQ.exe   1276                    Explorer.EXE                 2
  1504  systray.exe                  1276                    Explorer.EXE                 1

Deletes itself (1 IoCs)
  pid   process
  1368  cmd.exe

Suspicious use of FindShellTrayWindow (5 IoCs)
  pid   process       events
  1276  Explorer.EXE  5
Processes
(depth in brackets; PIDs taken from the signature tables above)

[1] C:\Windows\Explorer.EXE  (PID 1276)
    command line: C:\Windows\Explorer.EXE
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - Checks whether UAC is enabled
    - Suspicious use of FindShellTrayWindow

  [2] C:\Users\Admin\AppData\Local\Temp\Pfz2O0m5k-july2020-RFQ.exe  (PID 1584)
      command line: "C:\Users\Admin\AppData\Local\Temp\Pfz2O0m5k-july2020-RFQ.exe"
      - Suspicious use of WriteProcessMemory
      - Suspicious use of SetThreadContext

    [3] C:\Users\Admin\AppData\Local\Temp\Pfz2O0m5k-july2020-RFQ.exe  (PID 1040)
        command line: "{path}"
        - Suspicious behavior: MapViewOfSection
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetThreadContext

  [2] C:\Windows\SysWOW64\systray.exe  (PID 1504)
      command line: "C:\Windows\SysWOW64\systray.exe"
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetThreadContext

    [3] C:\Windows\SysWOW64\cmd.exe  (PID 1368)
        command line: /c del "C:\Users\Admin\AppData\Local\Temp\Pfz2O0m5k-july2020-RFQ.exe"
        - Deletes itself
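Read together, the signature tables and the process tree describe one chain: PID 1584 writes into a second copy of itself (1040) and then sets its thread context, 1040 sets the thread context of Explorer.EXE (1276), Explorer writes into a freshly started systray.exe (1504), systray.exe sets Explorer's thread context again and writes into cmd.exe (1368), and cmd.exe deletes the original sample file. The Python script below is an editor-added example and is not part of the sandbox report or of the sample; it re-derives that chain from a hand transcription of the WriteProcessMemory and SetThreadContext rows and the process-tree command lines above (duplicate per-call rows collapsed to one entry), and flags the hollowing shape, the injection into Explorer.EXE and the self-delete. The labelling rules are the example's own heuristics, not the sandbox's signatures.

```python
"""Rebuild the injection chain from the sandbox rows above.

Editor-added example, not part of the sandbox report or the sample.
EVENTS and PROCESSES are a hand transcription of the WriteProcessMemory /
SetThreadContext rows and the process tree (duplicate per-call rows are
collapsed to one entry); the classification rules are this example's own.
"""
import re
from collections import defaultdict

# (api, source pid, source image, target pid, target image), transcribed from the report
EVENTS = [
    ("WriteProcessMemory", 1584, "Pfz2O0m5k-july2020-RFQ.exe", 1040, "Pfz2O0m5k-july2020-RFQ.exe"),
    ("SetThreadContext",   1584, "Pfz2O0m5k-july2020-RFQ.exe", 1040, "Pfz2O0m5k-july2020-RFQ.exe"),
    ("SetThreadContext",   1040, "Pfz2O0m5k-july2020-RFQ.exe", 1276, "Explorer.EXE"),
    ("WriteProcessMemory", 1276, "Explorer.EXE",                1504, "systray.exe"),
    ("SetThreadContext",   1504, "systray.exe",                 1276, "Explorer.EXE"),
    ("WriteProcessMemory", 1504, "systray.exe",                 1368, "cmd.exe"),
]

# (pid, image, command line), transcribed from the process tree
PROCESSES = [
    (1276, "Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    (1584, "Pfz2O0m5k-july2020-RFQ.exe", r'"C:\Users\Admin\AppData\Local\Temp\Pfz2O0m5k-july2020-RFQ.exe"'),
    (1040, "Pfz2O0m5k-july2020-RFQ.exe", '"{path}"'),
    (1504, "systray.exe", r'"C:\Windows\SysWOW64\systray.exe"'),
    (1368, "cmd.exe", r'/c del "C:\Users\Admin\AppData\Local\Temp\Pfz2O0m5k-july2020-RFQ.exe"'),
]


def injection_edges(events):
    """One edge per (source pid, target pid) with the set of APIs used on it."""
    edges = defaultdict(set)
    images = {}
    for api, spid, simg, dpid, dimg in events:
        edges[(spid, dpid)].add(api)
        images[spid] = simg
        images[dpid] = dimg
    return dict(edges), images


def classify_edges(events):
    """Label each edge. Rules are the example's own heuristics, not sandbox signatures."""
    edges, images = injection_edges(events)
    findings = {}
    for (spid, dpid), apis in edges.items():
        simg, dimg = images[spid].lower(), images[dpid].lower()
        if simg == dimg and {"WriteProcessMemory", "SetThreadContext"} <= apis:
            # Writes into a child that runs its own image, then redirects a thread:
            # the classic process-hollowing shape.
            findings[(spid, dpid)] = "hollowing of a child copy of itself"
        elif "SetThreadContext" in apis and dimg == "explorer.exe":
            findings[(spid, dpid)] = "thread-context injection into Explorer.EXE"
        elif "WriteProcessMemory" in apis and simg == "explorer.exe":
            findings[(spid, dpid)] = "Explorer.EXE writes into a new child"
        elif "WriteProcessMemory" in apis:
            findings[(spid, dpid)] = "write into another process"
    return findings


def injection_chain(events, root_pid):
    """Breadth-first walk over injection edges from root_pid; each pid listed once."""
    edges, _ = injection_edges(events)
    order, queue = [], [root_pid]
    while queue:
        pid = queue.pop(0)
        if pid in order:
            continue
        order.append(pid)
        for src, dst in sorted(edges):
            if src == pid and dst not in order:
                queue.append(dst)
    return order


def self_delete_targets(processes):
    """cmd.exe 'del' command lines whose target file name matches a process image on the tree."""
    images = {pid: img.lower() for pid, img, _ in processes}
    hits = []
    for pid, img, cmdline in processes:
        if img.lower() != "cmd.exe":
            continue
        m = re.search(r'\bdel\s+"?([^"]+?)"?\s*$', cmdline, re.IGNORECASE)
        if not m:
            continue
        path = m.group(1)
        base = path.rsplit("\\", 1)[-1].lower()
        victims = sorted(p for p, i in images.items() if i == base)
        if victims:
            hits.append((pid, path, victims))
    return hits


if __name__ == "__main__":
    for edge, label in sorted(classify_edges(EVENTS).items()):
        print(f"{edge[0]} -> {edge[1]}: {label}")
    print("chain from 1584:", " -> ".join(map(str, injection_chain(EVENTS, 1584))))
    for pid, path, victims in self_delete_targets(PROCESSES):
        print(f"cmd.exe {pid} deletes {path} (image of PIDs {victims})")
```

The same functions apply unchanged to any sandbox run whose injection rows are transcribed into the EVENTS shape; the only report-specific data is the two constant lists at the top.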
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  file                                                             size
  memory/1040-2-0x0000000000400000-0x000000000042A000-memory.dmp   168KB
  memory/1040-3-0x000000000041B680-mapping.dmp
  memory/1276-4-0x0000000004130000-0x0000000004200000-memory.dmp   832KB
  memory/1368-7-0x0000000000000000-mapping.dmp
  memory/1504-5-0x0000000000000000-mapping.dmp
  memory/1504-6-0x00000000005A0000-0x00000000005A5000-memory.dmp   20KB
  memory/1504-8-0x0000000001EC0000-0x0000000001F99000-memory.dmp   868KB
  memory/1584-1-0x0000000000000000-0x0000000000000000-disk.dmp