Analysis
max time kernel:  131s
max time network: 27s
platform:         windows7_x64
resource:         win7v200430
submitted:        13-07-2020 11:19

Tasks
Static task:      static1
Behavioral task:  behavioral1  (Sample: urgent RFQ.exe, Resource: win7v200430)
Behavioral task:  behavioral2  (Sample: urgent RFQ.exe, Resource: win10)
General
Target: urgent RFQ.exe
Size:   947KB
MD5:    d7c96a638ddd3e123acef5e714e72c9b
SHA1:   4e0279affabf56d08f0a50d75659c92ac9585280
SHA256: 3d5aeffd916cfcb16b015b3c74992fe47870be047c7bbb82204204a3a22e2b1f
SHA512: f39a5ba23d888514376283089ed9775bca0e05ac4212abb6a7cd02d219e3bffa4c173d4ae437336adf755fd9d667066881a3cce8351b5f74e28890d0b857b598
Malware Config
Signatures

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    process          description               pid   process
    urgent RFQ.exe   Token: SeDebugPrivilege   904   urgent RFQ.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    process          description                     pid    process          target pid   target process
    urgent RFQ.exe   PID 1020 wrote to memory of 904  1020   urgent RFQ.exe   904          urgent RFQ.exe
    urgent RFQ.exe   PID 1020 wrote to memory of 904  1020   urgent RFQ.exe   904          urgent RFQ.exe
    urgent RFQ.exe   PID 1020 wrote to memory of 904  1020   urgent RFQ.exe   904          urgent RFQ.exe
    urgent RFQ.exe   PID 1020 wrote to memory of 904  1020   urgent RFQ.exe   904          urgent RFQ.exe

- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    process          pid
    urgent RFQ.exe   1020

- UPX packed file (3 IoCs)
  Detects executables packed with UPX/modified UPX open source packer.
  Processes:
    resource                                                                      yara_rule
    behavioral1/memory/904-0-0x0000000000400000-0x00000000004AD000-memory.dmp     upx
    behavioral1/memory/904-2-0x0000000000400000-0x00000000004AD000-memory.dmp     upx
    behavioral1/memory/904-3-0x0000000000400000-0x00000000004AD000-memory.dmp     upx

- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.

- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
    process          pid
    urgent RFQ.exe   1020
    urgent RFQ.exe   904
    urgent RFQ.exe   904

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    process          description                          pid    process          target pid   target process
    urgent RFQ.exe   PID 1020 set thread context of 904   1020   urgent RFQ.exe   904          urgent RFQ.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\urgent RFQ.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\urgent RFQ.exe"
   PID: 1020
   - Suspicious use of WriteProcessMemory
   - Suspicious behavior: MapViewOfSection
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetThreadContext

   2. C:\Users\Admin\AppData\Local\Temp\urgent RFQ.exe  (child of PID 1020)
      Command line: "C:\Users\Admin\AppData\Local\Temp\urgent RFQ.exe"
      PID: 904
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses