Overview

overview

7

Static

static

RFQ 096300.exe

windows7_x64

7

RFQ 096300.exe

windows10_x64

5

Analysis

  • max time kernel
    151s
  • max time network
    22s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    13-07-2020 07:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RFQ 096300.exe

  • Size

    368KB

  • MD5

    802c413ef3a40b505e5b8e2e0fc7bada

  • SHA1

    02f663db266a9151430cc3433b1497b170971769

  • SHA256

    7f4d53805b50624cb5e92857423661c3aef89e24c4ca63e79fdf62cbe2cb694c

  • SHA512

    d9e76abb4840e9d9f253c9ec710fafd69fad38c66097e9143269279ba48a668165402a46854f2052e520535299a6f410b34f0e23a4ca0ec9e398c4ff5a85a453

Score
7/10

Malware Config

Signatures

  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Deletes itself 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1304
    • C:\Users\Admin\AppData\Local\Temp\RFQ 096300.exe
      "C:\Users\Admin\AppData\Local\Temp\RFQ 096300.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      • Suspicious use of AdjustPrivilegeToken
      PID:376
      • C:\Users\Admin\AppData\Local\Temp\RFQ 096300.exe
        "{path}"
        3⤵
          PID:1832
        • C:\Users\Admin\AppData\Local\Temp\RFQ 096300.exe
          "{path}"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1844
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\SysWOW64\explorer.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        • Suspicious use of AdjustPrivilegeToken
        PID:1776
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\RFQ 096300.exe"
          3⤵
          • Deletes itself
          PID:324

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/324-4-0x0000000000000000-mapping.dmp
      Download
    • memory/1776-2-0x0000000000000000-mapping.dmp
      Download
    • memory/1776-3-0x0000000000E50000-0x00000000010D1000-memory.dmp
      Filesize

      2.5MB

      Download
    • memory/1776-5-0x00000000033C0000-0x00000000034DF000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/1844-0-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/1844-1-0x000000000041E2A0-mapping.dmp
      Download