Overview

overview

7

Static

static

RFQ 096300.exe

windows7_x64

7

RFQ 096300.exe

windows10_x64

5

Analysis

  • max time kernel
    147s
  • max time network
    126s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    13-07-2020 07:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RFQ 096300.exe

  • Size

    368KB

  • MD5

    802c413ef3a40b505e5b8e2e0fc7bada

  • SHA1

    02f663db266a9151430cc3433b1497b170971769

  • SHA256

    7f4d53805b50624cb5e92857423661c3aef89e24c4ca63e79fdf62cbe2cb694c

  • SHA512

    d9e76abb4840e9d9f253c9ec710fafd69fad38c66097e9143269279ba48a668165402a46854f2052e520535299a6f410b34f0e23a4ca0ec9e398c4ff5a85a453

Score
5/10

Malware Config

Signatures

  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2984
    • C:\Users\Admin\AppData\Local\Temp\RFQ 096300.exe
      "C:\Users\Admin\AppData\Local\Temp\RFQ 096300.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      PID:732
      • C:\Users\Admin\AppData\Local\Temp\RFQ 096300.exe
        "{path}"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        PID:1248
    • C:\Windows\SysWOW64\raserver.exe
      "C:\Windows\SysWOW64\raserver.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      PID:3668
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\RFQ 096300.exe"
        3⤵
          PID:488
    • C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
      C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
      1⤵
        PID:2620

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/488-5-0x0000000000000000-mapping.dmp
        Download
      • memory/1248-0-0x0000000000400000-0x000000000042D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/1248-1-0x000000000041E2A0-mapping.dmp
        Download
      • memory/2984-7-0x0000000001000000-0x00000000010E3000-memory.dmp
        Filesize

        908KB

        Download
      • memory/3668-2-0x0000000000000000-mapping.dmp
        Download
      • memory/3668-3-0x0000000000B00000-0x0000000000B1F000-memory.dmp
        Filesize

        124KB

        Download
      • memory/3668-4-0x0000000000B00000-0x0000000000B1F000-memory.dmp
        Filesize

        124KB

        Download
      • memory/3668-6-0x0000000005640000-0x0000000005721000-memory.dmp
        Filesize

        900KB

        Download