067b9d06a47a9ca284129833cf4d79dae27bb36c6bccef4bb6ef01bd649db763

Analysis

max time kernel
123s
max time network
109s
platform
windows10_x64
resource
win10
submitted
16/07/2020, 13:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

RFQ.exe
Size

559KB
MD5

7e62c5ed8c54d09ab424814681b2384f
SHA1

7fac903f9a95f97f694150c159da7340dcc5b3d3
SHA256

067b9d06a47a9ca284129833cf4d79dae27bb36c6bccef4bb6ef01bd649db763
SHA512

37a0c727d3d6119b4208f938ea2505c8fff9a094dcb173168fd041eb28812aa02a1f7e66dadf178f24a182c2717c8645a923565834a29e12d33f081d44577f96

Score

10^/10

spyware

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.ru
Port:
587
Username:
[email protected]
Password:
@jaffinmarknma@344

Signatures

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3588 wrote to memory of 1004	3588	RFQ.exe	72
PID 3588 wrote to memory of 1004	3588	RFQ.exe	72
PID 3588 wrote to memory of 1004	3588	RFQ.exe	72
PID 3588 wrote to memory of 3720	3588	RFQ.exe	74
PID 3588 wrote to memory of 3720	3588	RFQ.exe	74
PID 3588 wrote to memory of 3720	3588	RFQ.exe	74
PID 3588 wrote to memory of 3720	3588	RFQ.exe	74
PID 3588 wrote to memory of 3720	3588	RFQ.exe	74
PID 3588 wrote to memory of 3720	3588	RFQ.exe	74
PID 3588 wrote to memory of 3720	3588	RFQ.exe	74
PID 3588 wrote to memory of 3720	3588	RFQ.exe	74

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3588 set thread context of 3720	3588	RFQ.exe	74

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3720	RFQ.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3720	RFQ.exe
3720	RFQ.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1004	schtasks.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081

C:\Users\Admin\AppData\Local\Temp\RFQ.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:3588
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SIuseiZals" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFF3B.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1004
- C:\Users\Admin\AppData\Local\Temp\RFQ.exe
  "{path}"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:3720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3720-6-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download