Analysis
- max time kernel: 49s
- max time network: 14s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 19-01-2021 12:55

Static task: static1
Behavioral task: behavioral1
- Sample: January RFQ..exe
- Resource: win7v20201028 (windows7_x64)
- 0 signatures
- 0 seconds
General
- Target: January RFQ..exe
- Size: 1.5MB
- MD5: cc13b6f169803d95f021b0ae44ffe5cb
- SHA1: fbe82085f8df30bd7968c54afcd583bcb9bdc8dc
- SHA256: 99a42bd8c8cfb6b3b69162c2f3f657b3b3972dd353338ff17accb1c9afcd5892
- SHA512: df35b54a1833d848ba052fe6c389ad3e08ad3962f7d98f17858cf20afe92d499058f54efb7a7138f99b1abc9df9aecaa10bcbd18bb4112ad60eb093ad4caf1b0
- Score: 1/10
Malware Config

Signatures
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  Processes (pid | process):
  1056 | January RFQ..exe   (13 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 1056 | January RFQ..exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (description | pid | process | target process):
  PID 1056 wrote to memory of 1340 | 1056 | January RFQ..exe | January RFQ..exe   (4 entries)
  PID 1056 wrote to memory of 380  | 1056 | January RFQ..exe | January RFQ..exe   (4 entries)
  PID 1056 wrote to memory of 1808 | 1056 | January RFQ..exe | January RFQ..exe   (4 entries)
  PID 1056 wrote to memory of 520  | 1056 | January RFQ..exe | January RFQ..exe   (4 entries)
  PID 1056 wrote to memory of 392  | 1056 | January RFQ..exe | January RFQ..exe   (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\January RFQ..exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\January RFQ..exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\January RFQ..exe (level 2), command line: "{path}"
  - C:\Users\Admin\AppData\Local\Temp\January RFQ..exe (level 2), command line: "{path}"
  - C:\Users\Admin\AppData\Local\Temp\January RFQ..exe (level 2), command line: "{path}"
  - C:\Users\Admin\AppData\Local\Temp\January RFQ..exe (level 2), command line: "{path}"
  - C:\Users\Admin\AppData\Local\Temp\January RFQ..exe (level 2), command line: "{path}"
Network
MITRE ATT&CK Matrix
Downloads
- memory/1056-2-0x0000000073C60000-0x000000007434E000-memory.dmp, filesize 6.9MB
- memory/1056-3-0x00000000003A0000-0x00000000003A1000-memory.dmp, filesize 4KB
- memory/1056-5-0x0000000004200000-0x000000000427C000-memory.dmp, filesize 496KB
- memory/1056-6-0x0000000005F20000-0x0000000005F21000-memory.dmp, filesize 4KB
- memory/1056-7-0x00000000006C0000-0x00000000006CE000-memory.dmp, filesize 56KB
- memory/1056-8-0x000000000BB60000-0x000000000BBBA000-memory.dmp, filesize 360KB