Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 12-04-2021 06:12
- Static task: static1
- Behavioral task: behavioral1
  - Sample: RFQ 견적요청_해성190918.exe
  - Resource: win7v20201028
- Behavioral task: behavioral2
  - Sample: RFQ 견적요청_해성190918.exe
  - Resource: win10v20201028
General
- Target: RFQ 견적요청_해성190918.exe
- Size: 467KB
- MD5: cd70300691bc9f2a261dc6b814ea31a0
- SHA1: 255a24ace53039f262cc74bcda27541a4c3eeaaf
- SHA256: 5b578a81fa5276232529484ff00db9fca64a7879ab4a7abc652c9d0d3e1461ba
- SHA512: f3c86b554d45f0d0cc67be9ed25025411d47ed513fb0f72978e952c2fcbf20357ee55f1754dc7961afd1e0fc07149dfd38709c0205ad50fccdf7fdf97de981a5
Malware Config
- Extracted: xloader 2.3
- URL: http://www.mappmake.com/hrqs/
Signatures

Xloader Payload (4 IoCs)
Resource / yara_rule:
- behavioral2/memory/3896-145-0x0000000000400000-0x0000000000428000-memory.dmp: xloader
- behavioral2/memory/3896-146-0x000000000041D020-mapping.dmp: xloader
- behavioral2/memory/1216-154-0x0000000003200000-0x0000000003228000-memory.dmp: xloader
- behavioral2/memory/1216-156-0x0000000003230000-0x00000000032DE000-memory.dmp: xloader

Executes dropped EXE (2 IoCs)
Processes (pid / process):
- 1312 RFQ.exe
- 3896 RFQ.exe

Obfuscated with Agile.Net obfuscator (4 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Resource / yara_rule:
- behavioral2/memory/2736-122-0x0000000006390000-0x00000000063B1000-memory.dmp: agile_net
- behavioral2/memory/2736-126-0x0000000004BB0000-0x00000000050AE000-memory.dmp: agile_net
- behavioral2/memory/1312-138-0x0000000005500000-0x00000000059FE000-memory.dmp: agile_net
- behavioral2/memory/1312-142-0x0000000005500000-0x00000000059FE000-memory.dmp: agile_net

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description / ioc / process):
- Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run (reg.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\RFQ = "C:\\Users\\Admin\\AppData\\Roaming\\RFQ.exe" (reg.exe)

Suspicious use of SetThreadContext (3 IoCs)
Processes (pid / process / target process):
- PID 1312 (RFQ.exe) set thread context of 3896 (RFQ.exe)
- PID 3896 (RFQ.exe) set thread context of 1680 (Explorer.EXE)
- PID 1216 (wlanext.exe) set thread context of 1680 (Explorer.EXE)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid / process; each process was flagged repeatedly):
- 2736 RFQ 견적요청_해성190918.exe
- 1312 RFQ.exe
- 3896 RFQ.exe
- 1216 wlanext.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes (pid / process):
- 1680 Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
Processes (pid / process):
- 3896 RFQ.exe (3 hits)
- 1216 wlanext.exe (2 hits)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes (description / pid / process):
- Token: SeDebugPrivilege, 2736 RFQ 견적요청_해성190918.exe
- Token: SeDebugPrivilege, 1312 RFQ.exe
- Token: SeDebugPrivilege, 3896 RFQ.exe
- Token: SeDebugPrivilege, 1216 wlanext.exe

Suspicious use of UnmapMainImage (1 IoCs)
Processes (pid / process):
- 1680 Explorer.EXE

Suspicious use of WriteProcessMemory (21 IoCs)
Processes (pid / process / target process):
- PID 2736 (RFQ 견적요청_해성190918.exe) wrote to memory of 2464 (cmd.exe) (3 hits)
- PID 2464 (cmd.exe) wrote to memory of 4004 (reg.exe) (3 hits)
- PID 2736 (RFQ 견적요청_해성190918.exe) wrote to memory of 1312 (RFQ.exe) (3 hits)
- PID 1312 (RFQ.exe) wrote to memory of 3896 (RFQ.exe) (6 hits)
- PID 1680 (Explorer.EXE) wrote to memory of 1216 (wlanext.exe) (3 hits)
- PID 1216 (wlanext.exe) wrote to memory of 940 (cmd.exe) (3 hits)
Processes
- C:\Users\Admin\AppData\Local\Temp\RFQ 견적요청_해성190918.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ 견적요청_해성190918.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "RFQ" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\RFQ.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "RFQ" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\RFQ.exe"
      - Adds Run key to start application
  - C:\Users\Admin\AppData\Roaming\RFQ.exe
    Command line: "C:\Users\Admin\AppData\Roaming\RFQ.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\RFQ.exe
      Command line: "C:\Users\Admin\AppData\Roaming\RFQ.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\wlanext.exe
    Command line: "C:\Windows\SysWOW64\wlanext.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Roaming\RFQ.exe"
Downloads
- C:\Users\Admin\AppData\Roaming\RFQ.exe
  - MD5: cd70300691bc9f2a261dc6b814ea31a0
  - SHA1: 255a24ace53039f262cc74bcda27541a4c3eeaaf
  - SHA256: 5b578a81fa5276232529484ff00db9fca64a7879ab4a7abc652c9d0d3e1461ba
  - SHA512: f3c86b554d45f0d0cc67be9ed25025411d47ed513fb0f72978e952c2fcbf20357ee55f1754dc7961afd1e0fc07149dfd38709c0205ad50fccdf7fdf97de981a5