Analysis

max time kernel: 148s
max time network: 148s
platform: windows10_x64
resource: win10v20210408
submitted: 11-05-2021 11:10

Static task: static1
Behavioral task: behavioral1
Sample: RFQEMFA.Elektrik.pdf.exe
Resource: win7v20210410
General

Target: RFQEMFA.Elektrik.pdf.exe
Size: 951KB
MD5: 212b4438b24a7861e987a74aeb6b937e
SHA1: df3c8093317d50ed2463fa96ca681a037123ddcf
SHA256: 00b6b610ff7d07af06a0888ac2095085de70aae5238bb1e876128ed0ede3fb3e
SHA512: 164beaf6d8d9693a3ab9971fe925cd680c844886acd1caf0ccd9c6f05e15f0c72c4fee867076f15e87a5788363302919751c6d712ee35ce0dc7198c1535e8335
Malware Config

Extracted
Family: nanocore
Version: 1.2.2.0
C2: 79.134.225.17:2050
C2: 127.0.0.1:2050 (this is the backup_connection_host below; a loopback address is a builder placeholder, not live infrastructure, and is not worth blocklisting)
Mutex: faa60493-d519-4c8d-8ff8-8e7cd20e9967

activate_away_mode: true
backup_connection_host: 127.0.0.1
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2021-02-19T18:34:39.325937936Z
bypass_user_account_control: true
bypass_user_account_control_data: (empty)
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 2050
default_group: Default
enable_debug_mode: true
gc_threshold: 10485760 (rendered by the extractor as 1.048576e+07)
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 10485760 (rendered by the extractor as 1.048576e+07)
mutex: faa60493-d519-4c8d-8ff8-8e7cd20e9967
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: 79.134.225.17
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000

Two practitioner notes on this config. The DNS entries are Google's public resolvers and use_custom_dns_server is false, so they are not indicators. set_critical_process: true means the implant marks its own process critical, so killing it outright forces a bugcheck; suspend the process or reboot into a clean state rather than terminating it during cleanup.
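Sandbox exports render every config value as a string, rendering large integers as floats (1.048576e+07), booleans as true/false, and an option with no data as a bare key. The Python below is an added example, not part of the sandbox report and not code from the sample: it parses a constructed excerpt of the configuration above into typed values and derives the indicators that matter from it, dropping the loopback backup host and listing which behaviour-changing options are switched on. The layout it accepts and the list of capability flags are the example's own assumptions.

```python
"""Parse a sandbox-extracted NanoCore configuration into typed values and
derive indicators from it.  Added example: not part of the sandbox report
and not code from the sample; the layout it accepts and the flag list are
assumptions documented inline."""
import ipaddress
import re

# Constructed excerpt of the configuration above, in "key: value" layout.
# The parser also accepts the bare layout some sandboxes emit ("key" on one
# line, value on the next, "-" between entries, "- key" for an empty value).
SAMPLE_CONFIG = """\
family: nanocore
version: 1.2.2.0
primary_connection_host: 79.134.225.17
backup_connection_host: 127.0.0.1
connection_port: 2050
mutex: faa60493-d519-4c8d-8ff8-8e7cd20e9967
bypass_user_account_control: true
bypass_user_account_control_data:
request_elevation: true
set_critical_process: true
keyboard_logging: false
run_on_startup: false
gc_threshold: 1.048576e+07
build_time: 2021-02-19T18:34:39.325937936Z
"""

# Options whose "true" value changes what the implant does on the host.
# The list is the example's own choice, not a NanoCore field definition.
CAPABILITY_FLAGS = ("bypass_user_account_control", "request_elevation",
                    "set_critical_process", "keyboard_logging", "run_on_startup")


def _coerce(raw: str):
    """Turn the sandbox's string rendering back into bool/int/str."""
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    try:                                   # integers rendered as floats, e.g. 1.048576e+07
        f = float(raw)
        return int(f) if f.is_integer() else f
    except ValueError:
        return raw                         # IPs, GUIDs, versions, timestamps stay strings


def parse_config(text: str) -> dict:
    cfg, pending = {}, None
    for line in text.splitlines():
        ln = line.strip()
        if not ln:
            continue
        if ln.startswith("-"):             # entry separator, or "- key" with no value
            ln = ln[1:].strip()
            if not ln:
                continue
            if ":" not in ln:
                cfg[ln] = ""
                pending = None
                continue
        if pending is not None:            # value line following a bare key
            cfg[pending] = _coerce(ln)
            pending = None
        elif ":" in ln:                    # "key: value" (value may itself contain ':')
            key, _, val = ln.partition(":")
            cfg[key.strip()] = _coerce(val.strip())
        else:                              # bare key; value expected on the next line
            pending = ln
    if pending is not None:
        cfg[pending] = ""
    return cfg


def derive_iocs(cfg: dict) -> dict:
    """C2 socket tuples, mutex and enabled capabilities from a parsed config."""
    port = cfg.get("connection_port")
    c2 = []
    for key in ("primary_connection_host", "backup_connection_host"):
        host = cfg.get(key)
        if not host:
            continue
        try:
            addr = ipaddress.ip_address(host)
            if addr.is_loopback or addr.is_unspecified:
                continue                   # 127.0.0.1 backup host is a placeholder, not infrastructure
        except ValueError:
            pass                           # a hostname: keep it
        c2.append(f"{host}:{port}")
    return {
        "family": cfg.get("family"),
        "version": cfg.get("version"),
        "c2": c2,
        "mutex": cfg.get("mutex"),
        "enabled": [f for f in CAPABILITY_FLAGS if cfg.get(f) is True],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(derive_iocs(parse_config(SAMPLE_CONFIG)), indent=2))
```

The mutex GUID is the one host artefact that survives a rebuild of the dropper, so it is the value to carry into a host-side check alongside the primary host:port pair; the version string is useful for clustering samples but not for blocking.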
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
  Process: RFQEMFA.Elektrik.pdf.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UPNP Subsystem = "C:\\Program Files (x86)\\UPNP Subsystem\\upnpss.exe"
  WOW6432Node is the 32-bit view of HKLM\SOFTWARE on a 64-bit host, which is where a 32-bit process writing to HKLM\...\Run lands; a hunt that reads only the native 64-bit Run key misses this entry.

Checks whether UAC is enabled (1 IoC)
  Process: RFQEMFA.Elektrik.pdf.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  Consistent with bypass_user_account_control and request_elevation both being true in the extracted config.

Suspicious use of SetThreadContext (1 IoC)
  PID 804 RFQEMFA.Elektrik.pdf.exe set thread context of PID 1312 RFQEMFA.Elektrik.pdf.exe
  Together with the WriteProcessMemory events below (PID 804 writing into PID 1312 eight times), this is the process-hollowing pattern: the first instance starts a second copy of itself, writes a payload into it and redirects its thread to that code. Every later signature (Run key, UAC check, file drop, SeDebugPrivilege) is attributed to the second instance in the process tree, so PID 804 is only the loader.

Drops file in Program Files directory (2 IoCs)
  Process: RFQEMFA.Elektrik.pdf.exe
  File opened for modification: C:\Program Files (x86)\UPNP Subsystem\upnpss.exe
  File created: C:\Program Files (x86)\UPNP Subsystem\upnpss.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  The second sentence is the sandbox's generic text for this signature. The extracted config identifies the sample as NanoCore, a remote access trojan, so here the drive enumeration is better read as RAT reconnaissance than as a ransomware indicator.

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Here: schtasks.exe /Create /TN "Updates\UmdaRvNPnl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp492A.tmp" (PID 2256, spawned by PID 804; the XML file is listed under Downloads).

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PID 1312 RFQEMFA.Elektrik.pdf.exe (6 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1312 RFQEMFA.Elektrik.pdf.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 1312 RFQEMFA.Elektrik.pdf.exe: Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (11 IoCs)
  PID 804 RFQEMFA.Elektrik.pdf.exe wrote to memory of PID 2256 schtasks.exe (3 events)
  PID 804 RFQEMFA.Elektrik.pdf.exe wrote to memory of PID 1312 RFQEMFA.Elektrik.pdf.exe (8 events)
  The three writes into schtasks.exe are the kind a parent typically makes into a child it has just created; the eight writes into the second copy of the sample are the injection that precedes the SetThreadContext call above.
Processes

C:\Users\Admin\AppData\Local\Temp\RFQEMFA.Elektrik.pdf.exe (PID 804)
  "C:\Users\Admin\AppData\Local\Temp\RFQEMFA.Elektrik.pdf.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe (PID 2256, child of 804)
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UmdaRvNPnl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp492A.tmp"
    - Creates scheduled task(s)
    The command line names System32 but the image that ran is in SysWOW64: WOW64 file-system redirection resolved it, which confirms the parent is a 32-bit process.

  C:\Users\Admin\AppData\Local\Temp\RFQEMFA.Elektrik.pdf.exe (PID 1312, child of 804)
    "C:\Users\Admin\AppData\Local\Temp\RFQEMFA.Elektrik.pdf.exe"
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQEMFA.Elektrik.pdf.exe.log
  MD5: 90acfd72f14a512712b1a7380c0faf60
  SHA1: 40ba4accb8faa75887e84fb8e38d598dc8cf0f12
  SHA256: 20806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86
  SHA512: 29dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9
  A usage log under CLR_v4.0_32 is written by the .NET Framework 4.x runtime for a 32-bit managed process, so the sample is a 32-bit .NET executable, which fits NanoCore.

C:\Users\Admin\AppData\Local\Temp\tmp492A.tmp
  MD5: b25b804bcb11b573796086ac9ae552c8
  SHA1: eec2e77c14a4779389b99b38424e2da85de1f38c
  SHA256: 20471a1a1d588733fc59e98e8c3c8701e9e084efc22d83873d45b168031f05e6
  SHA512: 7b915862df5504dfdd619875bbb4f9a46f603a37d5e13e4f7416b98bb5c498105a29f01e6b523b91c8412600649685d3cae0c2e4ce6d99f5bdbe84f3703ba2a7
  This is the task-definition XML passed to schtasks.exe /XML in the process tree.

Memory dumps (PID 804, the loader)
  memory/804-114-0x0000000000DD0000-0x0000000000DD1000-memory.dmp  4KB
  memory/804-116-0x0000000005810000-0x0000000005811000-memory.dmp  4KB
  memory/804-117-0x0000000005DB0000-0x0000000005DB1000-memory.dmp  4KB
  memory/804-118-0x00000000058B0000-0x00000000058B1000-memory.dmp  4KB
  memory/804-119-0x00000000031E0000-0x00000000031E1000-memory.dmp  4KB
  memory/804-120-0x00000000058B0000-0x0000000005DAE000-memory.dmp  5.0MB
  memory/804-121-0x0000000005780000-0x0000000005781000-memory.dmp  4KB
  memory/804-122-0x00000000057E0000-0x00000000057E4000-memory.dmp  16KB
  memory/804-123-0x00000000066B0000-0x000000000677B000-memory.dmp  812KB
  memory/804-124-0x0000000005CF0000-0x0000000005D7A000-memory.dmp  552KB

Memory dumps (PID 1312, the hollowed copy)
  memory/1312-127-0x0000000000400000-0x0000000000438000-memory.dmp  224KB
  memory/1312-128-0x000000000041E792-mapping.dmp
  memory/1312-136-0x0000000005080000-0x0000000005112000-memory.dmp  584KB
  memory/1312-137-0x00000000051D0000-0x00000000051D5000-memory.dmp  20KB
  memory/1312-138-0x00000000056D0000-0x00000000056E9000-memory.dmp  100KB
  memory/1312-139-0x0000000005E80000-0x0000000005E83000-memory.dmp  12KB
  memory/1312-140-0x0000000005E90000-0x0000000005E9D000-memory.dmp  52KB
  memory/1312-141-0x00000000064B0000-0x00000000064C5000-memory.dmp  84KB
  memory/1312-142-0x00000000064E0000-0x00000000064E6000-memory.dmp  24KB
  memory/1312-143-0x0000000006500000-0x000000000650C000-memory.dmp  48KB
  memory/1312-144-0x0000000006510000-0x0000000006517000-memory.dmp  28KB
  memory/1312-145-0x0000000006520000-0x0000000006526000-memory.dmp  24KB
  memory/1312-146-0x0000000006530000-0x000000000653D000-memory.dmp  52KB
  memory/1312-147-0x0000000006540000-0x0000000006549000-memory.dmp  36KB
  memory/1312-148-0x0000000006550000-0x000000000655F000-memory.dmp  60KB
  memory/1312-149-0x0000000006570000-0x000000000657A000-memory.dmp  40KB
  memory/1312-150-0x0000000006580000-0x00000000065A9000-memory.dmp  164KB
  memory/1312-151-0x00000000065C0000-0x00000000065CF000-memory.dmp  60KB
  memory/1312-152-0x00000000067A0000-0x00000000067A1000-memory.dmp  4KB
  The 1312-127 dump covers 0x400000-0x438000, the image range of the hollowed copy, and the 1312-128 mapping at 0x41E792 falls inside it; that dump is the likely place to find the unpacked payload, rather than the on-disk sample.

Memory dumps (PID 2256, schtasks.exe)
  memory/2256-125-0x0000000000000000-mapping.dmp