Analysis

Max time kernel: 150s
Max time network: 153s
Platform: windows10_x64
Resource: win10-en-20211014
Submitted: 03-11-2021 11:36

Static task: static1
Behavioral task: behavioral1
Sample: rfq.exe
Resource: win7-en-20211014
General

Target: rfq.exe
Size: 304KB
MD5: 1fefc11b33956003889da1a5337179f4
SHA1: 01a2773637fa5eea87508ee768d7ccff9bd09f7b
SHA256: 9b4f227304980351439c58e4b8a29844c7929c11de71051cf7c79f348996e8b1
SHA512: f5e8faf8d630acf5a5f9cdd34e2b87cb67cb8877e5790ab63626adcb7f447bc05cd2d54b728b2c613f12b656c3a8f5b7516c0c5dcbed1a3d8bbcc1c0fa7c292a
Malware Config

Extracted
Family: xloader
Version: 2.5
Campaign: unzn
C2: http://www.davanamays.com/unzn/

The C2 URL is the high-confidence indicator. Xloader/FormBook also beacons to the decoy domains below to bury the real check-in in noise; many of them are unrelated, legitimate sites, so they are low-confidence for blocking on their own and are better used to alert on the combined beaconing pattern.

Decoy domains (64 listed):
xiulf.com
highcountrymortar.com
523561.com
marketingagency.tools
ganmovie.net
nationaalcontactpunt.com
sirrbter.com
begizas.xyz
missimi-fashion.com
munixc.info
daas.support
spaceworbc.com
faithtruthresolve.com
gymkub.com
thegrayverse.xyz
artisanmakefurniture.com
029tryy.com
ijuubx.biz
iphone13promax.club
techuniversus.com
samrgov.xyz
grownupcurl.com
sj0755.net
beekeeperkit.com
richessesabondantes.com
xclgjgjh.net
webworkscork.com
vedepviet365.com
bretabeameven.com
cdzsmhw.com
clearperspective.biz
tigrg5g784sh.biz
bbezan011.xyz
mycar.store
mansooralobeidli.com
ascensionmemberszoom.com
unlimitedrehab.com
wozka.top
askylarkgoods.com
rj793.com
prosvalor.com
primetimeexpress.com
boixosnoisperu.com
mmasportgear.com
concertiranian.net
hyponymys.info
maila.one
yti0fyic.xyz
shashiprayag.com
speedprosmotorsports.com
westchestercountyjunkcars.com
patienceinmypocket.com
rausachbaoloc.com
plexregroup.com
outsydercs.com
foodandflour.com
lenacrypto.xyz
homeservicetoday.net
marthaperry.com
vmtcyd4q8.com
shamefulguys.com
loccssol.store
gnarledportra.xyz
042atk.xyz
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET)  (2 alerts)
Xloader Payload (3 IoCs)
resource                                                                     yara_rule
behavioral2/memory/892-116-0x0000000000400000-0x0000000000429000-memory.dmp   xloader
behavioral2/memory/892-117-0x000000000041D430-mapping.dmp                     xloader
behavioral2/memory/1304-125-0x0000000004D20000-0x0000000004D49000-memory.dmp  xloader
Loads dropped DLL (1 IoC)
pid   process
3496  rfq.exe
Suspicious use of SetThreadContext (3 IoCs)
pid   process     target pid  target process
3496  rfq.exe     892         rfq.exe
892   rfq.exe     2568        Explorer.EXE
1304  chkdsk.exe  2568        Explorer.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox attaches "likely ransomware behaviour" to this signature generically; nothing else in this report (no file encryption activity, payload identified as the Xloader stealer) supports that reading here, so treat the drive enumeration as low-signal on its own.
Enumerates system info in registry (2 TTPs, 1 IoC)
description        ioc                                                         process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  chkdsk.exe
Suspicious behavior: EnumeratesProcesses (60 IoCs)
pid   process     hits
892   rfq.exe     4
1304  chkdsk.exe  56
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid   process
2568  Explorer.EXE
Suspicious behavior: MapViewOfSection (5 IoCs)
pid   process     hits
892   rfq.exe     3
1304  chkdsk.exe  2
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description               pid   process
Token: SeDebugPrivilege   892   rfq.exe
Token: SeDebugPrivilege   1304  chkdsk.exe
Suspicious use of WriteProcessMemory (12 IoCs)
pid   process       target pid  target process  hits
3496  rfq.exe       892         rfq.exe         6
2568  Explorer.EXE  1304        chkdsk.exe      3
1304  chkdsk.exe    2020        cmd.exe         3
Processes

C:\Windows\Explorer.EXE  (command line: C:\Windows\Explorer.EXE)  [PID 2568]
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\rfq.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\rfq.exe")  [PID 3496]
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\rfq.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\rfq.exe")  [PID 892]
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\chkdsk.exe  (command line: "C:\Windows\SysWOW64\chkdsk.exe")  [PID 1304]
        - Suspicious use of SetThreadContext
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe  (command line: /c del "C:\Users\Admin\AppData\Local\Temp\rfq.exe")  [PID 2020]

PIDs are taken from the signature tables above. Read top to bottom, this is the usual FormBook/Xloader sequence: the dropper (3496) starts a second copy of itself (892), writes into it and redirects its thread (process hollowing); that copy hijacks a thread in Explorer.EXE (2568); Explorer then launches a 32-bit system binary, chkdsk.exe (1304), which injects back into Explorer and runs cmd.exe to delete the original rfq.exe from %TEMP%. The Explorer.EXE entry at depth 1 is the live shell, not a process started by the sample.
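To make the chain above mechanically checkable rather than read off by eye, the following is an added Python example, not part of the sandbox report or of any sandbox product. It parses lines in the report's own "PID <src> set thread context of <dst> <src> <source image> <target image>" and "wrote to memory of" format and applies three rules that together describe this sample's behaviour: hollowing of a same-image child, thread hijack of a trusted host process, and the pivot where the host writes into a new child that injects back. SAMPLE_LINES is constructed from the SetThreadContext and WriteProcessMemory tables; the TRUSTED_HOSTS set and the rule names are assumptions of the example.

```python
"""Rebuild the injection chain from sandbox signature lines.

Added example, not part of the sandbox report. SAMPLE_LINES is
constructed from the report's own SetThreadContext and
WriteProcessMemory tables; the rules are an illustration.
"""
import re

SAMPLE_LINES = [
    "PID 3496 set thread context of 892 3496 rfq.exe rfq.exe",
    "PID 892 set thread context of 2568 892 rfq.exe Explorer.EXE",
    "PID 1304 set thread context of 2568 1304 chkdsk.exe Explorer.EXE",
    "PID 3496 wrote to memory of 892 3496 rfq.exe rfq.exe",
    "PID 2568 wrote to memory of 1304 2568 Explorer.EXE chkdsk.exe",
    "PID 1304 wrote to memory of 2020 1304 chkdsk.exe cmd.exe",
]

# "PID <src> <action> <dst> <src again> <src image> <dst image>"
LINE_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)$"
)

# Host processes malware injects into to hide its traffic. Only
# Explorer.EXE appears in the report; svchost.exe is an assumption.
TRUSTED_HOSTS = {"explorer.exe", "svchost.exe"}


def parse_events(lines):
    """Return (src_pid, dst_pid, action, src_image, dst_image) tuples.
    Lines that do not match the format are skipped, never guessed."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        action = "ctx" if m["action"].startswith("set") else "write"
        events.append((int(m["src"]), int(m["dst"]), action,
                       m["src_img"], m["dst_img"]))
    return events


def analyse(events):
    """Apply three rules over the edge set and return finding strings."""
    ctx = {(s, d) for s, d, a, _, _ in events if a == "ctx"}
    writes = {(s, d) for s, d, a, _, _ in events if a == "write"}
    image = {}
    for s, d, _, si, di in events:
        image[s], image[d] = si.lower(), di.lower()

    findings = []
    for s, d in sorted(ctx):
        if (s, d) in writes and image[s] == image[d]:
            # Rule 1: write + SetThreadContext into a child running the
            # same image = hollowing a fresh copy of itself
            findings.append(f"hollowing {image[s]} {s}->{d}")
        elif image[d] in TRUSTED_HOSTS:
            # Rule 2: thread hijack of a trusted host process
            findings.append(f"inject {image[s]} {s}->{image[d]} {d}")
    for s, d in sorted(writes):
        # Rule 3: a trusted host writes into a new child which then
        # redirects a thread back into that host (the chkdsk.exe pivot)
        if image[s] in TRUSTED_HOSTS and (d, s) in ctx:
            findings.append(
                f"pivot {image[d]} {d} spawned by {image[s]} {s} re-injects {s}")
    return findings


if __name__ == "__main__":
    for finding in analyse(parse_events(SAMPLE_LINES)):
        print(finding)
```

Rule 3 is the one worth keeping in a production detection: a system binary written into by Explorer that then calls SetThreadContext on Explorer has no benign explanation, whereas Rule 2 alone also fires on some legitimate shell extensions and accessibility tools.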
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
\Users\Admin\AppData\Local\Temp\nsiD7F3.tmp\lgyx.dll
    MD5: 85f315070bb4e1181d70ad3cd91fb245
    SHA1: 1848b67bb67f9c5235367e60f9828c0081c34a25
    SHA256: fd1cedeacb764040a514e54679106f609c1724559b17ae4c051f73135190cfcb
    SHA512: 1868003df1d37738929d4a88bf3666a3157cc36b17f243fd034f1301872617d91104314fe6a4c66253e0c63d36e63f0a307c22810099777dbd2580415d8fb927
    An ns????.tmp directory under %TEMP% is where an NSIS installer unpacks its plugin DLLs; this is the DLL behind the "Loads dropped DLL" signature for PID 3496, so the sample is an NSIS-wrapped dropper.

Memory dumps:
memory/892-116-0x0000000000400000-0x0000000000429000-memory.dmp    164KB
memory/892-117-0x000000000041D430-mapping.dmp
memory/892-120-0x0000000000E40000-0x0000000000E51000-memory.dmp    68KB
memory/892-119-0x00000000009D0000-0x0000000000CF0000-memory.dmp    3.1MB
memory/1304-122-0x0000000000000000-mapping.dmp
memory/1304-124-0x00000000008F0000-0x00000000008FA000-memory.dmp   40KB
memory/1304-125-0x0000000004D20000-0x0000000004D49000-memory.dmp   164KB
memory/1304-126-0x0000000005430000-0x0000000005750000-memory.dmp   3.1MB
memory/1304-127-0x0000000005290000-0x0000000005320000-memory.dmp   576KB
memory/2020-123-0x0000000000000000-mapping.dmp
memory/2568-121-0x0000000007000000-0x0000000007113000-memory.dmp   1.1MB
memory/2568-128-0x0000000007120000-0x000000000728C000-memory.dmp   1.4MB

The two 164KB regions (0x400000 in PID 892 and 0x4D20000 in PID 1304) are the ones the xloader YARA rule matched above, i.e. the same unpacked payload image present in both the hollowed rfq.exe copy and the chkdsk.exe stage; either dump is the right one to carve for config extraction.