Overview

overview

10

Static

static

rfq.exe

windows7_x64

10

rfq.exe

windows10_x64

10

Analysis

  • max time kernel
    117s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-en-20211104
  • submitted
    29-11-2021 14:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    rfq.exe

  • Size

    595KB

  • MD5

    1212b3c985046ecb241e195e25a9913b

  • SHA1

    984eb9a8f5cb572774115307d65557e9a6a7f31d

  • SHA256

    d02c7e238675ed340d700e865360567a92cece2754486e033a7957f7f0b33a22

  • SHA512

    e10aecd08a673158e82520deafcaa7e298269c3a0ee123c9ac154b2f85af5946bfbbec5525558a00abee866e72b6710b1ea6a2409c2e2263062276df81da67a3

Score
10/10
neshtapersistencespywarestealer

Malware Config

Signatures

  • Detect Neshta Payload 4 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\rfq.exe
    "C:\Users\Admin\AppData\Local\Temp\rfq.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1452
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\PvHZQvCKp.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:304
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PvHZQvCKp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7A6D.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1440
    • C:\Users\Admin\AppData\Local\Temp\rfq.exe
      "C:\Users\Admin\AppData\Local\Temp\rfq.exe"
      2⤵
      • Modifies system executable filetype association
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      PID:976

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp7A6D.tmp
    MD5

    93f8c92890d8438be353354c91353cc6

    SHA1

    cc534a29459cb8467e0d998618f003ae157ccb94

    SHA256

    bcf8ba5dd79971009aaa87d432333c1687c22ea087cc1e27e238d10183821bf0

    SHA512

    18e2a629b83350b47072eaef5cfbbe16b8a2e7c7b67dc047181822a509e9467a2d39af52990691870224f22229f35c8ba533e7f433ffe8b91c27d84cb1ce9e7a

    Download Submit
  • C:\Users\Admin\AppData\Roaming\PVHZQV~1.EXE
    MD5

    1212b3c985046ecb241e195e25a9913b

    SHA1

    984eb9a8f5cb572774115307d65557e9a6a7f31d

    SHA256

    d02c7e238675ed340d700e865360567a92cece2754486e033a7957f7f0b33a22

    SHA512

    e10aecd08a673158e82520deafcaa7e298269c3a0ee123c9ac154b2f85af5946bfbbec5525558a00abee866e72b6710b1ea6a2409c2e2263062276df81da67a3

    Download Submit
  • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
    MD5

    9e2b9928c89a9d0da1d3e8f4bd96afa7

    SHA1

    ec66cda99f44b62470c6930e5afda061579cde35

    SHA256

    8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

    SHA512

    2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

    Download Submit
  • memory/304-75-0x00000000024F0000-0x000000000313A000-memory.dmp
    Filesize

    12.3MB

    Download
  • memory/304-77-0x00000000024F0000-0x000000000313A000-memory.dmp
    Filesize

    12.3MB

    Download
  • memory/304-60-0x0000000000000000-mapping.dmp
    Download
  • memory/304-76-0x00000000024F0000-0x000000000313A000-memory.dmp
    Filesize

    12.3MB

    Download
  • memory/304-62-0x0000000075141000-0x0000000075143000-memory.dmp
    Filesize

    8KB

    Download
  • memory/976-72-0x00000000004080E4-mapping.dmp
    Download
  • memory/976-64-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/976-66-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/976-67-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/976-68-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/976-69-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/976-70-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/976-65-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/976-71-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/976-74-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/1440-61-0x0000000000000000-mapping.dmp
    Download
  • memory/1452-55-0x0000000000340000-0x0000000000341000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1452-59-0x0000000004950000-0x00000000049C8000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1452-58-0x0000000000440000-0x0000000000441000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1452-57-0x0000000000430000-0x0000000000436000-memory.dmp
    Filesize

    24KB

    Download