Analysis
max time kernel: 117s
max time network: 117s
platform: windows7_x64
resource: win7-en-20211104
submitted: 29-11-2021 14:36
Static task: static1

Behavioral task: behavioral1
  Sample: rfq.exe
  Resource: win7-en-20211104

Behavioral task: behavioral2
  Sample: rfq.exe
  Resource: win10-en-20211014
General
Target: rfq.exe
Size: 595KB
MD5: 1212b3c985046ecb241e195e25a9913b
SHA1: 984eb9a8f5cb572774115307d65557e9a6a7f31d
SHA256: d02c7e238675ed340d700e865360567a92cece2754486e033a7957f7f0b33a22
SHA512: e10aecd08a673158e82520deafcaa7e298269c3a0ee123c9ac154b2f85af5946bfbbec5525558a00abee866e72b6710b1ea6a2409c2e2263062276df81da67a3
Malware Config
Signatures
Detect Neshta Payload (4 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/976-72-0x00000000004080E4-mapping.dmp | family_neshta
  behavioral1/memory/976-71-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/976-74-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/304-75-0x00000000024F0000-0x000000000313A000-memory.dmp | family_neshta

Modifies system executable filetype association (2 TTPs, 1 IoCs)
Processes: rfq.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | rfq.exe

Neshta
Malware from the Neshta family is a file infector: it inserts itself into other executable files in order to spread and cause damage.

Loads dropped DLL (1 IoCs)
Processes: rfq.exe
  pid | process
  976 | rfq.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Suspicious use of SetThreadContext (1 IoCs)
Processes: rfq.exe
  description | pid | process | target process
  PID 1452 set thread context of 976 | 1452 | rfq.exe | rfq.exe

Drops file in Program Files directory (64 IoCs)
Processes: rfq.exe
  description | ioc | process
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\OIS.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe | rfq.exe
  File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | rfq.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\misc.exe | rfq.exe
  File opened for modification | C:\PROGRA~2\WINDOW~1\wab.exe | rfq.exe
  File opened for modification | C:\PROGRA~2\WI54FB~1\setup_wm.exe | rfq.exe
  File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | rfq.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe | rfq.exe
  File opened for modification | C:\PROGRA~2\WI54FB~1\wmlaunch.exe | rfq.exe
  File opened for modification | C:\PROGRA~2\WI54FB~1\WMPDMC.exe | rfq.exe
  File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe | rfq.exe
  File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE | rfq.exe
  File opened for modification | C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\WI54FB~1\wmplayer.exe | rfq.exe
  File opened for modification | C:\PROGRA~2\WI54FB~1\wmprph.exe | rfq.exe
  File opened for modification | C:\PROGRA~2\WI54FB~1\wmpshare.exe | rfq.exe
  File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe | rfq.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe | rfq.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe | rfq.exe
  File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe | rfq.exe
  File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE | rfq.exe
  File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe | rfq.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\WI54FB~1\wmpconfig.exe | rfq.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe | rfq.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\WINDOW~1\wabmig.exe | rfq.exe
  File opened for modification | C:\PROGRA~2\WI4223~1\sidebar.exe | rfq.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\WINDOW~4\ImagingDevices.exe | rfq.exe

Drops file in Windows directory (1 IoCs)
Processes: rfq.exe
  description | ioc | process
  File opened for modification | C:\Windows\svchost.com | rfq.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Modifies registry class (1 IoCs)
Processes: rfq.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | rfq.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes: rfq.exe, powershell.exe
  pid | process
  1452 | rfq.exe
  1452 | rfq.exe
  1452 | rfq.exe
  1452 | rfq.exe
  1452 | rfq.exe
  1452 | rfq.exe
  1452 | rfq.exe
  304 | powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: rfq.exe, powershell.exe
  description | pid | process
  Token: SeDebugPrivilege | 1452 | rfq.exe
  Token: SeDebugPrivilege | 304 | powershell.exe

Suspicious use of WriteProcessMemory (20 IoCs)
Processes: rfq.exe
  description | pid | process | target process
  PID 1452 wrote to memory of 304 | 1452 | rfq.exe | powershell.exe
  PID 1452 wrote to memory of 304 | 1452 | rfq.exe | powershell.exe
  PID 1452 wrote to memory of 304 | 1452 | rfq.exe | powershell.exe
  PID 1452 wrote to memory of 304 | 1452 | rfq.exe | powershell.exe
  PID 1452 wrote to memory of 1440 | 1452 | rfq.exe | schtasks.exe
  PID 1452 wrote to memory of 1440 | 1452 | rfq.exe | schtasks.exe
  PID 1452 wrote to memory of 1440 | 1452 | rfq.exe | schtasks.exe
  PID 1452 wrote to memory of 1440 | 1452 | rfq.exe | schtasks.exe
  PID 1452 wrote to memory of 976 | 1452 | rfq.exe | rfq.exe
  PID 1452 wrote to memory of 976 | 1452 | rfq.exe | rfq.exe
  PID 1452 wrote to memory of 976 | 1452 | rfq.exe | rfq.exe
  PID 1452 wrote to memory of 976 | 1452 | rfq.exe | rfq.exe
  PID 1452 wrote to memory of 976 | 1452 | rfq.exe | rfq.exe
  PID 1452 wrote to memory of 976 | 1452 | rfq.exe | rfq.exe
  PID 1452 wrote to memory of 976 | 1452 | rfq.exe | rfq.exe
  PID 1452 wrote to memory of 976 | 1452 | rfq.exe | rfq.exe
  PID 1452 wrote to memory of 976 | 1452 | rfq.exe | rfq.exe
  PID 1452 wrote to memory of 976 | 1452 | rfq.exe | rfq.exe
  PID 1452 wrote to memory of 976 | 1452 | rfq.exe | rfq.exe
  PID 1452 wrote to memory of 976 | 1452 | rfq.exe | rfq.exe
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\rfq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\rfq.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1452

  Level 2 (child of PID 1452): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\PvHZQvCKp.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 304

  Level 2 (child of PID 1452): C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PvHZQvCKp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7A6D.tmp"
    - Creates scheduled task(s)
    PID: 1440

  Level 2 (child of PID 1452): C:\Users\Admin\AppData\Local\Temp\rfq.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\rfq.exe"
    - Modifies system executable filetype association
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    PID: 976
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\tmp7A6D.tmp
  MD5: 93f8c92890d8438be353354c91353cc6
  SHA1: cc534a29459cb8467e0d998618f003ae157ccb94
  SHA256: bcf8ba5dd79971009aaa87d432333c1687c22ea087cc1e27e238d10183821bf0
  SHA512: 18e2a629b83350b47072eaef5cfbbe16b8a2e7c7b67dc047181822a509e9467a2d39af52990691870224f22229f35c8ba533e7f433ffe8b91c27d84cb1ce9e7a

C:\Users\Admin\AppData\Roaming\PVHZQV~1.EXE
  MD5: 1212b3c985046ecb241e195e25a9913b
  SHA1: 984eb9a8f5cb572774115307d65557e9a6a7f31d
  SHA256: d02c7e238675ed340d700e865360567a92cece2754486e033a7957f7f0b33a22
  SHA512: e10aecd08a673158e82520deafcaa7e298269c3a0ee123c9ac154b2f85af5946bfbbec5525558a00abee866e72b6710b1ea6a2409c2e2263062276df81da67a3

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
  MD5: 9e2b9928c89a9d0da1d3e8f4bd96afa7
  SHA1: ec66cda99f44b62470c6930e5afda061579cde35
  SHA256: 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
  SHA512: 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

memory/304-75-0x00000000024F0000-0x000000000313A000-memory.dmp
  Filesize: 12.3MB

memory/304-77-0x00000000024F0000-0x000000000313A000-memory.dmp
  Filesize: 12.3MB

memory/304-60-0x0000000000000000-mapping.dmp

memory/304-76-0x00000000024F0000-0x000000000313A000-memory.dmp
  Filesize: 12.3MB

memory/304-62-0x0000000075141000-0x0000000075143000-memory.dmp
  Filesize: 8KB

memory/976-72-0x00000000004080E4-mapping.dmp

memory/976-64-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB

memory/976-66-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB

memory/976-67-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB

memory/976-68-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB

memory/976-69-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB

memory/976-70-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB

memory/976-65-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB

memory/976-71-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB

memory/976-74-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB

memory/1440-61-0x0000000000000000-mapping.dmp

memory/1452-55-0x0000000000340000-0x0000000000341000-memory.dmp
  Filesize: 4KB

memory/1452-59-0x0000000004950000-0x00000000049C8000-memory.dmp
  Filesize: 480KB

memory/1452-58-0x0000000000440000-0x0000000000441000-memory.dmp
  Filesize: 4KB

memory/1452-57-0x0000000000430000-0x0000000000436000-memory.dmp
  Filesize: 24KB