Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 29-11-2021 14:36
Static task: static1
Behavioral task: behavioral1
  Sample: rfq.exe
  Resource: win7-en-20211104
Behavioral task: behavioral2
  Sample: rfq.exe
  Resource: win10-en-20211014
General
- Target: rfq.exe
- Size: 595KB
- MD5: 1212b3c985046ecb241e195e25a9913b
- SHA1: 984eb9a8f5cb572774115307d65557e9a6a7f31d
- SHA256: d02c7e238675ed340d700e865360567a92cece2754486e033a7957f7f0b33a22
- SHA512: e10aecd08a673158e82520deafcaa7e298269c3a0ee123c9ac154b2f85af5946bfbbec5525558a00abee866e72b6710b1ea6a2409c2e2263062276df81da67a3
Malware Config
Signatures
- Detect Neshta Payload (3 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/3196-131-0x00000000004080E4-mapping.dmp | family_neshta
  behavioral2/memory/3196-130-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral2/memory/3196-134-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
- Modifies system executable filetype association (2 TTPs, 1 IoCs)
  Processes: rfq.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | rfq.exe
- Neshta
  Malware from the Neshta family infects other files in order to spread itself and cause damage.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: rfq.exe
  description | pid | process | target process
  PID 2624 set thread context of 3196 | 2624 | rfq.exe | rfq.exe
- Drops file in Program Files directory (53 IoCs)
  Processes: rfq.exe
  description | ioc | process
  File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe | rfq.exe
  File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | rfq.exe
  File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | rfq.exe
  File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe | rfq.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe | rfq.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\WI54FB~1\wmprph.exe | rfq.exe
  File opened for modification | C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | rfq.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe | rfq.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | rfq.exe
  File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE | rfq.exe
  File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\WI54FB~1\wmplayer.exe | rfq.exe
  File opened for modification | C:\PROGRA~2\INTERN~1\ExtExport.exe | rfq.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe | rfq.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe | rfq.exe
  File opened for modification | C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe | rfq.exe
  File opened for modification | C:\PROGRA~2\WI54FB~1\wmpshare.exe | rfq.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe | rfq.exe
  File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | rfq.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe | rfq.exe
  File opened for modification | C:\PROGRA~2\WI54FB~1\wmlaunch.exe | rfq.exe
  File opened for modification | C:\PROGRA~2\WINDOW~2\wab.exe | rfq.exe
  File opened for modification | C:\PROGRA~2\WI54FB~1\setup_wm.exe | rfq.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe | rfq.exe
  File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\WI54FB~1\wmpconfig.exe | rfq.exe
  File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\WINDOW~2\wabmig.exe | rfq.exe
  File opened for modification | C:\PROGRA~2\WI8A19~1\ImagingDevices.exe | rfq.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe | rfq.exe
  File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\WINDOW~2\WinMail.exe | rfq.exe
  File opened for modification | C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe | rfq.exe
  File opened for modification | C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE | rfq.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE | rfq.exe
- Drops file in Windows directory (1 IoCs)
  Processes: rfq.exe
  description | ioc | process
  File opened for modification | C:\Windows\svchost.com | rfq.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Modifies registry class (1 IoCs)
  Processes: rfq.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | rfq.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes: rfq.exe, powershell.exe
  pid | process
  2624 | rfq.exe
  2624 | rfq.exe
  2624 | rfq.exe
  2624 | rfq.exe
  2624 | rfq.exe
  2624 | rfq.exe
  2624 | rfq.exe
  4080 | powershell.exe
  4080 | powershell.exe
  4080 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: rfq.exe, powershell.exe
  description | pid | process
  Token: SeDebugPrivilege | 2624 | rfq.exe
  Token: SeDebugPrivilege | 4080 | powershell.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes: rfq.exe
  description | pid | process | target process
  PID 2624 wrote to memory of 4080 | 2624 | rfq.exe | powershell.exe
  PID 2624 wrote to memory of 4080 | 2624 | rfq.exe | powershell.exe
  PID 2624 wrote to memory of 4080 | 2624 | rfq.exe | powershell.exe
  PID 2624 wrote to memory of 1120 | 2624 | rfq.exe | schtasks.exe
  PID 2624 wrote to memory of 1120 | 2624 | rfq.exe | schtasks.exe
  PID 2624 wrote to memory of 1120 | 2624 | rfq.exe | schtasks.exe
  PID 2624 wrote to memory of 3196 | 2624 | rfq.exe | rfq.exe
  PID 2624 wrote to memory of 3196 | 2624 | rfq.exe | rfq.exe
  PID 2624 wrote to memory of 3196 | 2624 | rfq.exe | rfq.exe
  PID 2624 wrote to memory of 3196 | 2624 | rfq.exe | rfq.exe
  PID 2624 wrote to memory of 3196 | 2624 | rfq.exe | rfq.exe
  PID 2624 wrote to memory of 3196 | 2624 | rfq.exe | rfq.exe
  PID 2624 wrote to memory of 3196 | 2624 | rfq.exe | rfq.exe
  PID 2624 wrote to memory of 3196 | 2624 | rfq.exe | rfq.exe
  PID 2624 wrote to memory of 3196 | 2624 | rfq.exe | rfq.exe
  PID 2624 wrote to memory of 3196 | 2624 | rfq.exe | rfq.exe
  PID 2624 wrote to memory of 3196 | 2624 | rfq.exe | rfq.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\rfq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\rfq.exe"
  PID: 2624
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\PvHZQvCKp.exe"
    PID: 4080
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PvHZQvCKp" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAB30.tmp"
    PID: 1120
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\rfq.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\rfq.exe"
    PID: 3196
    - Modifies system executable filetype association
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpAB30.tmp
  MD5: 775ffa6ba20a4cc6433faff9ab7b0d55
  SHA1: 42df272a1b5d62c820c8059c05d54541ed7d9419
  SHA256: 041f853bb2884304c79065588354bdf981000e8a064d43c573979c4f8245392f
  SHA512: 4661a5ddd1b2f5d8ebc0cb8443e0dcb785858ad547282555a0983def119115dca337d698e5fa3b897218b2649e52520c81cc6790ae0fe39c6268b5aaa3706b12
- C:\Users\Admin\AppData\Roaming\PVHZQV~1.EXE
  MD5: 1212b3c985046ecb241e195e25a9913b
  SHA1: 984eb9a8f5cb572774115307d65557e9a6a7f31d
  SHA256: d02c7e238675ed340d700e865360567a92cece2754486e033a7957f7f0b33a22
  SHA512: e10aecd08a673158e82520deafcaa7e298269c3a0ee123c9ac154b2f85af5946bfbbec5525558a00abee866e72b6710b1ea6a2409c2e2263062276df81da67a3
- memory/1120-124-0x0000000000000000-mapping.dmp
- memory/2624-122-0x0000000006900000-0x0000000006901000-memory.dmp (Filesize: 4KB)
- memory/2624-120-0x00000000060E0000-0x00000000060E1000-memory.dmp (Filesize: 4KB)
- memory/2624-121-0x0000000006380000-0x00000000063F8000-memory.dmp (Filesize: 480KB)
- memory/2624-119-0x0000000005A30000-0x0000000005A36000-memory.dmp (Filesize: 24KB)
- memory/2624-118-0x0000000005A60000-0x0000000005A61000-memory.dmp (Filesize: 4KB)
- memory/2624-117-0x00000000059B0000-0x00000000059B1000-memory.dmp (Filesize: 4KB)
- memory/2624-115-0x0000000000EE0000-0x0000000000EE1000-memory.dmp (Filesize: 4KB)
- memory/3196-134-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
- memory/3196-130-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
- memory/3196-131-0x00000000004080E4-mapping.dmp
- memory/4080-132-0x00000000073A0000-0x00000000073A1000-memory.dmp (Filesize: 4KB)
- memory/4080-140-0x0000000008700000-0x0000000008701000-memory.dmp (Filesize: 4KB)
- memory/4080-127-0x0000000004B50000-0x0000000004B51000-memory.dmp (Filesize: 4KB)
- memory/4080-126-0x0000000004A40000-0x0000000004A41000-memory.dmp (Filesize: 4KB)
- memory/4080-133-0x00000000073A2000-0x00000000073A3000-memory.dmp (Filesize: 4KB)
- memory/4080-125-0x0000000004A40000-0x0000000004A41000-memory.dmp (Filesize: 4KB)
- memory/4080-135-0x00000000075E0000-0x00000000075E1000-memory.dmp (Filesize: 4KB)
- memory/4080-136-0x0000000007680000-0x0000000007681000-memory.dmp (Filesize: 4KB)
- memory/4080-137-0x00000000076F0000-0x00000000076F1000-memory.dmp (Filesize: 4KB)
- memory/4080-138-0x0000000008010000-0x0000000008011000-memory.dmp (Filesize: 4KB)
- memory/4080-139-0x00000000078F0000-0x00000000078F1000-memory.dmp (Filesize: 4KB)
- memory/4080-128-0x00000000079E0000-0x00000000079E1000-memory.dmp (Filesize: 4KB)
- memory/4080-141-0x0000000008750000-0x0000000008751000-memory.dmp (Filesize: 4KB)
- memory/4080-142-0x0000000004A40000-0x0000000004A41000-memory.dmp (Filesize: 4KB)
- memory/4080-149-0x0000000009450000-0x0000000009483000-memory.dmp (Filesize: 204KB)
- memory/4080-156-0x0000000009410000-0x0000000009411000-memory.dmp (Filesize: 4KB)
- memory/4080-161-0x0000000009580000-0x0000000009581000-memory.dmp (Filesize: 4KB)
- memory/4080-162-0x000000007F850000-0x000000007F851000-memory.dmp (Filesize: 4KB)
- memory/4080-163-0x0000000009950000-0x0000000009951000-memory.dmp (Filesize: 4KB)
- memory/4080-220-0x00000000073A3000-0x00000000073A4000-memory.dmp (Filesize: 4KB)
- memory/4080-123-0x0000000000000000-mapping.dmp