Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 22:29
Static task: static1
Behavioral task: behavioral1
- Sample: RFQ_PCPSPIRSZ2020022.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: RFQ_PCPSPIRSZ2020022.exe
- Resource: win10v2004-20220414-en
General
- Target: RFQ_PCPSPIRSZ2020022.exe
- Size: 895KB
- MD5: 78b61b1e9b375628d02bf7d289b1aeab
- SHA1: f861925e28320134d0458100c9898d6fdd8c0154
- SHA256: a551bc2327862c1430dac51dce368001622525fae235ca689f7b055e0d3125c7
- SHA512: 05cd3aeefb9fee84c813af2951eccf2b5c2e1679a3fe892cdd9d6a37cc215064bde4e9a39f41c1afbba9e672020a1f7e5a7c25452f01ffe91ec54de48c2ef3cd
Malware Config
Signatures
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: RFQ_PCPSPIRSZ2020022.exe
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (RFQ_PCPSPIRSZ2020022.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (RFQ_PCPSPIRSZ2020022.exe)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: RFQ_PCPSPIRSZ2020022.exe
  - Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation (RFQ_PCPSPIRSZ2020022.exe)
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes: RFQ_PCPSPIRSZ2020022.exe
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (RFQ_PCPSPIRSZ2020022.exe)
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (RFQ_PCPSPIRSZ2020022.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: RFQ_PCPSPIRSZ2020022.exe
  - PID 2584 (RFQ_PCPSPIRSZ2020022.exe) set thread context of PID 4408 (RFQ_PCPSPIRSZ2020022.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: RFQ_PCPSPIRSZ2020022.exe, RFQ_PCPSPIRSZ2020022.exe, powershell.exe
  - PID 2584 RFQ_PCPSPIRSZ2020022.exe (4 events)
  - PID 4408 RFQ_PCPSPIRSZ2020022.exe (2 events)
  - PID 1032 powershell.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: RFQ_PCPSPIRSZ2020022.exe, RFQ_PCPSPIRSZ2020022.exe, powershell.exe
  - Token: SeDebugPrivilege, PID 2584 RFQ_PCPSPIRSZ2020022.exe
  - Token: SeDebugPrivilege, PID 4408 RFQ_PCPSPIRSZ2020022.exe
  - Token: SeDebugPrivilege, PID 1032 powershell.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes: RFQ_PCPSPIRSZ2020022.exe, RFQ_PCPSPIRSZ2020022.exe, cmd.exe
  - PID 2584 (RFQ_PCPSPIRSZ2020022.exe) wrote to memory of PID 4252 (schtasks.exe), 3 events
  - PID 2584 (RFQ_PCPSPIRSZ2020022.exe) wrote to memory of PID 4408 (RFQ_PCPSPIRSZ2020022.exe), 8 events
  - PID 4408 (RFQ_PCPSPIRSZ2020022.exe) wrote to memory of PID 3616 (cmd.exe), 3 events
  - PID 3616 (cmd.exe) wrote to memory of PID 1032 (powershell.exe), 3 events
Processes
- C:\Users\Admin\AppData\Local\Temp\RFQ_PCPSPIRSZ2020022.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ_PCPSPIRSZ2020022.exe"
  Signatures:
  - Checks BIOS information in registry
  - Checks computer location settings
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dTPwlukysvENt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp608F.tmp"
    Signatures:
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\RFQ_PCPSPIRSZ2020022.exe (depth 2)
    Command line: "{path}"
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\RFQ_PCPSPIRSZ2020022.exe' & exit
      Signatures:
      - Suspicious use of WriteProcessMemory
      Children:
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 4)
        Command line: powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\RFQ_PCPSPIRSZ2020022.exe'
        Signatures:
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ_PCPSPIRSZ2020022.exe.log
  - Filesize: 1KB
  - MD5: e08f822522c617a40840c62e4b0fb45e
  - SHA1: ae516dca4da5234be6676d3f234c19ec55725be7
  - SHA256: bd9d5e9f7fe6fcff17d873555d4077d15f7d6cdda1183e7f7d278b735ffe1fd7
  - SHA512: 894a7fb7bbc18ac6ba13378f58a7db80ad00d6080be9a66b01cae8e23e41d9d2d4cd53c1e20669356b73590c8a3ebfda4bdda3258f81240db56c4a81b7313fe4
- C:\Users\Admin\AppData\Local\Temp\tmp608F.tmp
  - Filesize: 1KB
  - MD5: 802cc2ccf7c388d20b26d13b1223f205
  - SHA1: 5843560ba739c2ca0f32b575df1e4980921bb610
  - SHA256: 518f7c17ba99cfd989c6d3329e3da6996a5283bd9909ad818a27b68bd40dc54b
  - SHA512: 0390c9106a31da494816124e074b8c0876ab252dfbb6f27784a3c10d593e5cea1dcb298866b94b7b3fd5acf1cef5dac011aad6adca2d40609352af014ee0e528
- memory/1032-145-0x00000000058C0000-0x00000000058E2000-memory.dmp (Filesize: 136KB)
- memory/1032-142-0x0000000000000000-mapping.dmp
- memory/1032-151-0x0000000006E30000-0x0000000006E52000-memory.dmp (Filesize: 136KB)
- memory/1032-150-0x0000000007AE0000-0x0000000007B76000-memory.dmp (Filesize: 600KB)
- memory/1032-149-0x0000000006D60000-0x0000000006D7A000-memory.dmp (Filesize: 104KB)
- memory/1032-148-0x0000000008160000-0x00000000087DA000-memory.dmp (Filesize: 6.5MB)
- memory/1032-147-0x00000000068F0000-0x000000000690E000-memory.dmp (Filesize: 120KB)
- memory/1032-146-0x0000000005960000-0x00000000059C6000-memory.dmp (Filesize: 408KB)
- memory/1032-144-0x0000000005C20000-0x0000000006248000-memory.dmp (Filesize: 6.2MB)
- memory/1032-143-0x00000000030A0000-0x00000000030D6000-memory.dmp (Filesize: 216KB)
- memory/2584-130-0x0000000000EE0000-0x0000000000FC6000-memory.dmp (Filesize: 920KB)
- memory/2584-131-0x00000000083E0000-0x0000000008984000-memory.dmp (Filesize: 5.6MB)
- memory/2584-133-0x0000000007EE0000-0x0000000007EEA000-memory.dmp (Filesize: 40KB)
- memory/2584-132-0x0000000007E30000-0x0000000007EC2000-memory.dmp (Filesize: 584KB)
- memory/2584-135-0x000000000F590000-0x000000000F5F6000-memory.dmp (Filesize: 408KB)
- memory/2584-134-0x0000000008140000-0x00000000081DC000-memory.dmp (Filesize: 624KB)
- memory/3616-141-0x0000000000000000-mapping.dmp
- memory/4252-136-0x0000000000000000-mapping.dmp
- memory/4408-139-0x0000000000400000-0x00000000004B8000-memory.dmp (Filesize: 736KB)
- memory/4408-138-0x0000000000000000-mapping.dmp