Analysis
- max time kernel: 152s
- max time network: 162s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 01:20
- Static task: static1
- Behavioral task: behavioral1
- Sample: RFQ#7018.exe
- Resource: win7-20220414-en
General
- Target: RFQ#7018.exe
- Size: 304KB
- MD5: ff63351b26aa98482e65c848d3c81dba
- SHA1: a12eac529a3e6f4f54ef3132077ede6fadac14ee
- SHA256: e2234312d9f3cca21a317e8fddb427b2dd315cd69f9c1cc3606016c154fa4182
- SHA512: 656a29f833f50921196bcee13f39ad6eb2c2f7f4aaedf471b3517d6b366354579e3f103d2e2ac3c398b5a1be647149825d58f240defd07a430a6aa3f811fedd5
Malware Config
Extracted: formbook (version 3.9, campaign 20w)
Signatures
-
CoreEntity .NET Packer (1 IoC)
A .NET packer called CoreEntity, which embeds the payload as a BitMap object that is later decrypted.
Processes:
resource | yara_rule
behavioral1/memory/1640-56-0x00000000002F0000-0x00000000002F8000-memory.dmp | coreentity
-
Formbook Payload (3 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/1256-63-0x0000000000400000-0x000000000042A000-memory.dmp | formbook
behavioral1/memory/1256-64-0x000000000041B680-mapping.dmp | formbook
behavioral1/memory/2032-72-0x0000000000080000-0x00000000000AA000-memory.dmp | formbook
-
ReZer0 packer (1 IoC)
Detects ReZer0, a packer with multiple versions used in various campaigns.
Processes:
resource | yara_rule
behavioral1/memory/1640-57-0x0000000001F10000-0x0000000001F48000-memory.dmp | rezer0
-
Deletes itself (1 IoC)
Processes:
pid | process
1996 | cmd.exe
-
Suspicious use of SetThreadContext (3 IoCs)
Processes:
description | pid | process | target process
PID 1640 set thread context of 1256 | 1640 | RFQ#7018.exe | RFQ#7018.exe
PID 1256 set thread context of 1212 | 1256 | RFQ#7018.exe | Explorer.EXE
PID 2032 set thread context of 1212 | 2032 | cmd.exe | Explorer.EXE
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses (27 IoCs)
Processes:
pid | process | events
1256 | RFQ#7018.exe | 2
2032 | cmd.exe | 25
-
Suspicious behavior: MapViewOfSection (5 IoCs)
Processes:
pid | process | events
1256 | RFQ#7018.exe | 3
2032 | cmd.exe | 2
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1256 | RFQ#7018.exe
Token: SeDebugPrivilege | 2032 | cmd.exe
-
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
pid | process | events
1212 | Explorer.EXE | 2
-
Suspicious use of SendNotifyMessage (2 IoCs)
Processes:
pid | process | events
1212 | Explorer.EXE | 2
-
Suspicious use of WriteProcessMemory (19 IoCs)
Processes:
description | pid | process | target process | events
PID 1640 wrote to memory of 964 | 1640 | RFQ#7018.exe | schtasks.exe | 4
PID 1640 wrote to memory of 1256 | 1640 | RFQ#7018.exe | RFQ#7018.exe | 7
PID 1212 wrote to memory of 2032 | 1212 | Explorer.EXE | cmd.exe | 4
PID 2032 wrote to memory of 1996 | 2032 | cmd.exe | cmd.exe | 4
Processes
-
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   PID: 1212
   2. C:\Users\Admin\AppData\Local\Temp\RFQ#7018.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ#7018.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID: 1640
      3. C:\Windows\SysWOW64\schtasks.exe
         Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RIEsscrX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5294.tmp"
         - Creates scheduled task(s)
         PID: 964
      3. C:\Users\Admin\AppData\Local\Temp\RFQ#7018.exe
         Command line: "{path}"
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
         PID: 1256
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\SysWOW64\cmd.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2032
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: /c del "C:\Users\Admin\AppData\Local\Temp\RFQ#7018.exe"
         - Deletes itself
         PID: 1996
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp5294.tmp (1KB)
  MD5: b07a53c6fc8fc5fc83a5733cfca6a41e
  SHA1: 16c91ab6f7c6316068c885662ec5e688ecea5015
  SHA256: cab014bd9d149ccba1b7bdc9d3018f6e7fedf754726f45a162eeeaa9ecd3e594
  SHA512: 8be43911501213272d01e59cb6de2b14adbd395b8797eae791ede419ce57b5166401b065b4ab0a5446833c3fdfda8998612970a7f943ecdc7c103ec10e921a96
- memory/964-58-0x0000000000000000-mapping.dmp
- memory/1212-75-0x0000000004C10000-0x0000000004D32000-memory.dmp (1.1MB)
- memory/1212-68-0x0000000004A60000-0x0000000004B42000-memory.dmp (904KB)
- memory/1256-66-0x0000000000860000-0x0000000000B63000-memory.dmp (3.0MB)
- memory/1256-67-0x0000000000390000-0x00000000003A4000-memory.dmp (80KB)
- memory/1256-60-0x0000000000400000-0x000000000042A000-memory.dmp (168KB)
- memory/1256-61-0x0000000000400000-0x000000000042A000-memory.dmp (168KB)
- memory/1256-63-0x0000000000400000-0x000000000042A000-memory.dmp (168KB)
- memory/1256-64-0x000000000041B680-mapping.dmp
- memory/1640-54-0x0000000000190000-0x00000000001E2000-memory.dmp (328KB)
- memory/1640-57-0x0000000001F10000-0x0000000001F48000-memory.dmp (224KB)
- memory/1640-56-0x00000000002F0000-0x00000000002F8000-memory.dmp (32KB)
- memory/1640-55-0x0000000075AE1000-0x0000000075AE3000-memory.dmp (8KB)
- memory/1996-70-0x0000000000000000-mapping.dmp
- memory/2032-69-0x0000000000000000-mapping.dmp
- memory/2032-71-0x000000004A8B0000-0x000000004A8FC000-memory.dmp (304KB)
- memory/2032-72-0x0000000000080000-0x00000000000AA000-memory.dmp (168KB)
- memory/2032-73-0x0000000002120000-0x0000000002423000-memory.dmp (3.0MB)
- memory/2032-74-0x0000000001E50000-0x0000000001EE3000-memory.dmp (588KB)