6c5210755b655eb982c7d572de94e5ef9d685ec236e629ef03eb99bbcabfcdaf

General

Target

RFQ.exe
Size

842KB
MD5

43bf47ce9c3b94e284d4b1127ae23316
SHA1

ecd3faede2a34fee58c8b84e297abf217e9b4b4c
SHA256

db18483e4256dc8f3362b52e3474260eeee4a7e7af43c8126200237e5a8804db
SHA512

dfa81578090f56788c7b76bbca564a2c3cfb2e49c6ee83a92a46adc5a57a802950c18368ae1a4df68d4e0b6e3342b2c83d0ebb1b73b4edd93f347d309a891d72

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

RFQ.exe

description pid process target process

PID 4892 set thread context of 384 4892 RFQ.exe RFQ.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

RFQ.exepowershell.exe

pid process

4892 RFQ.exe
4892 RFQ.exe
4892 RFQ.exe
4892 RFQ.exe
4892 RFQ.exe
264 powershell.exe
264 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RFQ.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4892 RFQ.exe
Token: SeDebugPrivilege 264 powershell.exe

description	pid	process	target process
PID 4892 set thread context of 384	4892	RFQ.exe	RFQ.exe

pid	process
4892	RFQ.exe
4892	RFQ.exe
4892	RFQ.exe
4892	RFQ.exe
4892	RFQ.exe
264	powershell.exe
264	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4892	RFQ.exe
Token: SeDebugPrivilege	264	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

RFQ.exeRFQ.execmd.exe

description	pid	process	target process
PID 4892 wrote to memory of 1420	4892	RFQ.exe	RFQ.exe
PID 4892 wrote to memory of 1420	4892	RFQ.exe	RFQ.exe
PID 4892 wrote to memory of 1420	4892	RFQ.exe	RFQ.exe
PID 4892 wrote to memory of 384	4892	RFQ.exe	RFQ.exe
PID 4892 wrote to memory of 384	4892	RFQ.exe	RFQ.exe
PID 4892 wrote to memory of 384	4892	RFQ.exe	RFQ.exe
PID 4892 wrote to memory of 384	4892	RFQ.exe	RFQ.exe
PID 4892 wrote to memory of 384	4892	RFQ.exe	RFQ.exe
PID 4892 wrote to memory of 384	4892	RFQ.exe	RFQ.exe
PID 4892 wrote to memory of 384	4892	RFQ.exe	RFQ.exe
PID 4892 wrote to memory of 384	4892	RFQ.exe	RFQ.exe
PID 384 wrote to memory of 3488	384	RFQ.exe	cmd.exe
PID 384 wrote to memory of 3488	384	RFQ.exe	cmd.exe
PID 384 wrote to memory of 3488	384	RFQ.exe	cmd.exe
PID 3488 wrote to memory of 264	3488	cmd.exe	powershell.exe
PID 3488 wrote to memory of 264	3488	cmd.exe	powershell.exe
PID 3488 wrote to memory of 264	3488	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\RFQ.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Users\Admin\AppData\Local\Temp\RFQ.exe
  "{path}"
  2⤵
  PID:1420
- C:\Users\Admin\AppData\Local\Temp\RFQ.exe
  "{path}"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:384
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\RFQ.exe' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3488
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\RFQ.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:264

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ.exe.log

Filesize
412B

MD5
be13ac3b65841ec3eedbd017b51c53b0

SHA1
c07874d283990055034a448f0dffc005586b791e

SHA256
e82d6ad0571bd9377d067f29c5c088cd8b5de2770dc240d69178a149488a6426

SHA512
8a0bcd002790d0ab8a458c37499552825cdc5f7c5ae3b18f8dc0f0b1fc076a3cf768cffd10116df37181d6d690a15c031f40ae15f668883b3ac26072151bac47

Download Submit
memory/264-145-0x00000000064F0000-0x000000000650E000-memory.dmp

Filesize
120KB

Download
memory/264-144-0x00000000055E0000-0x0000000005646000-memory.dmp

Filesize
408KB

Download
memory/264-140-0x0000000000000000-mapping.dmp

Download
memory/264-148-0x0000000007770000-0x0000000007806000-memory.dmp

Filesize
600KB

Download
memory/264-147-0x00000000069F0000-0x0000000006A0A000-memory.dmp

Filesize
104KB

Download
memory/264-146-0x0000000007B50000-0x00000000081CA000-memory.dmp

Filesize
6.5MB

Download
memory/264-143-0x0000000005540000-0x0000000005562000-memory.dmp

Filesize
136KB

Download
memory/264-141-0x0000000002BC0000-0x0000000002BF6000-memory.dmp

Filesize
216KB

Download
memory/264-142-0x0000000005750000-0x0000000005D78000-memory.dmp

Filesize
6.2MB

Download
memory/264-149-0x0000000006AB0000-0x0000000006AD2000-memory.dmp

Filesize
136KB

Download
memory/384-137-0x0000000006160000-0x0000000006704000-memory.dmp

Filesize
5.6MB

Download
memory/384-136-0x00000000055C0000-0x0000000005626000-memory.dmp

Filesize
408KB

Download
memory/384-135-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/384-134-0x0000000000000000-mapping.dmp

Download
memory/1420-133-0x0000000000000000-mapping.dmp

Download
memory/3488-138-0x0000000000000000-mapping.dmp

Download
memory/4892-132-0x000000000B7D0000-0x000000000B86C000-memory.dmp

Filesize
624KB

Download
memory/4892-130-0x0000000000790000-0x0000000000868000-memory.dmp

Filesize
864KB

Download
memory/4892-131-0x0000000005290000-0x0000000005322000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads