0971cbc70ca0abf88a7059f0eb904112d64db2355890bc956244b44371534a28

Analysis

max time kernel
125s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
21-05-2022 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RFQ.exe
Size

875KB
MD5

d09e24ff3e15d721e4a7feac4e9b1ef5
SHA1

12017612e0361f56a2d1fd593a3b54895a34f4a9
SHA256

776a4ff176f431da77a945cf047746d71aa1b629c743d16a8018f883692cf7c8
SHA512

9c084b6b92a0cfb0bf7d3eef6aee45a3fd881a968b95e07b268093bb7b41d52bae883b4df012f58afe36d044fa75a6da37384e84b23166b7e6dc7ac770c43d2d

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	RFQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	RFQ.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
35	api.ipify.org
37	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4480 set thread context of 4360	4480	RFQ.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2632	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4480	RFQ.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4480	RFQ.exe
Token: SeDebugPrivilege	4360	RFQ.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 2632	4480	RFQ.exe	82
PID 4480 wrote to memory of 2632	4480	RFQ.exe	82
PID 4480 wrote to memory of 2632	4480	RFQ.exe	82
PID 4480 wrote to memory of 4360	4480	RFQ.exe	84
PID 4480 wrote to memory of 4360	4480	RFQ.exe	84
PID 4480 wrote to memory of 4360	4480	RFQ.exe	84
PID 4480 wrote to memory of 4360	4480	RFQ.exe	84
PID 4480 wrote to memory of 4360	4480	RFQ.exe	84
PID 4480 wrote to memory of 4360	4480	RFQ.exe	84
PID 4480 wrote to memory of 4360	4480	RFQ.exe	84
PID 4480 wrote to memory of 4360	4480	RFQ.exe	84

C:\Users\Admin\AppData\Local\Temp\RFQ.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oLpxgY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA21C.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2632
- C:\Users\Admin\AppData\Local\Temp\RFQ.exe
  "{path}"
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ.exe.log

Filesize
507B

MD5
ab4c71d3ff6255edd4e5c1e09540f49e

SHA1
22e06bf4e258741b5df918061871cba998c50cea

SHA256
1690fec628f775dd3c3385b800eed126b37978ef2ffd592b024052724caafb5a

SHA512
8fa7d0045796e6cda7c28e2b9a690ef550619828c1b5d0ebf8e8367aff4bf4d9f63121e5b4f199d30cb8006eb584c6767f4c59150749b8256dab9dd0ebd9f1af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA21C.tmp

Filesize
1KB

MD5
c60e0505924032b24e2ca346156dafa1

SHA1
a53ad617e9429faed5b2ac4beb5840e7af9c7abf

SHA256
8eabc350581c0faec5fd926910bfb9595984cf9fabb1dd86718e795adff2fa8f

SHA512
4384ceef6cc125d6698767eccb4aee0893aa400541ad94127889296eacdb3cdc77c77463cea35a688bbca1043ab9d2c8183e99bf035d18072b58e2437523bc6c

Download Submit
memory/4360-163-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-173-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-648-0x00000000052A0000-0x0000000005306000-memory.dmp

Filesize
408KB

Download
memory/4360-138-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-167-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-143-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-145-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-165-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-147-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-149-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-151-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-153-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-155-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-159-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-161-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-157-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-175-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-141-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-185-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-183-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-171-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-177-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-181-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-179-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-169-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-187-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-191-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-199-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-197-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-201-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-195-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-193-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-189-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4480-134-0x0000000005C30000-0x00000000061D4000-memory.dmp

Filesize
5.6MB

Download
memory/4480-131-0x0000000000010000-0x00000000000F2000-memory.dmp

Filesize
904KB

Download
memory/4480-132-0x0000000004A50000-0x0000000004AEC000-memory.dmp

Filesize
624KB

Download
memory/4480-133-0x0000000004C00000-0x0000000004C92000-memory.dmp

Filesize
584KB

Download