0971cbc70ca0abf88a7059f0eb904112d64db2355890bc956244b44371534a28

General

Target

RFQ.exe
Size

875KB
MD5

d09e24ff3e15d721e4a7feac4e9b1ef5
SHA1

12017612e0361f56a2d1fd593a3b54895a34f4a9
SHA256

776a4ff176f431da77a945cf047746d71aa1b629c743d16a8018f883692cf7c8
SHA512

9c084b6b92a0cfb0bf7d3eef6aee45a3fd881a968b95e07b268093bb7b41d52bae883b4df012f58afe36d044fa75a6da37384e84b23166b7e6dc7ac770c43d2d

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RFQ.exeRFQ.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	RFQ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	RFQ.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

35 api.ipify.org
37 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

RFQ.exe

description pid process target process

PID 4480 set thread context of 4360 4480 RFQ.exe RFQ.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2632 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

RFQ.exe

pid process

4480 RFQ.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RFQ.exeRFQ.exe

description pid process

Token: SeDebugPrivilege 4480 RFQ.exe
Token: SeDebugPrivilege 4360 RFQ.exe

flow	ioc
35	api.ipify.org
37	api.ipify.org

description	pid	process	target process
PID 4480 set thread context of 4360	4480	RFQ.exe	RFQ.exe

pid	process
2632	schtasks.exe

pid	process
4480	RFQ.exe

description	pid	process
Token: SeDebugPrivilege	4480	RFQ.exe
Token: SeDebugPrivilege	4360	RFQ.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

RFQ.exe

description	pid	process	target process
PID 4480 wrote to memory of 2632	4480	RFQ.exe	schtasks.exe
PID 4480 wrote to memory of 2632	4480	RFQ.exe	schtasks.exe
PID 4480 wrote to memory of 2632	4480	RFQ.exe	schtasks.exe
PID 4480 wrote to memory of 4360	4480	RFQ.exe	RFQ.exe
PID 4480 wrote to memory of 4360	4480	RFQ.exe	RFQ.exe
PID 4480 wrote to memory of 4360	4480	RFQ.exe	RFQ.exe
PID 4480 wrote to memory of 4360	4480	RFQ.exe	RFQ.exe
PID 4480 wrote to memory of 4360	4480	RFQ.exe	RFQ.exe
PID 4480 wrote to memory of 4360	4480	RFQ.exe	RFQ.exe
PID 4480 wrote to memory of 4360	4480	RFQ.exe	RFQ.exe
PID 4480 wrote to memory of 4360	4480	RFQ.exe	RFQ.exe

C:\Users\Admin\AppData\Local\Temp\RFQ.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4480

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oLpxgY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA21C.tmp"
2⤵
- Creates scheduled task(s)
PID:2632

C:\Users\Admin\AppData\Local\Temp\RFQ.exe
"{path}"
2⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:4360

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ.exe.log
Filesize
507B

MD5
ab4c71d3ff6255edd4e5c1e09540f49e

SHA1
22e06bf4e258741b5df918061871cba998c50cea

SHA256
1690fec628f775dd3c3385b800eed126b37978ef2ffd592b024052724caafb5a

SHA512
8fa7d0045796e6cda7c28e2b9a690ef550619828c1b5d0ebf8e8367aff4bf4d9f63121e5b4f199d30cb8006eb584c6767f4c59150749b8256dab9dd0ebd9f1af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA21C.tmp
Filesize
1KB

MD5
c60e0505924032b24e2ca346156dafa1

SHA1
a53ad617e9429faed5b2ac4beb5840e7af9c7abf

SHA256
8eabc350581c0faec5fd926910bfb9595984cf9fabb1dd86718e795adff2fa8f

SHA512
4384ceef6cc125d6698767eccb4aee0893aa400541ad94127889296eacdb3cdc77c77463cea35a688bbca1043ab9d2c8183e99bf035d18072b58e2437523bc6c

Download Submit
memory/2632-135-0x0000000000000000-mapping.dmp

Download
memory/4360-163-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-173-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-648-0x00000000052A0000-0x0000000005306000-memory.dmp

Filesize
408KB

Download
memory/4360-137-0x0000000000000000-mapping.dmp

Download
memory/4360-138-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-167-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-143-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-145-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-165-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-147-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-149-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-151-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-153-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-155-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-159-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-161-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-157-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-175-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-141-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-185-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-183-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-171-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-177-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-181-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-179-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-169-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-187-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-191-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-199-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-197-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-201-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-195-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-193-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4360-189-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4480-134-0x0000000005C30000-0x00000000061D4000-memory.dmp

Filesize
5.6MB

Download
memory/4480-131-0x0000000000010000-0x00000000000F2000-memory.dmp

Filesize
904KB

Download
memory/4480-132-0x0000000004A50000-0x0000000004AEC000-memory.dmp

Filesize
624KB

Download
memory/4480-133-0x0000000004C00000-0x0000000004C92000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads