Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64 arch:x86 image:win7-20220901-en locale:en-us os:windows7-x64 system
- submitted: 13-09-2022 14:30

Static task: static1

Behavioral task: behavioral1
- Sample: xcfgsfaa.exe
- Resource: win7-20220901-en

Behavioral task: behavioral2
- Sample: xcfgsfaa.exe
- Resource: win10v2004-20220812-en

General
- Target: xcfgsfaa.exe
- Size: 1.5MB
- MD5: 45fd8c84b44a20b4188de744bdf0a3f8
- SHA1: 37a13e9a7d5af87b82e55630fe78a8e12059dad5
- SHA256: 59f62f44fbd11163cb3eeb68f2b4606130dd8a01f569624ee4e4c50691c94391
- SHA512: 70e3fb0696ad94a98bef78b3fb5d8267596032eb5345b160a0820977e5a8988a382da01ff1b4eb140ac9e319f2dcf0ca7978bbb61b78880c9de5741a49fcddcf
- SSDEEP: 24576:Q4z87j9s0ML+6lvQ0QGTr8ZtkYa5yVke+MomAstHC7w3H79RBWKP:QvfWbLd7Y75+MomAstHC7wr5W

Malware Config
Extracted
- Family: bitrat
- Version: 1.38
- C2: 185.174.40.147:5200
- communication_password: e10adc3949ba59abbe56e057f20f883e
- tor_process: tor
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    1480 rfmfm.exe
- Processes (resource, yara_rule):
    behavioral1/memory/556-60-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
    behavioral1/memory/556-62-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
    behavioral1/memory/556-63-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
    behavioral1/memory/556-65-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
    behavioral1/memory/556-66-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
    behavioral1/memory/556-67-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
    behavioral1/memory/556-68-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
    behavioral1/memory/556-72-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
- Uses the VBS compiler for execution (1 TTPs)
- Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  Processes (pid, process):
    556 vbc.exe
    556 vbc.exe
    556 vbc.exe
    556 vbc.exe
    556 vbc.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description, pid, process, target process):
    PID 1064 set thread context of 556   1064 xcfgsfaa.exe  vbc.exe
    PID 1480 set thread context of 1564  1480 rfmfm.exe     vbc.exe
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege     556 vbc.exe
    Token: SeShutdownPrivilege  556 vbc.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid, process):
    556 vbc.exe
    556 vbc.exe
- Suspicious use of WriteProcessMemory (44 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\xcfgsfaa.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\xcfgsfaa.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\rfmfm.exe'" /f
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\rfmfm.exe'" /f
      - Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\xcfgsfaa.exe" "C:\Users\Admin\AppData\Roaming\rfmfm.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {06BD4C29-73DB-4B59-A108-08F6F3EAA9D6} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\rfmfm.exe
    Command line: C:\Users\Admin\AppData\Roaming\rfmfm.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\rfmfm.exe'" /f
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\rfmfm.exe'" /f
        - Creates scheduled task(s)
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd" /c copy "C:\Users\Admin\AppData\Roaming\rfmfm.exe" "C:\Users\Admin\AppData\Roaming\rfmfm.exe"
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\rfmfm.exe
  Filesize: 1.5MB
  MD5: 45fd8c84b44a20b4188de744bdf0a3f8
  SHA1: 37a13e9a7d5af87b82e55630fe78a8e12059dad5
  SHA256: 59f62f44fbd11163cb3eeb68f2b4606130dd8a01f569624ee4e4c50691c94391
  SHA512: 70e3fb0696ad94a98bef78b3fb5d8267596032eb5345b160a0820977e5a8988a382da01ff1b4eb140ac9e319f2dcf0ca7978bbb61b78880c9de5741a49fcddcf
- memory/268-58-0x0000000000000000-mapping.dmp
- memory/556-67-0x0000000000400000-0x00000000007E4000-memory.dmp (Filesize: 3.9MB)
- memory/556-70-0x0000000000250000-0x000000000025A000-memory.dmp (Filesize: 40KB)
- memory/556-59-0x0000000000400000-0x00000000007E4000-memory.dmp (Filesize: 3.9MB)
- memory/556-60-0x0000000000400000-0x00000000007E4000-memory.dmp (Filesize: 3.9MB)
- memory/556-62-0x0000000000400000-0x00000000007E4000-memory.dmp (Filesize: 3.9MB)
- memory/556-64-0x00000000007E2730-mapping.dmp
- memory/556-63-0x0000000000400000-0x00000000007E4000-memory.dmp (Filesize: 3.9MB)
- memory/556-65-0x0000000000400000-0x00000000007E4000-memory.dmp (Filesize: 3.9MB)
- memory/556-66-0x0000000000400000-0x00000000007E4000-memory.dmp (Filesize: 3.9MB)
- memory/556-74-0x0000000000250000-0x000000000025A000-memory.dmp (Filesize: 40KB)
- memory/556-68-0x0000000000400000-0x00000000007E4000-memory.dmp (Filesize: 3.9MB)
- memory/556-73-0x0000000000250000-0x000000000025A000-memory.dmp (Filesize: 40KB)
- memory/556-71-0x0000000000250000-0x000000000025A000-memory.dmp (Filesize: 40KB)
- memory/556-72-0x0000000000400000-0x00000000007E4000-memory.dmp (Filesize: 3.9MB)
- memory/1064-54-0x00000000001D0000-0x000000000035A000-memory.dmp (Filesize: 1.5MB)
- memory/1064-55-0x0000000075BB1000-0x0000000075BB3000-memory.dmp (Filesize: 8KB)
- memory/1264-82-0x0000000000000000-mapping.dmp
- memory/1280-81-0x0000000000000000-mapping.dmp
- memory/1480-76-0x0000000000000000-mapping.dmp
- memory/1480-78-0x0000000000200000-0x000000000038A000-memory.dmp (Filesize: 1.5MB)
- memory/1564-88-0x00000000007E2730-mapping.dmp
- memory/1636-57-0x0000000000000000-mapping.dmp
- memory/1640-56-0x0000000000000000-mapping.dmp
- memory/2028-80-0x0000000000000000-mapping.dmp