954040312a1428eb46018d927bd9f453c6df97e3f1509cf23d89a10662ef3d2e

General

Target

xcfgsfaa.exe
Size

1.5MB
MD5

45fd8c84b44a20b4188de744bdf0a3f8
SHA1

37a13e9a7d5af87b82e55630fe78a8e12059dad5
SHA256

59f62f44fbd11163cb3eeb68f2b4606130dd8a01f569624ee4e4c50691c94391
SHA512

70e3fb0696ad94a98bef78b3fb5d8267596032eb5345b160a0820977e5a8988a382da01ff1b4eb140ac9e319f2dcf0ca7978bbb61b78880c9de5741a49fcddcf
SSDEEP

24576:Q4z87j9s0ML+6lvQ0QGTr8ZtkYa5yVke+MomAstHC7w3H79RBWKP:QvfWbLd7Y75+MomAstHC7wr5W

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

rfmfm.exe

pid process

4164 rfmfm.exe

pid	process
4164	rfmfm.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/664-140-0x0000000000700000-0x0000000000AE4000-memory.dmp	upx
behavioral2/memory/664-141-0x0000000000700000-0x0000000000AE4000-memory.dmp	upx
behavioral2/memory/3240-149-0x0000000000FA0000-0x0000000001384000-memory.dmp	upx
behavioral2/memory/3240-150-0x0000000000FA0000-0x0000000001384000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 2 IoCs

Processes:

xcfgsfaa.exerfmfm.exe

description pid process target process

PID 1864 set thread context of 664 1864 xcfgsfaa.exe vbc.exe
PID 4164 set thread context of 3240 4164 rfmfm.exe vbc.exe
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

3944 664 WerFault.exe vbc.exe
3532 664 WerFault.exe vbc.exe
8 3240 WerFault.exe vbc.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1444 schtasks.exe
2464 schtasks.exe

description	pid	process	target process
PID 1864 set thread context of 664	1864	xcfgsfaa.exe	vbc.exe
PID 4164 set thread context of 3240	4164	rfmfm.exe	vbc.exe

pid	pid_target	process	target process
3944	664	WerFault.exe	vbc.exe
3532	664	WerFault.exe	vbc.exe
8	3240	WerFault.exe	vbc.exe

pid	process
1444	schtasks.exe
2464	schtasks.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

xcfgsfaa.execmd.exerfmfm.execmd.exe

description	pid	process	target process
PID 1864 wrote to memory of 4992	1864	xcfgsfaa.exe	cmd.exe
PID 1864 wrote to memory of 4992	1864	xcfgsfaa.exe	cmd.exe
PID 1864 wrote to memory of 4992	1864	xcfgsfaa.exe	cmd.exe
PID 1864 wrote to memory of 4548	1864	xcfgsfaa.exe	cmd.exe
PID 1864 wrote to memory of 4548	1864	xcfgsfaa.exe	cmd.exe
PID 1864 wrote to memory of 4548	1864	xcfgsfaa.exe	cmd.exe
PID 4992 wrote to memory of 1444	4992	cmd.exe	schtasks.exe
PID 4992 wrote to memory of 1444	4992	cmd.exe	schtasks.exe
PID 4992 wrote to memory of 1444	4992	cmd.exe	schtasks.exe
PID 1864 wrote to memory of 664	1864	xcfgsfaa.exe	vbc.exe
PID 1864 wrote to memory of 664	1864	xcfgsfaa.exe	vbc.exe
PID 1864 wrote to memory of 664	1864	xcfgsfaa.exe	vbc.exe
PID 1864 wrote to memory of 664	1864	xcfgsfaa.exe	vbc.exe
PID 1864 wrote to memory of 664	1864	xcfgsfaa.exe	vbc.exe
PID 1864 wrote to memory of 664	1864	xcfgsfaa.exe	vbc.exe
PID 1864 wrote to memory of 664	1864	xcfgsfaa.exe	vbc.exe
PID 4164 wrote to memory of 4608	4164	rfmfm.exe	cmd.exe
PID 4164 wrote to memory of 4608	4164	rfmfm.exe	cmd.exe
PID 4164 wrote to memory of 4608	4164	rfmfm.exe	cmd.exe
PID 4164 wrote to memory of 716	4164	rfmfm.exe	cmd.exe
PID 4164 wrote to memory of 716	4164	rfmfm.exe	cmd.exe
PID 4164 wrote to memory of 716	4164	rfmfm.exe	cmd.exe
PID 4164 wrote to memory of 3240	4164	rfmfm.exe	vbc.exe
PID 4164 wrote to memory of 3240	4164	rfmfm.exe	vbc.exe
PID 4164 wrote to memory of 3240	4164	rfmfm.exe	vbc.exe
PID 4164 wrote to memory of 3240	4164	rfmfm.exe	vbc.exe
PID 4164 wrote to memory of 3240	4164	rfmfm.exe	vbc.exe
PID 4164 wrote to memory of 3240	4164	rfmfm.exe	vbc.exe
PID 4164 wrote to memory of 3240	4164	rfmfm.exe	vbc.exe
PID 4608 wrote to memory of 2464	4608	cmd.exe	schtasks.exe
PID 4608 wrote to memory of 2464	4608	cmd.exe	schtasks.exe
PID 4608 wrote to memory of 2464	4608	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\xcfgsfaa.exe
"C:\Users\Admin\AppData\Local\Temp\xcfgsfaa.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\rfmfm.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4992

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\rfmfm.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1444

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\xcfgsfaa.exe" "C:\Users\Admin\AppData\Roaming\rfmfm.exe"
2⤵
PID:4548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 184
3⤵
- Program crash
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 188
3⤵
- Program crash
PID:3532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 664 -ip 664
1⤵
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 664 -ip 664
1⤵
PID:4184

C:\Users\Admin\AppData\Roaming\rfmfm.exe
C:\Users\Admin\AppData\Roaming\rfmfm.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4164

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\rfmfm.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4608

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\rfmfm.exe'" /f
3⤵
- Creates scheduled task(s)
PID:2464

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\rfmfm.exe" "C:\Users\Admin\AppData\Roaming\rfmfm.exe"
2⤵
PID:716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:3240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 188
3⤵
- Program crash
PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3240 -ip 3240
1⤵
PID:4988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\rfmfm.exe
Filesize
1.5MB

MD5
45fd8c84b44a20b4188de744bdf0a3f8

SHA1
37a13e9a7d5af87b82e55630fe78a8e12059dad5

SHA256
59f62f44fbd11163cb3eeb68f2b4606130dd8a01f569624ee4e4c50691c94391

SHA512
70e3fb0696ad94a98bef78b3fb5d8267596032eb5345b160a0820977e5a8988a382da01ff1b4eb140ac9e319f2dcf0ca7978bbb61b78880c9de5741a49fcddcf

Download Submit
C:\Users\Admin\AppData\Roaming\rfmfm.exe
Filesize
1.5MB

MD5
45fd8c84b44a20b4188de744bdf0a3f8

SHA1
37a13e9a7d5af87b82e55630fe78a8e12059dad5

SHA256
59f62f44fbd11163cb3eeb68f2b4606130dd8a01f569624ee4e4c50691c94391

SHA512
70e3fb0696ad94a98bef78b3fb5d8267596032eb5345b160a0820977e5a8988a382da01ff1b4eb140ac9e319f2dcf0ca7978bbb61b78880c9de5741a49fcddcf

Download Submit
memory/664-138-0x0000000000000000-mapping.dmp

Download
memory/664-141-0x0000000000700000-0x0000000000AE4000-memory.dmp

Filesize
3.9MB

Download
memory/664-140-0x0000000000700000-0x0000000000AE4000-memory.dmp

Filesize
3.9MB

Download
memory/716-145-0x0000000000000000-mapping.dmp

Download
memory/1444-137-0x0000000000000000-mapping.dmp

Download
memory/1864-134-0x0000000005CB0000-0x0000000006254000-memory.dmp

Filesize
5.6MB

Download
memory/1864-133-0x0000000005450000-0x00000000054B6000-memory.dmp

Filesize
408KB

Download
memory/1864-132-0x00000000009B0000-0x0000000000B3A000-memory.dmp

Filesize
1.5MB

Download
memory/2464-147-0x0000000000000000-mapping.dmp

Download
memory/3240-146-0x0000000000000000-mapping.dmp

Download
memory/3240-149-0x0000000000FA0000-0x0000000001384000-memory.dmp

Filesize
3.9MB

Download
memory/3240-150-0x0000000000FA0000-0x0000000001384000-memory.dmp

Filesize
3.9MB

Download
memory/4548-136-0x0000000000000000-mapping.dmp

Download
memory/4608-144-0x0000000000000000-mapping.dmp

Download
memory/4992-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads