Analysis
- Max time kernel: 76s
- Max time network: 116s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220812-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 30-09-2022 13:28
Static task: static1
Behavioral task: behavioral1
- Sample: Fattoruso Tech Srl RFQ.exe
- Resource: win10v2004-20220812-en
General
- Target: Fattoruso Tech Srl RFQ.exe
- Size: 620KB
- MD5: 260f6e729e919bef46b9fde9584e62cf
- SHA1: f9861fe9d82a7d8ac405b6a4adf8ebae60133692
- SHA256: 021a0fc05ac41240f0388f147781324d51e1a31ce772a628d7ad9705aad3a8d4
- SHA512: 6fd3caf7b08706ee8e24c60caf5d90d5a49091ebf362222fbdf4a40d8f20f0f658be318f67ca1f559ac9f5e56e5bfffff395e7b3f3f826a48d4f393016edadd6
- SSDEEP: 12288:HToPWBv/cpGrU3yx3meidRqvZuyd+ZgBNV9W3PkdE:HTbBv5rUKm20y8ZgN94KE
Malware Config
Extracted
- Protocol: ftp
- Host: ftp.lizaneya.com
- Port: 21
- Username: [email protected]
- Password: @lizaneya.com
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: wtwneqwyfkze.exe
  pid 4596, process wtwneqwyfkze.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: Fattoruso Tech Srl RFQ.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (process: Fattoruso Tech Srl RFQ.exe)
- Loads dropped DLL (1 IoCs)
  Processes: wtwneqwyfkze.exe
  pid 5016, process wtwneqwyfkze.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes: wtwneqwyfkze.exe
  Key opened: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: wtwneqwyfkze.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: wtwneqwyfkze.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: wtwneqwyfkze.exe)
- Drops file in System32 directory (1 IoCs)
  Processes: mmc.exe
  File opened for modification: C:\Windows\system32\services.msc (process: mmc.exe)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: wtwneqwyfkze.exe
  PID 4596 set thread context of 5016 (process: wtwneqwyfkze.exe, target process: wtwneqwyfkze.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  Processes: WerFault.exe
  pid 2024, pid_target 4596, process WerFault.exe, target process wtwneqwyfkze.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: wtwneqwyfkze.exe
  pid 5016, process wtwneqwyfkze.exe
  pid 5016, process wtwneqwyfkze.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: mmc.exe
  pid 4608, process mmc.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: wtwneqwyfkze.exe, mmc.exe
  Token: SeDebugPrivilege, pid 5016, process wtwneqwyfkze.exe
  Token: 33, pid 4608, process mmc.exe
  Token: SeIncBasePriorityPrivilege, pid 4608, process mmc.exe
  Token: 33, pid 4608, process mmc.exe
  Token: SeIncBasePriorityPrivilege, pid 4608, process mmc.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes: mmc.exe
  pid 4608, process mmc.exe (4 occurrences)
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: Fattoruso Tech Srl RFQ.exe, wtwneqwyfkze.exe
  PID 3300 wrote to memory of 4596 (process: Fattoruso Tech Srl RFQ.exe, target process: wtwneqwyfkze.exe) (3 occurrences)
  PID 4596 wrote to memory of 5016 (process: wtwneqwyfkze.exe, target process: wtwneqwyfkze.exe) (4 occurrences)
- outlook_office_path (1 IoCs)
  Processes: wtwneqwyfkze.exe
  Key opened: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: wtwneqwyfkze.exe)
- outlook_win_path (1 IoCs)
  Processes: wtwneqwyfkze.exe
  Key opened: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: wtwneqwyfkze.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\Fattoruso Tech Srl RFQ.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Fattoruso Tech Srl RFQ.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\wtwneqwyfkze.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\wtwneqwyfkze.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\wtwneqwyfkze.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\wtwneqwyfkze.exe"
      - Loads dropped DLL
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 460
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4596 -ip 4596
- C:\Windows\system32\mmc.exe
  Command line: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\services.msc"
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\bezxgqnld.f
  Filesize: 4KB
  MD5: df7b91634fc1d56dd3048980a8bf6d33
  SHA1: 716b83bec07c9a05d90478d71f456ddabd4877c2
  SHA256: 272a642d13de5d72710d59b26900bc314569be5b29f220aded6dd81057b352e7
  SHA512: 893ace0e57401f78e02f42c362aa8579282988c013916580f6736ecfd8b77bce5d086838d4938d49a0eedccd544698bae4fd66bf625adc4d7f85bd44ab2756f2
- C:\Users\Admin\AppData\Local\Temp\qdonaofiwo.y
  Filesize: 287KB
  MD5: b9ed3775ace564793d6474ed8457c7c8
  SHA1: e325a2da394bed7a9b3d40106a5949164bcb9ca0
  SHA256: a3ad142d0725d1e759c50d76d8e74aff30ead2c3160d088d14eaca17a30bbd72
  SHA512: 154862300a9c1f1a0125bdcaf69968e58a3e7ff966e3a106d4f1e75226723631ed59c1fe0f82e73c4376ef2344d4645f356cfb7853375b5ed451ea20553a49fe
- C:\Users\Admin\AppData\Local\Temp\wtwneqwyfkze.exe
  Filesize: 56KB
  MD5: 1621979c40f8555bcdc436d9ddf1e0d2
  SHA1: 6632b1e5c58e7df15cdfb47f40f531627138e956
  SHA256: 194ddf309c2471eccfedd7327bbcdc44e0a5f1b0f692f13b57b166909d52c6ec
  SHA512: f393d182487ceebca7f62a506b316a2058b67ea682ad5a533f4563e958e290d35cf954f497177716915aee38b976eb8dae626cee237a1426bf90cbda6572f153
- memory/4596-132-0x0000000000000000-mapping.dmp
- memory/5016-137-0x0000000000000000-mapping.dmp
- memory/5016-139-0x0000000005A20000-0x0000000005FC4000-memory.dmp
  Filesize: 5.6MB
- memory/5016-140-0x0000000005560000-0x00000000055FC000-memory.dmp
  Filesize: 624KB
- memory/5016-141-0x00000000064B0000-0x0000000006516000-memory.dmp
  Filesize: 408KB
- memory/5016-142-0x0000000006930000-0x0000000006980000-memory.dmp
  Filesize: 320KB
- memory/5016-143-0x0000000006EA0000-0x0000000006F32000-memory.dmp
  Filesize: 584KB
- memory/5016-144-0x0000000006E50000-0x0000000006E5A000-memory.dmp
  Filesize: 40KB