f851ccd89ef8f8e28648ff600789364e9caf5c522a5e7238cee619a229cc821d

General

Target

RFQ 2290.exe
Size

1.3MB
MD5

85e8ae98556d7927fa40c5cba4e4a16a
SHA1

3013724dbc0bedda4bc2528ba01c7495f26614b1
SHA256

f851ccd89ef8f8e28648ff600789364e9caf5c522a5e7238cee619a229cc821d
SHA512

25e6158d69a61945d1513d0a12ffe1d1178a5c9e2ffeb032791b2dadc294d4f1e6b4d73242183b1ce0059e7421c9a9eea62cca6a3683002ee841e42cedce9969
SSDEEP

24576:WqHo1sfbYnNTHIsxcb5V9zpn8jte3q/3uASeA8vOE/dkJw1:WqIafENUkcb5rpn8Y3q/eAYU

Score

9^/10

evasion

Malware Config

Signatures

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

RFQ 2290.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions RFQ 2290.exe
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

RFQ 2290.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools RFQ 2290.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	RFQ 2290.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	RFQ 2290.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RFQ 2290.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RFQ 2290.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RFQ 2290.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

RFQ 2290.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	RFQ 2290.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	RFQ 2290.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1380 schtasks.exe

pid	process
1380	schtasks.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

RFQ 2290.exepowershell.exepowershell.exe

pid	process
1972	RFQ 2290.exe
556	powershell.exe
1408	powershell.exe
1972	RFQ 2290.exe
1972	RFQ 2290.exe
1972	RFQ 2290.exe
1972	RFQ 2290.exe
1972	RFQ 2290.exe
1972	RFQ 2290.exe
1972	RFQ 2290.exe
1972	RFQ 2290.exe
1972	RFQ 2290.exe
1972	RFQ 2290.exe
1972	RFQ 2290.exe
1972	RFQ 2290.exe
1972	RFQ 2290.exe
1972	RFQ 2290.exe
1972	RFQ 2290.exe
1972	RFQ 2290.exe
1972	RFQ 2290.exe
1972	RFQ 2290.exe
1972	RFQ 2290.exe
1972	RFQ 2290.exe
1972	RFQ 2290.exe
1972	RFQ 2290.exe
1972	RFQ 2290.exe
1972	RFQ 2290.exe
1972	RFQ 2290.exe
1972	RFQ 2290.exe
1972	RFQ 2290.exe
1972	RFQ 2290.exe
1972	RFQ 2290.exe
1972	RFQ 2290.exe
1972	RFQ 2290.exe
1972	RFQ 2290.exe
1972	RFQ 2290.exe
1972	RFQ 2290.exe
1972	RFQ 2290.exe
1972	RFQ 2290.exe
1972	RFQ 2290.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

RFQ 2290.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1972 RFQ 2290.exe
Token: SeDebugPrivilege 556 powershell.exe
Token: SeDebugPrivilege 1408 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1972	RFQ 2290.exe
Token: SeDebugPrivilege	556	powershell.exe
Token: SeDebugPrivilege	1408	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

RFQ 2290.exepowershell.exe

description	pid	process	target process
PID 1972 wrote to memory of 1408	1972	RFQ 2290.exe	powershell.exe
PID 1972 wrote to memory of 1408	1972	RFQ 2290.exe	powershell.exe
PID 1972 wrote to memory of 1408	1972	RFQ 2290.exe	powershell.exe
PID 1972 wrote to memory of 1408	1972	RFQ 2290.exe	powershell.exe
PID 1972 wrote to memory of 556	1972	RFQ 2290.exe	powershell.exe
PID 1972 wrote to memory of 556	1972	RFQ 2290.exe	powershell.exe
PID 1972 wrote to memory of 556	1972	RFQ 2290.exe	powershell.exe
PID 1972 wrote to memory of 556	1972	RFQ 2290.exe	powershell.exe
PID 1972 wrote to memory of 1380	1972	RFQ 2290.exe	schtasks.exe
PID 1972 wrote to memory of 1380	1972	RFQ 2290.exe	schtasks.exe
PID 1972 wrote to memory of 1380	1972	RFQ 2290.exe	schtasks.exe
PID 1972 wrote to memory of 1380	1972	RFQ 2290.exe	schtasks.exe
PID 556 wrote to memory of 932	556	powershell.exe	dw20.exe
PID 556 wrote to memory of 932	556	powershell.exe	dw20.exe
PID 556 wrote to memory of 932	556	powershell.exe	dw20.exe
PID 556 wrote to memory of 932	556	powershell.exe	dw20.exe
PID 1972 wrote to memory of 1800	1972	RFQ 2290.exe	RFQ 2290.exe
PID 1972 wrote to memory of 1800	1972	RFQ 2290.exe	RFQ 2290.exe
PID 1972 wrote to memory of 1800	1972	RFQ 2290.exe	RFQ 2290.exe
PID 1972 wrote to memory of 1800	1972	RFQ 2290.exe	RFQ 2290.exe
PID 1972 wrote to memory of 1800	1972	RFQ 2290.exe	RFQ 2290.exe

C:\Users\Admin\AppData\Local\Temp\RFQ 2290.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ 2290.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RFQ 2290.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\iDKZenUzizmrGT.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:556

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 812
3⤵
PID:932

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDKZenUzizmrGT" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA507.tmp"
2⤵
- Creates scheduled task(s)
PID:1380

C:\Users\Admin\AppData\Local\Temp\RFQ 2290.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ 2290.exe"
2⤵
PID:1800

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA507.tmp
Filesize
1KB

MD5
e9d5a3ec959b393eab974e9cf5ec80c0

SHA1
ef93695935187159db3a359cfd7b6f7ba192b16f

SHA256
3e14bd3a2b3b1acfcf5eec1be0528f134ff070e78382088fe4bde3ac2bc6d85a

SHA512
83263f5f4d5bc6416f60bd0894a3978eae9b9ccb920220e92797cb0cd1f02b703a91a0b3a43e037be5253801ddf34940ce66503b8d1cf779a684533df24fba2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
620cfc57cc4ae01cacfa85edf729367b

SHA1
123d9067fbb9c1cf894a7c2e6072c365e4c3fb3f

SHA256
dc21e751bf7095548ec849dcbadf204ec16cb92b81580bebc79f4b03ae8a44c1

SHA512
a55cd2266a1e693c3c9628c0406eb2aa945a0942dac719401dcbb9de2ec81da6ae19aff243fd73e46cf042c4a3f81ab89a42f235a0a18a92c4309272fefd26c4

Download Submit
memory/556-75-0x000000006F1B0000-0x000000006F75B000-memory.dmp

Filesize
5.7MB

Download
memory/556-73-0x000000006F1B0000-0x000000006F75B000-memory.dmp

Filesize
5.7MB

Download
memory/556-61-0x0000000000000000-mapping.dmp

Download
memory/932-66-0x0000000000000000-mapping.dmp

Download
memory/1380-62-0x0000000000000000-mapping.dmp

Download
memory/1408-74-0x000000006F1B0000-0x000000006F75B000-memory.dmp

Filesize
5.7MB

Download
memory/1408-72-0x000000006F1B0000-0x000000006F75B000-memory.dmp

Filesize
5.7MB

Download
memory/1408-59-0x0000000000000000-mapping.dmp

Download
memory/1800-69-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1800-70-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1972-67-0x0000000008DF0000-0x0000000008EAC000-memory.dmp

Filesize
752KB

Download
memory/1972-54-0x0000000001360000-0x00000000014B8000-memory.dmp

Filesize
1.3MB

Download
memory/1972-58-0x0000000005B80000-0x0000000005C8E000-memory.dmp

Filesize
1.1MB

Download
memory/1972-57-0x00000000005A0000-0x00000000005AC000-memory.dmp

Filesize
48KB

Download
memory/1972-56-0x00000000003E0000-0x00000000003F4000-memory.dmp

Filesize
80KB

Download
memory/1972-55-0x00000000751A1000-0x00000000751A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads