Analysis
- max time kernel: 148s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 05-10-2022 03:23
Static task: static1
Behavioral task: behavioral1
- Sample: RFQ 2290.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: RFQ 2290.exe
- Resource: win10v2004-20220812-en
General
- Target: RFQ 2290.exe
- Size: 1.3MB
- MD5: 85e8ae98556d7927fa40c5cba4e4a16a
- SHA1: 3013724dbc0bedda4bc2528ba01c7495f26614b1
- SHA256: f851ccd89ef8f8e28648ff600789364e9caf5c522a5e7238cee619a229cc821d
- SHA512: 25e6158d69a61945d1513d0a12ffe1d1178a5c9e2ffeb032791b2dadc294d4f1e6b4d73242183b1ce0059e7421c9a9eea62cca6a3683002ee841e42cedce9969
- SSDEEP: 24576:WqHo1sfbYnNTHIsxcb5V9zpn8jte3q/3uASeA8vOE/dkJw1:WqIafENUkcb5rpn8Y3q/eAYU
Malware Config
Signatures
- Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoCs)
  Processes: RFQ 2290.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions | RFQ 2290.exe
- Looks for VMWare Tools registry key (2 TTPs, 1 IoCs)
  Processes: RFQ 2290.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools | RFQ 2290.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: RFQ 2290.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | RFQ 2290.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | RFQ 2290.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes: RFQ 2290.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | RFQ 2290.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | RFQ 2290.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (40 IoCs)
  Processes: RFQ 2290.exe, powershell.exe, powershell.exe
  pid | process
  1972 | RFQ 2290.exe
  556 | powershell.exe
  1408 | powershell.exe
  1972 | RFQ 2290.exe (this pid/process pair is repeated for the remaining IoCs; 40 IoCs in total)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: RFQ 2290.exe, powershell.exe, powershell.exe
  description | pid | process
  Token: SeDebugPrivilege | 1972 | RFQ 2290.exe
  Token: SeDebugPrivilege | 556 | powershell.exe
  Token: SeDebugPrivilege | 1408 | powershell.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes: RFQ 2290.exe, powershell.exe
  description | pid | process | target process
  PID 1972 wrote to memory of 1408 | 1972 | RFQ 2290.exe | powershell.exe (4 entries)
  PID 1972 wrote to memory of 556 | 1972 | RFQ 2290.exe | powershell.exe (4 entries)
  PID 1972 wrote to memory of 1380 | 1972 | RFQ 2290.exe | schtasks.exe (4 entries)
  PID 556 wrote to memory of 932 | 556 | powershell.exe | dw20.exe (4 entries)
  PID 1972 wrote to memory of 1800 | 1972 | RFQ 2290.exe | RFQ 2290.exe (5 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\RFQ 2290.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ 2290.exe"
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RFQ 2290.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\iDKZenUzizmrGT.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe (depth 3)
      Command line: dw20.exe -x -s 812
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDKZenUzizmrGT" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA507.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\RFQ 2290.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ 2290.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpA507.tmp
  Filesize: 1KB
  MD5: e9d5a3ec959b393eab974e9cf5ec80c0
  SHA1: ef93695935187159db3a359cfd7b6f7ba192b16f
  SHA256: 3e14bd3a2b3b1acfcf5eec1be0528f134ff070e78382088fe4bde3ac2bc6d85a
  SHA512: 83263f5f4d5bc6416f60bd0894a3978eae9b9ccb920220e92797cb0cd1f02b703a91a0b3a43e037be5253801ddf34940ce66503b8d1cf779a684533df24fba2d
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 620cfc57cc4ae01cacfa85edf729367b
  SHA1: 123d9067fbb9c1cf894a7c2e6072c365e4c3fb3f
  SHA256: dc21e751bf7095548ec849dcbadf204ec16cb92b81580bebc79f4b03ae8a44c1
  SHA512: a55cd2266a1e693c3c9628c0406eb2aa945a0942dac719401dcbb9de2ec81da6ae19aff243fd73e46cf042c4a3f81ab89a42f235a0a18a92c4309272fefd26c4
- memory/556-75-0x000000006F1B0000-0x000000006F75B000-memory.dmp
  Filesize: 5.7MB
- memory/556-73-0x000000006F1B0000-0x000000006F75B000-memory.dmp
  Filesize: 5.7MB
- memory/556-61-0x0000000000000000-mapping.dmp
- memory/932-66-0x0000000000000000-mapping.dmp
- memory/1380-62-0x0000000000000000-mapping.dmp
- memory/1408-74-0x000000006F1B0000-0x000000006F75B000-memory.dmp
  Filesize: 5.7MB
- memory/1408-72-0x000000006F1B0000-0x000000006F75B000-memory.dmp
  Filesize: 5.7MB
- memory/1408-59-0x0000000000000000-mapping.dmp
- memory/1800-69-0x0000000000400000-0x000000000047F000-memory.dmp
  Filesize: 508KB
- memory/1800-70-0x0000000000400000-0x000000000047F000-memory.dmp
  Filesize: 508KB
- memory/1972-67-0x0000000008DF0000-0x0000000008EAC000-memory.dmp
  Filesize: 752KB
- memory/1972-54-0x0000000001360000-0x00000000014B8000-memory.dmp
  Filesize: 1.3MB
- memory/1972-58-0x0000000005B80000-0x0000000005C8E000-memory.dmp
  Filesize: 1.1MB
- memory/1972-57-0x00000000005A0000-0x00000000005AC000-memory.dmp
  Filesize: 48KB
- memory/1972-56-0x00000000003E0000-0x00000000003F4000-memory.dmp
  Filesize: 80KB
- memory/1972-55-0x00000000751A1000-0x00000000751A3000-memory.dmp
  Filesize: 8KB