Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 15/11/2022, 11:38

Static task: static1
Behavioral task: behavioral1
Sample: RFQ.exe
Resource: win7-20221111-en
General
- Target: RFQ.exe
- Size: 1.4MB
- MD5: 30324eabfb10bf176f913b539a895635
- SHA1: 52729961abfa1a435685a67bd1536323a6676c17
- SHA256: f2c7a204dd011ce0e8466c7fdd0e62de4e5bd919c00846233e8dd7adca7c1888
- SHA512: a4c8440249ceab6e5f7c278a3972d4fe8305497cca71286b1d097abc28367fef0dfa7d69a22c3dd14be68c7f1aa81d9d81a625bb982f0f4264a362f30bfd8bce
- SSDEEP: 24576:oAOcZqzzl+uTN9kQs+ikcTuo2uFiKVxOHmFRbr6+L/r:GhkQs+uTuoXFiXibr6G
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2 hosts: azizurfattahtradin.ddns.net:7664, 91.193.75.132:7664
- Mutex: e7a222f2-0bee-4c79-b641-e16bdd86f638

Configuration keys:
- activate_away_mode: true
- backup_connection_host: 91.193.75.132
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2022-08-06T10:19:05.704905436Z
- bypass_user_account_control: true
- bypass_user_account_control_data: (empty)
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 7664
- default_group: binxl
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: e7a222f2-0bee-4c79-b641-e16bdd86f638
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: azizurfattahtradin.ddns.net
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures

Executes dropped EXE (2 IoCs)
- PID 1508, ihnevm.exe
- PID 820, RegSvcs.exe

Loads dropped DLL (2 IoCs)
- PID 2032, WScript.exe
- PID 1508, ihnevm.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (ihnevm.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8_77\\ihnevm.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\8_77\\ooxfh.rcj" (ihnevm.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AutoUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8_77\\Update.vbs" (ihnevm.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Subsystem = "C:\\Program Files (x86)\\DDP Subsystem\\ddpss.exe" (RegSvcs.exe)
Checks whether UAC is enabled
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (RegSvcs.exe)
Suspicious use of SetThreadContext (1 IoCs)
- PID 1508 set thread context of 820 (ihnevm.exe, procid_target 30)

Drops file in Program Files directory (2 IoCs)
- File created: C:\Program Files (x86)\DDP Subsystem\ddpss.exe (RegSvcs.exe)
- File opened for modification: C:\Program Files (x86)\DDP Subsystem\ddpss.exe (RegSvcs.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 1508, ihnevm.exe (repeated entries)
- PID 820, RegSvcs.exe (repeated entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
- PID 820, RegSvcs.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
- Token: SeDebugPrivilege, PID 820, RegSvcs.exe

Suspicious use of WriteProcessMemory (20 IoCs)
- PID 1232 (RFQ.exe) wrote to memory of 2032, procid_target 28 (4 entries)
- PID 2032 (WScript.exe) wrote to memory of 1508, procid_target 29 (7 entries)
- PID 1508 (ihnevm.exe) wrote to memory of 820, procid_target 30 (9 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\RFQ.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ.exe"
   PID: 1232
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\8_77\brriiae.vbe"
      PID: 2032
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\8_77\ihnevm.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\8_77\ihnevm.exe" ooxfh.rcj
         PID: 1508
         - Executes dropped EXE
         - Loads dropped DLL
         - Adds Run key to start application
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
            PID: 820
            - Executes dropped EXE
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in Program Files directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads