Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/11/2022, 11:38
- Static task: static1
- Behavioral task: behavioral1
- Sample: RFQ.exe
- Resource: win7-20221111-en
General
- Target: RFQ.exe
- Size: 1.4MB
- MD5: 30324eabfb10bf176f913b539a895635
- SHA1: 52729961abfa1a435685a67bd1536323a6676c17
- SHA256: f2c7a204dd011ce0e8466c7fdd0e62de4e5bd919c00846233e8dd7adca7c1888
- SHA512: a4c8440249ceab6e5f7c278a3972d4fe8305497cca71286b1d097abc28367fef0dfa7d69a22c3dd14be68c7f1aa81d9d81a625bb982f0f4264a362f30bfd8bce
- SSDEEP: 24576:oAOcZqzzl+uTN9kQs+ikcTuo2uFiKVxOHmFRbr6+L/r:GhkQs+uTuoXFiXibr6G
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: azizurfattahtradin.ddns.net:7664
- C2: 91.193.75.132:7664
- Mutex: e7a222f2-0bee-4c79-b641-e16bdd86f638

- activate_away_mode: true
- backup_connection_host: 91.193.75.132
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2022-08-06T10:19:05.704905436Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 7664
- default_group: binxl
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: e7a222f2-0bee-4c79-b641-e16bdd86f638
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: azizurfattahtradin.ddns.net
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
Executes dropped EXE (2 IoCs)
- PID 4804: ihnevm.exe
- PID 4768: RegSvcs.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (RFQ.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (WScript.exe)
Adds Run key to start application (2 TTPs, 4 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AutoUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8_77\\Update.vbs" (ihnevm.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Monitor = "C:\\Program Files (x86)\\AGP Monitor\\agpmon.exe" (RegSvcs.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (ihnevm.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8_77\\ihnevm.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\8_77\\ooxfh.rcj" (ihnevm.exe)
Checks whether UAC is enabled (1 IoC)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (RegSvcs.exe)
Suspicious use of SetThreadContext (1 IoC)
- PID 4804 (ihnevm.exe) set thread context of PID 4768 (procid_target 81)
Drops file in Program Files directory (2 IoCs)
- File created: C:\Program Files (x86)\AGP Monitor\agpmon.exe (RegSvcs.exe)
- File opened for modification: C:\Program Files (x86)\AGP Monitor\agpmon.exe (RegSvcs.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (2 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings (RFQ.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (WScript.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 4768: RegSvcs.exe (3 entries)
- PID 4804: ihnevm.exe (the other 61 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 4768: RegSvcs.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege, PID 4768 (RegSvcs.exe)
Suspicious use of WriteProcessMemory (11 IoCs)
- PID 1960 (RFQ.exe) wrote to memory of PID 4952 (procid_target 79): 3 entries
- PID 4952 (WScript.exe) wrote to memory of PID 4804 (procid_target 80): 3 entries
- PID 4804 (ihnevm.exe) wrote to memory of PID 4768 (procid_target 81): 5 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\RFQ.exe (PID 1960)
  Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WScript.exe (PID 4952)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\8_77\brriiae.vbe"
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\8_77\ihnevm.exe (PID 4804)
      Command line: "C:\Users\Admin\AppData\Local\Temp\8_77\ihnevm.exe" ooxfh.rcj
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe (PID 4768)
        Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
Downloads