4fe82d810dd80e56a8e2effdf825a9259a812bc9e14193f22193342bf5e66641

General

Target

RFQ 17253536373.exe
Size

1015KB
MD5

f8a2ad4544d211df3b2698e5cecaf2dc
SHA1

b2045de3aaa3c49ebb35f25771d762cf70c5a3fa
SHA256

4fe82d810dd80e56a8e2effdf825a9259a812bc9e14193f22193342bf5e66641
SHA512

fb94796b343d75d98b512e9f2f35fa17a5b33d6a382ba6188671bc232649f0428d969e37d7a2b35a427dea14c697d9ba9e27c9395770412960b2be77ee987ffd
SSDEEP

24576:XM+L74mBfNUstzoxdpt3hvMCggcrf8PAqyU9YH3r8JN:qnt3hrgde9YHI

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1972 schtasks.exe

pid	process
1972	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

RFQ 17253536373.exepowershell.exepowershell.exe

pid	process
956	RFQ 17253536373.exe
956	RFQ 17253536373.exe
956	RFQ 17253536373.exe
956	RFQ 17253536373.exe
956	RFQ 17253536373.exe
956	RFQ 17253536373.exe
1892	powershell.exe
592	powershell.exe
956	RFQ 17253536373.exe
956	RFQ 17253536373.exe
956	RFQ 17253536373.exe
956	RFQ 17253536373.exe
956	RFQ 17253536373.exe
956	RFQ 17253536373.exe
956	RFQ 17253536373.exe
956	RFQ 17253536373.exe
956	RFQ 17253536373.exe
956	RFQ 17253536373.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

RFQ 17253536373.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 956 RFQ 17253536373.exe
Token: SeDebugPrivilege 1892 powershell.exe
Token: SeDebugPrivilege 592 powershell.exe

description	pid	process
Token: SeDebugPrivilege	956	RFQ 17253536373.exe
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	592	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

RFQ 17253536373.exe

description	pid	process	target process
PID 956 wrote to memory of 1892	956	RFQ 17253536373.exe	powershell.exe
PID 956 wrote to memory of 1892	956	RFQ 17253536373.exe	powershell.exe
PID 956 wrote to memory of 1892	956	RFQ 17253536373.exe	powershell.exe
PID 956 wrote to memory of 1892	956	RFQ 17253536373.exe	powershell.exe
PID 956 wrote to memory of 592	956	RFQ 17253536373.exe	powershell.exe
PID 956 wrote to memory of 592	956	RFQ 17253536373.exe	powershell.exe
PID 956 wrote to memory of 592	956	RFQ 17253536373.exe	powershell.exe
PID 956 wrote to memory of 592	956	RFQ 17253536373.exe	powershell.exe
PID 956 wrote to memory of 1972	956	RFQ 17253536373.exe	schtasks.exe
PID 956 wrote to memory of 1972	956	RFQ 17253536373.exe	schtasks.exe
PID 956 wrote to memory of 1972	956	RFQ 17253536373.exe	schtasks.exe
PID 956 wrote to memory of 1972	956	RFQ 17253536373.exe	schtasks.exe
PID 956 wrote to memory of 608	956	RFQ 17253536373.exe	RFQ 17253536373.exe
PID 956 wrote to memory of 608	956	RFQ 17253536373.exe	RFQ 17253536373.exe
PID 956 wrote to memory of 608	956	RFQ 17253536373.exe	RFQ 17253536373.exe
PID 956 wrote to memory of 608	956	RFQ 17253536373.exe	RFQ 17253536373.exe
PID 956 wrote to memory of 1688	956	RFQ 17253536373.exe	RFQ 17253536373.exe
PID 956 wrote to memory of 1688	956	RFQ 17253536373.exe	RFQ 17253536373.exe
PID 956 wrote to memory of 1688	956	RFQ 17253536373.exe	RFQ 17253536373.exe
PID 956 wrote to memory of 1688	956	RFQ 17253536373.exe	RFQ 17253536373.exe
PID 956 wrote to memory of 392	956	RFQ 17253536373.exe	RFQ 17253536373.exe
PID 956 wrote to memory of 392	956	RFQ 17253536373.exe	RFQ 17253536373.exe
PID 956 wrote to memory of 392	956	RFQ 17253536373.exe	RFQ 17253536373.exe
PID 956 wrote to memory of 392	956	RFQ 17253536373.exe	RFQ 17253536373.exe
PID 956 wrote to memory of 1656	956	RFQ 17253536373.exe	RFQ 17253536373.exe
PID 956 wrote to memory of 1656	956	RFQ 17253536373.exe	RFQ 17253536373.exe
PID 956 wrote to memory of 1656	956	RFQ 17253536373.exe	RFQ 17253536373.exe
PID 956 wrote to memory of 1656	956	RFQ 17253536373.exe	RFQ 17253536373.exe
PID 956 wrote to memory of 1268	956	RFQ 17253536373.exe	RFQ 17253536373.exe
PID 956 wrote to memory of 1268	956	RFQ 17253536373.exe	RFQ 17253536373.exe
PID 956 wrote to memory of 1268	956	RFQ 17253536373.exe	RFQ 17253536373.exe
PID 956 wrote to memory of 1268	956	RFQ 17253536373.exe	RFQ 17253536373.exe

C:\Users\Admin\AppData\Local\Temp\RFQ 17253536373.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ 17253536373.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:956
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RFQ 17253536373.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1892
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\yOQsDFUUU.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:592
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yOQsDFUUU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp34D7.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1972
- C:\Users\Admin\AppData\Local\Temp\RFQ 17253536373.exe
  "C:\Users\Admin\AppData\Local\Temp\RFQ 17253536373.exe"
  2⤵
  PID:608
- C:\Users\Admin\AppData\Local\Temp\RFQ 17253536373.exe
  "C:\Users\Admin\AppData\Local\Temp\RFQ 17253536373.exe"
  2⤵
  PID:1688
- C:\Users\Admin\AppData\Local\Temp\RFQ 17253536373.exe
  "C:\Users\Admin\AppData\Local\Temp\RFQ 17253536373.exe"
  2⤵
  PID:392
- C:\Users\Admin\AppData\Local\Temp\RFQ 17253536373.exe
  "C:\Users\Admin\AppData\Local\Temp\RFQ 17253536373.exe"
  2⤵
  PID:1656
- C:\Users\Admin\AppData\Local\Temp\RFQ 17253536373.exe
  "C:\Users\Admin\AppData\Local\Temp\RFQ 17253536373.exe"
  2⤵
  PID:1268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp34D7.tmp

Filesize
1KB

MD5
f447cebf8faae2d1a103bfdbecb8c5a7

SHA1
04616101b62dcc8b08210c667ad702da1e4d8b86

SHA256
050bf7450cae2c6d13a6a1f91388f66c9516500635ca362ffbaf997adc05af36

SHA512
3d0adeeb498f0de8bfd3f681f56b50938464af76d8228b8892a9c7ebd7ee004ce2a2f91fc15da8448623186acb66d9caec106da8b790f89095b25be7941d8d25

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
dba8a279088683fd8c53acd04f17f1eb

SHA1
9119179d3341babd3831b0f3e0aa642a48a461f0

SHA256
f882ebd0cdddced9e3b2b1a6f6d2885cdc2e52026010a3f79faf3ab477e57d74

SHA512
6e8557d989deaf28c5b708a1f170d32a3f4a35d913c730c5547339a95c050c43ce6439de9a3efc3f0208ec76a609f1374db711c5b0722a766c72a28fbdda7f42

Download Submit
memory/592-61-0x0000000000000000-mapping.dmp

Download
memory/592-66-0x000000006E200000-0x000000006E7AB000-memory.dmp

Filesize
5.7MB

Download
memory/956-54-0x00000000003B0000-0x00000000004B2000-memory.dmp

Filesize
1.0MB

Download
memory/956-55-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/956-56-0x0000000000510000-0x0000000000528000-memory.dmp

Filesize
96KB

Download
memory/956-57-0x0000000000290000-0x000000000029C000-memory.dmp

Filesize
48KB

Download
memory/956-58-0x00000000055C0000-0x0000000005662000-memory.dmp

Filesize
648KB

Download
memory/956-67-0x0000000005C30000-0x0000000005C9A000-memory.dmp

Filesize
424KB

Download
memory/1892-59-0x0000000000000000-mapping.dmp

Download
memory/1972-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads