Analysis
- Max time kernel: 171s
- Max time network: 210s
- Platform: windows10-2004_x64
- Resource: win10v2004-20221111-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 28-11-2022 13:12
- Static task: static1
- Behavioral task: behavioral1
  - Sample: RFQ 8525-22.exe
  - Resource: win7-20220901-en
General
- Target: RFQ 8525-22.exe
- Size: 388KB
- MD5: 11160a2dacd444402d8ba3d97be284ec
- SHA1: 8e4c00a7e42b4c35c57cd970d21981c7697df195
- SHA256: fdc647398dc8d60cba61b2f6c4120c1829a78d845c3bf545ce7857380735c390
- SHA512: 1a8a2d321099b20254cb2b10965fc27038117a9444569188c5ee5a8aac87311ef08952113de554135c5c85b7068fd3ed6ad87e536977b17d17742f67eb7c952e
- SSDEEP: 6144:hBn7A5jMUCoQR7h3Xfbxp0Cw1g1+B4iX8OUYilXUqD:vrR7hn70Lg1+v8ONilXUqD
Malware Config
Extracted
formbook
m9ae
spirituallyzen.com
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
    PID 3052  vjdrvjdg.exe
    PID 4008  vjdrvjdg.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    Key value queried: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation  (vjdrvjdg.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    Set value (str): \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\efsstbl = "C:\\Users\\Admin\\AppData\\Roaming\\ddujovngpv\\eotgiqtx.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\vjdrvjdg.exe\" C:\\Users\\Admin\\AppData\\Loģ¹£"  (vjdrvjdg.exe)
- Suspicious use of SetThreadContext (3 IoCs)
  Processes:
    PID 3052 (vjdrvjdg.exe) set thread context of PID 4008 (vjdrvjdg.exe)
    PID 4008 (vjdrvjdg.exe) set thread context of PID 2508 (Explorer.EXE)
    PID 3136 (wlanext.exe) set thread context of PID 2508 (Explorer.EXE)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (2 IoCs)
  Processes:
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\  (Explorer.EXE)
    Key created: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\  (Explorer.EXE)
- Suspicious behavior: EnumeratesProcesses (38 IoCs)
  Processes:
    PID 4008  vjdrvjdg.exe  (8 hits)
    PID 3136  wlanext.exe   (30 hits)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    PID 2508  Explorer.EXE
- Suspicious behavior: MapViewOfSection (6 IoCs)
  Processes:
    PID 3052  vjdrvjdg.exe  (1 hit)
    PID 4008  vjdrvjdg.exe  (3 hits)
    PID 3136  wlanext.exe   (2 hits)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    Token: SeDebugPrivilege  PID 4008  vjdrvjdg.exe
    Token: SeDebugPrivilege  PID 3136  wlanext.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
    PID 1560 (RFQ 8525-22.exe) wrote to memory of PID 3052 (vjdrvjdg.exe)  (3 hits)
    PID 3052 (vjdrvjdg.exe) wrote to memory of PID 4008 (vjdrvjdg.exe)  (4 hits)
    PID 2508 (Explorer.EXE) wrote to memory of PID 3136 (wlanext.exe)  (3 hits)
Processes (process tree; indentation shows parent/child nesting)
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  Signatures: Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\RFQ 8525-22.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ 8525-22.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\vjdrvjdg.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\vjdrvjdg.exe" C:\Users\Admin\AppData\Local\Temp\ovnhsfisr.c
      Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\vjdrvjdg.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\vjdrvjdg.exe" C:\Users\Admin\AppData\Local\Temp\ovnhsfisr.c
        Signatures: Executes dropped EXE; Checks computer location settings; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\wlanext.exe
    Command line: "C:\Windows\SysWOW64\wlanext.exe"
    Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ovnhsfisr.c
  Filesize: 7KB
  MD5: 47b4b620db59baa3aeebf13bd207887a
  SHA1: 5d8e4172fafb73ff2866d2c4b5f7923ddbcc13f0
  SHA256: 12e30c3f96700b492ed8fb83d58aed0c7495e31bba3b89bd31548c7b42234ac2
  SHA512: 40a81546bd7b5ad4493278420b25372513f3af0e2e6064639a38c4efaaccaba9b4e71ee434ec5a743dd8418fa9bfc4ea0ab332ca84341780d2979379064a665d
- C:\Users\Admin\AppData\Local\Temp\svbcxznxc.wg
  Filesize: 185KB
  MD5: 38931dd8ec15787023ca0bec5855b2c8
  SHA1: 51fb41644d6c3952bca31bd900e6483afeb6f695
  SHA256: 00051b16f93009fdcc607627b53ec3fc7c7f7c8a37be000b5b8452d7a6ba9f98
  SHA512: f1d7b02e02bb241191cb7147e0686cabe4b9290b304e5dff02eb3ed2a1fe8671aa9d28c09e8a2c19c34a6cd26df1e360a26135236a51c361cf012d85468c30be
- C:\Users\Admin\AppData\Local\Temp\vjdrvjdg.exe (recorded three times in the report, with identical hashes)
  Filesize: 122KB
  MD5: 3a9b0a1a143b4bbb337edc0aacbd7ffc
  SHA1: 0e1c4bf9d3aca2796ddfda3e633323228a5d9cff
  SHA256: 3ab4cfdc61905541f75d91d375dac78bc9057eee579db753dece76961809737d
  SHA512: a21cb44596f03f91ac481e643b582a916e8951f1215d195d47d6425d8ddb2f0de94c0d0ad109a809aa32bbe59bb0a2ec01cde8eb2c2f28d0e530ef0f547a87ed
- memory/2508-144-0x0000000007AC0000-0x0000000007BDA000-memory.dmp  Filesize: 1.1MB
- memory/2508-153-0x0000000006F00000-0x0000000006FC0000-memory.dmp  Filesize: 768KB
- memory/2508-151-0x0000000006F00000-0x0000000006FC0000-memory.dmp  Filesize: 768KB
- memory/2508-147-0x0000000007AC0000-0x0000000007BDA000-memory.dmp  Filesize: 1.1MB
- memory/3052-132-0x0000000000000000-mapping.dmp
- memory/3136-152-0x00000000010A0000-0x00000000010CD000-memory.dmp  Filesize: 180KB
- memory/3136-150-0x00000000015E0000-0x000000000166F000-memory.dmp  Filesize: 572KB
- memory/3136-149-0x0000000001750000-0x0000000001A9A000-memory.dmp  Filesize: 3.3MB
- memory/3136-148-0x00000000010A0000-0x00000000010CD000-memory.dmp  Filesize: 180KB
- memory/3136-145-0x0000000000000000-mapping.dmp
- memory/3136-146-0x0000000000050000-0x0000000000067000-memory.dmp  Filesize: 92KB
- memory/4008-137-0x0000000000000000-mapping.dmp
- memory/4008-143-0x00000000004B0000-0x00000000004C0000-memory.dmp  Filesize: 64KB
- memory/4008-142-0x0000000000400000-0x000000000042F000-memory.dmp  Filesize: 188KB
- memory/4008-141-0x0000000000A00000-0x0000000000D4A000-memory.dmp  Filesize: 3.3MB
- memory/4008-140-0x0000000000400000-0x000000000042F000-memory.dmp  Filesize: 188KB
- memory/4008-139-0x0000000000400000-0x000000000042F000-memory.dmp  Filesize: 188KB