Analysis

max time kernel: 175s
max time network: 188s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 13-12-2022 22:46

Static task: static1
Behavioral task: behavioral1
  Sample: RFQ PT089110.exe
  Resource: win7-20221111-en
General

Target:  RFQ PT089110.exe
Size:    272KB
MD5:     8ea739a14035ea523b015f33eafe6953
SHA1:    228ee69b1fccea68b79f9c1a9bb9796882696cf3
SHA256:  1a685538deaab9e0cfe393b43f4f08e48c076ce115911c46e93952a121322c87
SHA512:  76d462569c16143c41ce75eb8e5f4f6304f32f42f939433752a5aa3fefcfa4550da8a55179dfef2d3eef0c6a41a9de8018de785669bfc6daf337a14323f98f2a
SSDEEP:  6144:9kwrUMSvXxBADF+bVEN8fyqNkpHVtxgWljiXcU0GfJyqI2q:/UMEBBAAJVfjS1EWljiXcU0EJyqy
Malware Config

Extracted: formbook
Campaign ID: m5oe
Decoy list (64 entries, shown base64-encoded exactly as the extractor emitted them; they are not decoded here):
HdR8hG6r12hBYuHY4zv6YeeFPQ==
tD1V9gswYvgQXEGd
1xKtJ1LdqRYMRMC84U1A
MbhjiWb7Lz8z7KIWl3UyUIJwA6Tb
joVB5Xggy2RtE+odsZg=
TrduAIay6Y3SvoIK20xI
pSna7LOsXXwXT/zz3Iow4g==
QnthmO4Qst5gC3sDoA==
eAirzOOgO7SOCenz3Iow4g==
xg0uSbfLTg==
YWQXwyGRzPEHzGrDFE8CBSE=
ujLnfuXoH9dbgHIK20xI
291v0XsGFrYQXEGd
MRvTd/qMuaHpjCM=
X131fLC6VWX4MsvCb2IPjIfq8wlksWfg
Y9Bur8DbgqFt/Yni86MMCCE=
q6RTBmJkmy5pWTmmCCrvmuCDPw==
mQS26DojT+EQXEGd
sjHQ+Kav2Wx9FeodsZg=
JA24UKnTA5re1LhcQaVo/w==
+nMYDuKNduLsjSE=
0Y9DVy/Tc9l+yjQ=
y7lwdkvTChreCREDpQ==
Ii3WdB9OaKHpjCM=
CMWQ4A8JKbwoNFp9nu7t6g==
gbV4IoyzQljj18uoLgjx6g==
6K5hYUwJtU5ySf92shofvBfYrldksWfg
HShGoi6WeQZh
+XRHCtltpLisZhq8oQP3tsIn
H92Mnqi1WFbtCREDpQ==
ScNmhoycwTWCnCciRLFr/A92fk4lLrXv
/mcDDzqp2eN+iqKcQzk8IFpI47Z1oDSkYg==
4Zw22mgivXjUVwsKrQ==
H6BuCCqWeQZh
AXgnNxLA5SJB/+odsZg=
ewIhwqy9EmQJYg==
r2QP0TaWeQZh
wH0tLEHAY/MrFNYtfK1ScJWi7cI=
CC3fiO5tJLm2VNIwxwNPYSP0u4nR
Fx7Zhw2aS6HpjCM=
IJxWlqZEdZpwDuodsZg=
yUjv9d2BuOS0KOodsZg=
3p9Rc2X7ORpG8LMaPbR8DkBwu0YHcGeudQ==
1HEaIfD3b79KiDEL3Iow4g==
wWMAE/eTvqHpjCM=
vLlwIqnDnTWyCREDpQ==
5Zw354BpX25V+MYFrJI=
bqtnHoun2nf7CREDpQ==
rWETGOZxl6iRGP8fuokZ/GMv
sn1e9rsTPWA=
nN+z3PKiu6HpjCM=
qifMPKbZgoXSZjD1FJA=
wJAvzTSWeQZh
XYVBzCOsTvAQXEGd
tCi/4MTHdZ9v9pT5FGwZ/GMv
uWdW5jhhSjC67o2V
IejMbKK5EmQJYg==
2ptC9k/Nex0+/uodsZg=
69+iVeaYNOokmEsorQ==
f4MkxCEdWBSt5WJD5cLF7EoRn8M=
d7dR4opPbeIZwWovuA==
4alR50ZbhAxOJfHUaVhA
g403rfwQH7w9ZvHron4xbLDfMg==
m9aSQLs51jmh18uoLgjx6g==
C2 domain (the one plaintext value in the extracted config): singglostudio.com
Extracted: xloader
Version: 3.Æ… (mis-encoded in the extraction)
Campaign ID: m5oe
Decoy list and C2: identical to the formbook extraction above (the same 64 base64 entries and the same domain, singglostudio.com), so the list is not repeated. XLoader is the later name of the Formbook family, which is why both extractors match the same configuration.
Signatures

Executes dropped EXE (2 IoCs)
  PID   Process
  956   faclv.exe
  888   faclv.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Event              Key                                                                                              Process
  Key value queried  \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\International\Geo\Nation  faclv.exe (888, per the process tree)

Loads dropped DLL (3 IoCs)
  PID   Process
  1964  RFQ PT089110.exe
  956   faclv.exe
  268   mstsc.exe

Suspicious use of SetThreadContext (4 IoCs)
  Source PID  Source process  Target PID  Target process
  956         faclv.exe       888         faclv.exe
  888         faclv.exe       1212        Explorer.EXE
  888         faclv.exe       1212        Explorer.EXE
  268         mstsc.exe       1212        Explorer.EXE
  Read together with the WriteProcessMemory rows below, the chain is: RFQ PT089110.exe (1964) writes and launches faclv.exe (956); 956 launches a second faclv.exe (888) and replaces its thread context; 888 injects into Explorer.EXE (1212); the injected shell launches C:\Windows\SysWOW64\mstsc.exe (268), which in turn writes into Firefox.exe (1740).

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic text for this signature adds "likely ransomware behaviour"; nothing else in this report supports that reading (no file encryption, no ransom note, and the extracted config is a Formbook/XLoader stealer), so do not classify on this signature alone. No IoC rows are attached to it.

Modifies Internet Explorer settings (1 IoC)
  (This heading is missing from the extracted page; it is restored here because the process tree lists the signature for mstsc.exe and the row below is its IoC.)
  Event        Key                                                                                                                  Process
  Key created  \Registry\User\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  mstsc.exe (268)
  IntelliForms\Storage2 is where Internet Explorer keeps saved form and password entries; a process creating it is consistent with credential harvesting, not with configuring the browser.

Suspicious behavior: EnumeratesProcesses (24 IoCs)
  PID   Process     Events
  888   faclv.exe   5
  268   mstsc.exe   19

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  1212  Explorer.EXE

Suspicious behavior: MapViewOfSection (9 IoCs)
  PID   Process     Events
  956   faclv.exe   1
  888   faclv.exe   4
  268   mstsc.exe   4

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token               PID   Process
  SeDebugPrivilege    888   faclv.exe
  SeDebugPrivilege    268   mstsc.exe
  SeShutdownPrivilege 1212  Explorer.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
  1212  Explorer.EXE (2 events)

Suspicious use of SendNotifyMessage (2 IoCs)
  1212  Explorer.EXE (2 events)

Suspicious use of WriteProcessMemory (18 IoCs)
  Source PID  Source process     Target PID  Target process  Events
  1964        RFQ PT089110.exe   956         faclv.exe       4
  956         faclv.exe          888         faclv.exe       5
  1212        Explorer.EXE       268         mstsc.exe       4
  268         mstsc.exe          1740        Firefox.exe     5
  Explorer.EXE appears as a source only after faclv.exe (888) replaced its thread context, so the writes into mstsc.exe are consistent with injected code acting from inside the shell rather than with the shell itself.
Processes

(Indentation follows the depth markers on the page; PIDs are taken from the signature tables.)

[1] C:\Windows\Explorer.EXE (PID 1212)
    command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\RFQ PT089110.exe (PID 1964)
        command line: "C:\Users\Admin\AppData\Local\Temp\RFQ PT089110.exe"
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\faclv.exe (PID 956)
            command line: "C:\Users\Admin\AppData\Local\Temp\faclv.exe" C:\Users\Admin\AppData\Local\Temp\jjqrtywbglb.t
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Local\Temp\faclv.exe (PID 888)
                command line: "C:\Users\Admin\AppData\Local\Temp\faclv.exe"
                - Executes dropped EXE
                - Checks computer location settings
                - Suspicious use of SetThreadContext
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: MapViewOfSection
                - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\mstsc.exe (PID 268)
        command line: "C:\Windows\SysWOW64\mstsc.exe"
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Program Files\Mozilla Firefox\Firefox.exe (PID 1740)
            command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
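The process tree and the SetThreadContext/WriteProcessMemory tables describe one injection chain: a dropped EXE in %TEMP% hollowing a copy of itself, that copy rewriting Explorer.EXE's thread context, and the injected shell launching a SysWOW64 system binary that writes into a browser. The script below is an added example (not part of the sandbox report) that turns those three steps into correlation rules and runs them over constructed event records mirroring the report's PIDs and paths. The event schema (type/pid/ppid/target/image/cmdline) is an assumption chosen for the example; map your own telemetry (for instance Sysmon process-create and process-access events) onto it before use.

```python
"""Correlate process telemetry into the injection chain seen in the report:
R1 self-hollowing from a user-writable directory, R2 thread-context
injection into Explorer, R3 an argument-less system binary spawned by
Explorer that touches a browser's memory.

Added example; the event records are constructed and the schema is an
assumption, not a real sensor format.
"""
import re

# Binaries running from here that inject elsewhere deserve a second look.
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Temp|Users\\Public|Downloads)\\", re.I)
SYSTEM_DIR = re.compile(r"^[A-Za-z]:\\Windows\\(System32|SysWOW64)\\", re.I)
BROWSERS = {"firefox.exe", "chrome.exe", "iexplore.exe", "msedge.exe"}

# Constructed events in report order. "set_thread_context" stands for the
# SetThreadContext IoCs, "write_memory" for WriteProcessMemory.
EVENTS = [
    {"type": "create", "pid": 1212, "ppid": None, "image": r"C:\Windows\Explorer.EXE"},
    {"type": "create", "pid": 1964, "ppid": 1212,
     "image": r"C:\Users\Admin\AppData\Local\Temp\RFQ PT089110.exe"},
    {"type": "create", "pid": 956, "ppid": 1964,
     "image": r"C:\Users\Admin\AppData\Local\Temp\faclv.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\faclv.exe" C:\Users\Admin\AppData\Local\Temp\jjqrtywbglb.t'},
    {"type": "write_memory", "pid": 1964, "target": 956},
    {"type": "create", "pid": 888, "ppid": 956,
     "image": r"C:\Users\Admin\AppData\Local\Temp\faclv.exe"},
    {"type": "write_memory", "pid": 956, "target": 888},
    {"type": "set_thread_context", "pid": 956, "target": 888},
    {"type": "set_thread_context", "pid": 888, "target": 1212},
    {"type": "set_thread_context", "pid": 888, "target": 1212},  # reported twice
    {"type": "create", "pid": 268, "ppid": 1212, "image": r"C:\Windows\SysWOW64\mstsc.exe",
     "cmdline": r'"C:\Windows\SysWOW64\mstsc.exe"'},
    {"type": "write_memory", "pid": 1212, "target": 268},
    {"type": "set_thread_context", "pid": 268, "target": 1212},
    {"type": "create", "pid": 1740, "ppid": 268,
     "image": r"C:\Program Files\Mozilla Firefox\Firefox.exe"},
    {"type": "write_memory", "pid": 268, "target": 1740},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def has_arguments(cmdline, image):
    """True when the command line carries anything beyond the image path."""
    return cmdline.strip().strip('"').lower() != image.lower()


def correlate(events):
    """Return deduplicated (rule, source_pid, target_pid) findings."""
    image, parent, cmdline = {}, {}, {}
    findings = []

    def emit(rule, src, dst):
        if (rule, src, dst) not in findings:  # the same IoC is often reported repeatedly
            findings.append((rule, src, dst))

    for ev in events:
        if ev["type"] == "create":
            pid = ev["pid"]
            image[pid] = ev["image"]
            parent[pid] = ev["ppid"]
            cmdline[pid] = ev.get("cmdline", ev["image"])
            continue

        src, dst = ev["pid"], ev["target"]
        src_img, dst_img = image.get(src, ""), image.get(dst, "")

        if ev["type"] == "set_thread_context":
            # R1: a binary in a user-writable directory replaces the thread
            # context of its own child that runs the same image.
            if (USER_WRITABLE.search(src_img) and parent.get(dst) == src
                    and basename(src_img) == basename(dst_img)):
                emit("R1-self-hollowing", src, dst)
            # R2: anything rewriting a thread context inside the shell.
            if basename(dst_img) == "explorer.exe":
                emit("R2-explorer-injection", src, dst)

        if ev["type"] in ("set_thread_context", "write_memory"):
            # R3: a Windows system binary launched by Explorer with no arguments
            # that then touches a browser. mstsc.exe has no business in Firefox.
            launcher = basename(image.get(parent.get(src), ""))
            if (basename(dst_img) in BROWSERS and SYSTEM_DIR.match(src_img)
                    and launcher == "explorer.exe"
                    and not has_arguments(cmdline.get(src, src_img), src_img)):
                emit("R3-system-binary-to-browser", src, dst)
    return findings


if __name__ == "__main__":
    for rule, src, dst in correlate(EVENTS):
        print(f"{rule}: {src} -> {dst}")
```

On the constructed events the rules fire for 956 -> 888 (R1), 888 -> 1212 and 268 -> 1212 (R2), and 268 -> 1740 (R3), which is exactly the chain the signature tables record. R3 is the cheapest rule to deploy on real telemetry because an argument-less system binary spawned by Explorer that opens a browser process is rare in normal use; R2 will also catch accessibility and shell-extension software, so it needs an allow-list before it is alert-worthy.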
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\faclv.exe
  (The report repeats this entry five times, including under the drive-less path \Users\Admin\AppData\Local\Temp\faclv.exe; every copy carries the same hashes, so one is kept.)
  Filesize  141KB
  MD5       f88b0229271ec4a4962ade420916973f
  SHA1      8c3eff757988b1b43213b85dd272af0289a85f2f
  SHA256    e66c55f14ddcfb93aa5f236b67829bc4b43916e1ff84bf89ee90275bc873729e
  SHA512    f09c5cc0a50169582d0578fb2959a15841394c2a391b7a31be8a6e2cd90586b37b18e39d3395e176a250ac5dbba1db091206c3b3364221ec92cde78a182dba53
  Written by RFQ PT089110.exe (1964) and executed as PIDs 956 and 888 (see Signatures).

C:\Users\Admin\AppData\Local\Temp\jjqrtywbglb.t
  Filesize  5KB
  MD5       c4da7b1938a01beace3d69275e1826f9
  SHA1      bb7e8c0d6b9e404551d45e9d1701a49a6aa41eda
  SHA256    7d1696aa4c800e800aa5b49124b66cc00e94d155e78cd06aece207a9d7b7e47d
  SHA512    9a6493fb8eaee411248e0eb65b134baee7d2746d9ff0af493f7083c6403f80c1c0588971409e2c1a5d785b674b029eaf6122d2f60bce7cc16154d91947e97fb0
  Passed as the only command-line argument to faclv.exe (956) in the process tree.

C:\Users\Admin\AppData\Local\Temp\zhphjyjg.axk
  Filesize  185KB
  MD5       c290c052854d20566294229800e4471d
  SHA1      eb4cef65b362a4ade2977078286e60b06551d2c3
  SHA256    69c12b29ea58482fa5a07f00810e350c9436d40808f4b9bcc6567b32f8104255
  SHA512    d199fc2fed053c1d5107084fd9930630bcb297ce281b3fdc62e83ecf641e62f1b9d64049b446f9d546347ca025305dd4f699defb1c661a1646dd9583a0207d7d
  Not referenced in the process tree or the signature tables; its role is not established by this report.

\Users\Admin\AppData\Local\Temp\sqlite3.dll
  Filesize  910KB
  MD5       d79258c5189103d69502eac786addb04
  SHA1      f34b33681cfe8ce649218173a7f58b237821c1ef
  SHA256    57d89a52061d70d87e40281f1196d53273f87860c4d707d667a8c7d9573da675
  SHA512    da797f4dd1ad628aa4e8004b2e00b7c278facbc57a313f56b70dc8fcfbdb0050ea8b025b3475098223cce96ea53537d678273656d46c2d33d81b496d90da34b2
  The only dropped DLL in this list; stealers commonly carry a SQLite library to read browser databases, and the Loads dropped DLL signature fires for mstsc.exe (268). Check the hash against a known-good sqlite3 build before treating the DLL itself as malicious; it is normally a clean library, and the dropper that wrote it is the artefact to block.
Memory dumps
(Name format: memory/<pid>-<n>-<start>-<end>-memory.dmp; "-mapping.dmp" entries record a single address and have no region size.)

PID 268 (mstsc.exe)
  72  mapping at 0x0000000000000000
  75  0x0000000000840000-0x0000000000944000  1.0MB
  76  0x00000000000C0000-0x00000000000ED000  180KB
  77  0x0000000002070000-0x0000000002373000  3.0MB
  79  0x0000000000780000-0x000000000080F000  572KB
  81  0x00000000000C0000-0x00000000000ED000  180KB

PID 888 (faclv.exe)
  63  mapping at 0x00000000004012B0
  65  0x0000000000400000-0x000000000042F000  188KB
  66  0x0000000000400000-0x000000000042F000  188KB
  67  0x0000000000770000-0x0000000000A73000  3.0MB
  68  0x00000000002B0000-0x00000000002C0000  64KB
  70  0x00000000003F0000-0x0000000000400000  64KB
  73  0x0000000000400000-0x000000000042F000  188KB

PID 956 (faclv.exe)
  56  mapping at 0x0000000000000000

PID 1212 (Explorer.EXE)
  69  0x0000000004B60000-0x0000000004C62000  1.0MB
  71  0x0000000004D20000-0x0000000004E21000  1.0MB
  78  0x0000000004D20000-0x0000000004E21000  1.0MB
  80  0x0000000004E30000-0x0000000004FA0000  1.4MB
  82  0x0000000004E30000-0x0000000004FA0000  1.4MB

PID 1964 (RFQ PT089110.exe)
  54  0x0000000074D81000-0x0000000074D83000  8KB

The 3.0MB regions in 888 (0x770000-0xA73000) and 268 (0x2070000-0x2373000) have the same length (0x303000 bytes), and both processes set Explorer.EXE's thread context; when hunting for the unpacked payload, compare those two dumps first.