e0049227c1a82ac9ac8cf1ad3b265a4ede2dbb376e90af23dcc9834bb2b1c32e

General

Target

Purchase Contract#436564.exe
Size

651KB
MD5

b5a3a2bb77f27cc5a51d582d4f35e7a0
SHA1

49a6a5773bb72a4cc8cc0338365fdd8b7ce6f38a
SHA256

e0049227c1a82ac9ac8cf1ad3b265a4ede2dbb376e90af23dcc9834bb2b1c32e
SHA512

c38ab307149ec67dfb795513f199b768bf2f034b8016967dcd8c01e94d7c19f5c67c823fc4bd9c8a25afef46eb139963b185fe294d3f435348f3d020346195fd
SSDEEP

6144:WYa6TckK9k9MWbdTDZvJw7qeYL2NLWb29fBAnzeEafC8TkWmmtmDEFgHR7:WY9B9MePZvJ6wLA6CNB2LaYWRta

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1940	rqvtxxgmxu.exe
1740	rqvtxxgmxu.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation	rqvtxxgmxu.exe

Loads dropped DLL 3 IoCs

pid	Process
1784	Purchase Contract#436564.exe
1940	rqvtxxgmxu.exe
2024	systray.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1940 set thread context of 1740	1940	rqvtxxgmxu.exe	30
PID 1740 set thread context of 1220	1740	rqvtxxgmxu.exe	16
PID 2024 set thread context of 1220	2024	systray.exe	16

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	systray.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1740	rqvtxxgmxu.exe
1740	rqvtxxgmxu.exe
1740	rqvtxxgmxu.exe
1740	rqvtxxgmxu.exe
2024	systray.exe
2024	systray.exe
2024	systray.exe
2024	systray.exe
2024	systray.exe
2024	systray.exe
2024	systray.exe
2024	systray.exe
2024	systray.exe
2024	systray.exe
2024	systray.exe
2024	systray.exe
2024	systray.exe
2024	systray.exe
2024	systray.exe
2024	systray.exe
2024	systray.exe
2024	systray.exe
2024	systray.exe
2024	systray.exe
2024	systray.exe
2024	systray.exe
2024	systray.exe
2024	systray.exe

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
1940	rqvtxxgmxu.exe
1740	rqvtxxgmxu.exe
1740	rqvtxxgmxu.exe
1740	rqvtxxgmxu.exe
2024	systray.exe
2024	systray.exe
2024	systray.exe
2024	systray.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1740	rqvtxxgmxu.exe
Token: SeDebugPrivilege	2024	systray.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1220	Explorer.EXE
1220	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1220	Explorer.EXE
1220	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 1940	1784	Purchase Contract#436564.exe	28
PID 1784 wrote to memory of 1940	1784	Purchase Contract#436564.exe	28
PID 1784 wrote to memory of 1940	1784	Purchase Contract#436564.exe	28
PID 1784 wrote to memory of 1940	1784	Purchase Contract#436564.exe	28
PID 1940 wrote to memory of 1740	1940	rqvtxxgmxu.exe	30
PID 1940 wrote to memory of 1740	1940	rqvtxxgmxu.exe	30
PID 1940 wrote to memory of 1740	1940	rqvtxxgmxu.exe	30
PID 1940 wrote to memory of 1740	1940	rqvtxxgmxu.exe	30
PID 1940 wrote to memory of 1740	1940	rqvtxxgmxu.exe	30
PID 1220 wrote to memory of 2024	1220	Explorer.EXE	31
PID 1220 wrote to memory of 2024	1220	Explorer.EXE	31
PID 1220 wrote to memory of 2024	1220	Explorer.EXE	31
PID 1220 wrote to memory of 2024	1220	Explorer.EXE	31
PID 2024 wrote to memory of 1496	2024	systray.exe	34
PID 2024 wrote to memory of 1496	2024	systray.exe	34
PID 2024 wrote to memory of 1496	2024	systray.exe	34
PID 2024 wrote to memory of 1496	2024	systray.exe	34
PID 2024 wrote to memory of 1496	2024	systray.exe	34

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Users\Admin\AppData\Local\Temp\Purchase Contract#436564.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase Contract#436564.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Users\Admin\AppData\Local\Temp\rqvtxxgmxu.exe
    "C:\Users\Admin\AppData\Local\Temp\rqvtxxgmxu.exe" C:\Users\Admin\AppData\Local\Temp\vnbpm.b
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Users\Admin\AppData\Local\Temp\rqvtxxgmxu.exe
      "C:\Users\Admin\AppData\Local\Temp\rqvtxxgmxu.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:1740
- C:\Windows\SysWOW64\systray.exe
  "C:\Windows\SysWOW64\systray.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fnjbf.yob

Filesize
205KB

MD5
bace35e0b3c975bab15d8b2f8cdf6f62

SHA1
ec93871f01efd20d4dc36a99d23046190d72238c

SHA256
28b3c3562aa89b879276569fd20f127039416c26929727a7c81a9c328a831c24

SHA512
66eab0d5605ea9b5ae2402de68cb06ef13ceb901586aafeba8db3b842c54fc3fae9337c27bf373d2ee32e56f8399ed833de937dd934c85769a6ffdd1cf8aeee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\rqvtxxgmxu.exe

Filesize
90KB

MD5
0bbd9e5455fd2a5462a251a2a209569d

SHA1
d5b8112de33509e69244b2fc545cc8233222f028

SHA256
446cd7a02d2a607d7343f5ece2325d07392a282497e17b699f8492804d8c7b70

SHA512
231e53468eb1ac3ec3d560c62be2df54f79208dd3a523a46296e6e4edbcd4e5ac63ea18efe300e8db6af08f8dc49328dfad7e94f554e4062d779f57fb2656348

Download Submit
C:\Users\Admin\AppData\Local\Temp\rqvtxxgmxu.exe

Filesize
90KB

MD5
0bbd9e5455fd2a5462a251a2a209569d

SHA1
d5b8112de33509e69244b2fc545cc8233222f028

SHA256
446cd7a02d2a607d7343f5ece2325d07392a282497e17b699f8492804d8c7b70

SHA512
231e53468eb1ac3ec3d560c62be2df54f79208dd3a523a46296e6e4edbcd4e5ac63ea18efe300e8db6af08f8dc49328dfad7e94f554e4062d779f57fb2656348

Download Submit
C:\Users\Admin\AppData\Local\Temp\rqvtxxgmxu.exe

Filesize
90KB

MD5
0bbd9e5455fd2a5462a251a2a209569d

SHA1
d5b8112de33509e69244b2fc545cc8233222f028

SHA256
446cd7a02d2a607d7343f5ece2325d07392a282497e17b699f8492804d8c7b70

SHA512
231e53468eb1ac3ec3d560c62be2df54f79208dd3a523a46296e6e4edbcd4e5ac63ea18efe300e8db6af08f8dc49328dfad7e94f554e4062d779f57fb2656348

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnbpm.b

Filesize
5KB

MD5
48143f52cea2b7aec0a6213c47157d40

SHA1
166020c4204d98e1e9aaf7f10f0151f3e604c653

SHA256
c250588297fac965daf64d348a5d4249fba3b7f578fda6c0f593c373427e3314

SHA512
9523e6c9f120f20181e21f4f2a652180d23270501d735b8b4808a40d6c2ef890c8e9028f88cec05d44a9a0fcc2266f7b76275f8bb5203cc7dce3a1c22e025c74

Download Submit
\Users\Admin\AppData\Local\Temp\rqvtxxgmxu.exe

Filesize
90KB

MD5
0bbd9e5455fd2a5462a251a2a209569d

SHA1
d5b8112de33509e69244b2fc545cc8233222f028

SHA256
446cd7a02d2a607d7343f5ece2325d07392a282497e17b699f8492804d8c7b70

SHA512
231e53468eb1ac3ec3d560c62be2df54f79208dd3a523a46296e6e4edbcd4e5ac63ea18efe300e8db6af08f8dc49328dfad7e94f554e4062d779f57fb2656348

Download Submit
\Users\Admin\AppData\Local\Temp\rqvtxxgmxu.exe

Filesize
90KB

MD5
0bbd9e5455fd2a5462a251a2a209569d

SHA1
d5b8112de33509e69244b2fc545cc8233222f028

SHA256
446cd7a02d2a607d7343f5ece2325d07392a282497e17b699f8492804d8c7b70

SHA512
231e53468eb1ac3ec3d560c62be2df54f79208dd3a523a46296e6e4edbcd4e5ac63ea18efe300e8db6af08f8dc49328dfad7e94f554e4062d779f57fb2656348

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
828KB

MD5
d5ea9b5814553bd2f9bbb8bf0ea94ed6

SHA1
29629836c088dcd968efb321832edcbcfaac5b51

SHA256
5ea67d6b7f67301ca214af511740f26b9e6cc9e16b2c0ec7bba071d05b9bde78

SHA512
6867452995c8354622fe22ce4fb4868d2b9cb28bb31aa60b42f06e494b952f66c427aa66c7af09240954bf55ebcde62d4c7feb9d99e742ea3bc5beb3756a7a1e

Download Submit
memory/1220-67-0x0000000007060000-0x0000000007180000-memory.dmp

Filesize
1.1MB

Download
memory/1220-74-0x0000000006870000-0x000000000693E000-memory.dmp

Filesize
824KB

Download
memory/1220-73-0x0000000006870000-0x000000000693E000-memory.dmp

Filesize
824KB

Download
memory/1740-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1740-66-0x00000000000A0000-0x00000000000B0000-memory.dmp

Filesize
64KB

Download
memory/1740-65-0x00000000008F0000-0x0000000000BF3000-memory.dmp

Filesize
3.0MB

Download
memory/1784-54-0x00000000753C1000-0x00000000753C3000-memory.dmp

Filesize
8KB

Download
memory/2024-70-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/2024-69-0x0000000000E30000-0x0000000000E35000-memory.dmp

Filesize
20KB

Download
memory/2024-71-0x0000000002240000-0x0000000002543000-memory.dmp

Filesize
3.0MB

Download
memory/2024-72-0x00000000004A0000-0x000000000052F000-memory.dmp

Filesize
572KB

Download

Analysis

Sharing