Analysis
-
max time kernel
150s -
max time network
34s -
platform
windows7_x64 -
resource
win7-20230703-en -
resource tags
arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system -
submitted
04-07-2023 08:12
Static task
static1
Behavioral task
behavioral1
Sample
RFQ 6000066536.exe
Resource
win7-20230703-en
Behavioral task
behavioral2
Sample
RFQ 6000066536.exe
Resource
win10v2004-20230703-en
General
-
Target
RFQ 6000066536.exe
-
Size
373KB
-
MD5
e27c0c55beced8afe48593bfd8bf330a
-
SHA1
65d99ebb9c66bd65738c318727617e145cb7a331
-
SHA256
4f46b17d1db8bdb30b33dfa8ed5335149bb4f920780e349b6b02155e337c8b57
-
SHA512
0b11e5e5ac89fec53a57b7dcce85d01a7a9dd9774a1964644db2ec6ebdaa6cd7a465c088601b19c635534568100e10f6cbff711cf3368a5aea82d6af664d5214
-
SSDEEP
6144:vYa6fNfrzvw86FftvVMUVHS0ldyYcpco7Kk02gtZvvFcijeWUofUVkdyZ4:vYVNo86fSUVy0ObBivFtSdofeW
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Control Panel\International\Geo\Nation RFQ 6000066536.exe -
Loads dropped DLL 1 IoCs
pid Process 2148 RFQ 6000066536.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Windows\CurrentVersion\Run\ensnw = "C:\\Users\\Admin\\AppData\\Roaming\\jnwscxhq\\mvfbkgpyu.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\RFQ 6000066536.exe\"" RFQ 6000066536.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2148 set thread context of 2264 2148 RFQ 6000066536.exe 28 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 31 IoCs
pid Process 2264 RFQ 6000066536.exe 2264 RFQ 6000066536.exe 2264 RFQ 6000066536.exe 2264 RFQ 6000066536.exe 2264 RFQ 6000066536.exe 2264 RFQ 6000066536.exe 2264 RFQ 6000066536.exe 2264 RFQ 6000066536.exe 2264 RFQ 6000066536.exe 2264 RFQ 6000066536.exe 2264 RFQ 6000066536.exe 2264 RFQ 6000066536.exe 2264 RFQ 6000066536.exe 2264 RFQ 6000066536.exe 2264 RFQ 6000066536.exe 2264 RFQ 6000066536.exe 2264 RFQ 6000066536.exe 2264 RFQ 6000066536.exe 2264 RFQ 6000066536.exe 2264 RFQ 6000066536.exe 2264 RFQ 6000066536.exe 2264 RFQ 6000066536.exe 2264 RFQ 6000066536.exe 2264 RFQ 6000066536.exe 2264 RFQ 6000066536.exe 2264 RFQ 6000066536.exe 2264 RFQ 6000066536.exe 2264 RFQ 6000066536.exe 2264 RFQ 6000066536.exe 2264 RFQ 6000066536.exe 2264 RFQ 6000066536.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2148 RFQ 6000066536.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2264 RFQ 6000066536.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 2148 wrote to memory of 2264 2148 RFQ 6000066536.exe 28 PID 2148 wrote to memory of 2264 2148 RFQ 6000066536.exe 28 PID 2148 wrote to memory of 2264 2148 RFQ 6000066536.exe 28 PID 2148 wrote to memory of 2264 2148 RFQ 6000066536.exe 28 PID 2148 wrote to memory of 2264 2148 RFQ 6000066536.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\RFQ 6000066536.exe"C:\Users\Admin\AppData\Local\Temp\RFQ 6000066536.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Users\Admin\AppData\Local\Temp\RFQ 6000066536.exe"C:\Users\Admin\AppData\Local\Temp\RFQ 6000066536.exe"2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2264
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
277KB
MD56335f447e0555fca1d51629ae9a39f35
SHA1a3c6efb1e8d5691f92036ef558a45e0f16ca9f9c
SHA25694dcfc7778c2e65c6d565a5ea966a5774667e25c325a932a43cb3da0d97bd98a
SHA512c987a6431663e9a82f27afda024731b667bc794cca7a6623efe4c4e55c74cc900d22795f8e78af83d12fc9d632e8ac129e41d406b54bba9b84276a11b2223cc4