Analysis
max time kernel: 135s
max time network: 122s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 21/07/2023, 07:20
Static task: static1
Behavioral task: behavioral1
Sample: ENERCOV RFQ (PO 20225181).exe
Resource: win7-20230712-en
General
Target: ENERCOV RFQ (PO 20225181).exe
Size: 1.1MB
MD5: 2a46dbb7dd532d1d6624887801988e5e
SHA1: 0908803bedca22350152b0be22eba35f84d5b6d0
SHA256: 8114a7dc930bc7b12b35b25d097b7136649c1633f9a0cb2792498aaab7a68936
SHA512: a0b735c1490bc802e701049039a29c624e086e4797091e2dbd78d9ba9c743995c7275e979f543fc129f71d0040d2573643619746e48811dbe6a6993021d23f56
SSDEEP: 24576:ltmmjBGjFVtUxZPux3AGjUCUMqQnFPZitJ4z4WQ:lKPt+5uxVwQnhAazpQ
Malware Config
Extracted
darkcloud
- email_from
- email_to
Signatures
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 2308 set thread context of 756 | 2308 | ENERCOV RFQ (PO 20225181).exe | 34
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2232 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid | Process
  2636 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2636 | powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  756 | ENERCOV RFQ (PO 20225181).exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  description | pid | Process | procid_target
  PID 2308 wrote to memory of 2636 | 2308 | ENERCOV RFQ (PO 20225181).exe | 30
  PID 2308 wrote to memory of 2636 | 2308 | ENERCOV RFQ (PO 20225181).exe | 30
  PID 2308 wrote to memory of 2636 | 2308 | ENERCOV RFQ (PO 20225181).exe | 30
  PID 2308 wrote to memory of 2636 | 2308 | ENERCOV RFQ (PO 20225181).exe | 30
  PID 2308 wrote to memory of 2232 | 2308 | ENERCOV RFQ (PO 20225181).exe | 32
  PID 2308 wrote to memory of 2232 | 2308 | ENERCOV RFQ (PO 20225181).exe | 32
  PID 2308 wrote to memory of 2232 | 2308 | ENERCOV RFQ (PO 20225181).exe | 32
  PID 2308 wrote to memory of 2232 | 2308 | ENERCOV RFQ (PO 20225181).exe | 32
  PID 2308 wrote to memory of 756 | 2308 | ENERCOV RFQ (PO 20225181).exe | 34
  PID 2308 wrote to memory of 756 | 2308 | ENERCOV RFQ (PO 20225181).exe | 34
  PID 2308 wrote to memory of 756 | 2308 | ENERCOV RFQ (PO 20225181).exe | 34
  PID 2308 wrote to memory of 756 | 2308 | ENERCOV RFQ (PO 20225181).exe | 34
  PID 2308 wrote to memory of 756 | 2308 | ENERCOV RFQ (PO 20225181).exe | 34
  PID 2308 wrote to memory of 756 | 2308 | ENERCOV RFQ (PO 20225181).exe | 34
  PID 2308 wrote to memory of 756 | 2308 | ENERCOV RFQ (PO 20225181).exe | 34
  PID 2308 wrote to memory of 756 | 2308 | ENERCOV RFQ (PO 20225181).exe | 34
  PID 2308 wrote to memory of 756 | 2308 | ENERCOV RFQ (PO 20225181).exe | 34
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\ENERCOV RFQ (PO 20225181).exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ENERCOV RFQ (PO 20225181).exe"
  PID: 2308
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\RWIZKkp.exe"
    PID: 2636
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - Level 2: C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RWIZKkp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7262.tmp"
    PID: 2232
    - Creates scheduled task(s)
  - Level 2: C:\Users\Admin\AppData\Local\Temp\ENERCOV RFQ (PO 20225181).exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ENERCOV RFQ (PO 20225181).exe"
    PID: 756
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 015fe15eff137801062f8d4d8f416d34
  SHA1: 99af22b69c1712f460013384b267f4009c87d836
  SHA256: d513f8b138f7dbfcb2872f7b4c1e1712a85448c0826248e466305f614451f4c6
  SHA512: 0e0e2d3a717985798dc0e756e529bb754312c2807ae6c9e0c6d241fa0b1a8b7e60e55a3d88ed25356aad5a9868dea6f0303b5e543a0632320da26101f68089e2