Analysis

max time kernel: 142s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/07/2023, 07:20

Static task: static1
Behavioral task: behavioral1
Sample: ENERCOV RFQ (PO 20225181).exe
Resource: win7-20230712-en
General

Target: ENERCOV RFQ (PO 20225181).exe
Size: 1.1MB
MD5: 2a46dbb7dd532d1d6624887801988e5e
SHA1: 0908803bedca22350152b0be22eba35f84d5b6d0
SHA256: 8114a7dc930bc7b12b35b25d097b7136649c1633f9a0cb2792498aaab7a68936
SHA512: a0b735c1490bc802e701049039a29c624e086e4797091e2dbd78d9ba9c743995c7275e979f543fc129f71d0040d2573643619746e48811dbe6a6993021d23f56
SSDEEP: 24576:ltmmjBGjFVtUxZPux3AGjUCUMqQnFPZitJ4z4WQ:lKPt+5uxVwQnhAazpQ
Malware Config
Extracted
darkcloud
- email_from
- email_to
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence. The queried value holds the Windows GeoID of the user's configured country.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation
  Process: ENERCOV RFQ (PO 20225181).exe

Suspicious use of SetThreadContext (1 IoC)
  description: PID 2080 set thread context of 4848
  pid: 2080
  Process: ENERCOV RFQ (PO 20225181).exe
  procid_target: 102

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid: 4416
  Process: schtasks.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid: 4908  Process: powershell.exe
  pid: 4908  Process: powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid: 4908
  Process: powershell.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid: 4848
  Process: ENERCOV RFQ (PO 20225181).exe

Suspicious use of WriteProcessMemory (14 IoCs; identical rows collapsed, see the rows column)
  description                       pid   Process                         procid_target   rows
  PID 2080 wrote to memory of 4908  2080  ENERCOV RFQ (PO 20225181).exe   98              3
  PID 2080 wrote to memory of 4416  2080  ENERCOV RFQ (PO 20225181).exe   100             3
  PID 2080 wrote to memory of 4848  2080  ENERCOV RFQ (PO 20225181).exe   102             8
Processes

C:\Users\Admin\AppData\Local\Temp\ENERCOV RFQ (PO 20225181).exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\ENERCOV RFQ (PO 20225181).exe"
  PID: 2080
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\RWIZKkp.exe"
    PID: 4908
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe
    cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RWIZKkp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1325.tmp"
    PID: 4416
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\ENERCOV RFQ (PO 20225181).exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\ENERCOV RFQ (PO 20225181).exe"
    PID: 4848
    - Suspicious use of SetWindowsHookEx

Notes on the tree: the child image paths are under SysWOW64 while the command lines name System32 because the sample is 32-bit (arch:x86 tag) and WOW64 file system redirection resolves System32 to SysWOW64 for 32-bit callers; match on the image file name, not on the System32 string from the command line. The Defender exclusion (C:\Users\Admin\AppData\Roaming\RWIZKkp.exe) and the task name (Updates\RWIZKkp) share one stem, so the exclusion covers the persisted copy before it is run from the task; the report does not show the task XML or name a file written to that path. The second copy of the sample (PID 4848) is the target of the SetThreadContext and WriteProcessMemory IoCs from PID 2080, the sequence of a process-hollowing injection into a child of the same image.
-
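The tree above as detection logic. This is an added example written for this page, not code from the sandbox or the report: it rebuilds the four process-creation events by hand from the tree (constructed data; the parent PID 1000 of the first process is an assumption, the report does not show it) and flags the three behaviours the report records, the Defender exclusion, the scheduled task imported from a Temp XML file, and the sample spawning a second copy of itself from a user-writable directory. The exclusion rule generalizes past the report's -ExclusionPath to the other Add-MpPreference exclusion parameters, and the image matching uses the file name so that WOW64-redirected SysWOW64 paths still match.

```python
"""Triage rules over process-creation events, modelled on the tree above.

Added example for this page, not part of the sandbox report. The events are
constructed by hand to mirror the report's process tree; the parent PID of
the first process (1000) is an assumption, the report does not show it.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # image path as the OS reports it (after WOW64 redirection)
    cmdline: str   # command line exactly as the caller supplied it


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ENERCOV RFQ (PO 20225181).exe"

# Constructed events mirroring the report's tree (PIDs 2080, 4908, 4416, 4848).
EVENTS = [
    ProcEvent(2080, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(4908, 2080,
              r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
              r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\RWIZKkp.exe"'),
    ProcEvent(4416, 2080,
              r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RWIZKkp" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp1325.tmp"'),
    ProcEvent(4848, 2080, SAMPLE, f'"{SAMPLE}"'),
]

# Directories a standard user can write to; executables and task XML staged
# here deserve more suspicion than the same actions from Program Files.
USER_WRITABLE = re.compile(r"\\(AppData|Users\\Public|ProgramData|Windows\\Temp)\\", re.I)


def basename(path: str) -> str:
    """Match on the image file name, not the full path: a 32-bit sample's
    children live under SysWOW64 even though the command line says System32."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_defender_exclusion(ev: ProcEvent):
    """Add-MpPreference adding any exclusion type (path, process or extension);
    the report shows -ExclusionPath only, the other two are the same cmdlet."""
    if basename(ev.image) not in ("powershell.exe", "pwsh.exe"):
        return None
    m = re.search(r'add-mppreference\b.*?-exclusion(path|process|extension)\s+"?([^"]+)',
                  ev.cmdline, re.I)
    if not m:
        return None
    return Finding("defender_exclusion", ev.pid, f"{m.group(1).lower()}={m.group(2).strip()}")


def rule_schtasks_from_user_dir(ev: ProcEvent):
    """schtasks /Create importing a task definition (/XML) from a user-writable directory."""
    if basename(ev.image) != "schtasks.exe" or "/create" not in ev.cmdline.lower():
        return None
    xml = re.search(r'/xml\s+"?([^"]+)', ev.cmdline, re.I)
    if not xml or not USER_WRITABLE.search(xml.group(1)):
        return None
    tn = re.search(r'/tn\s+"?([^"]+)', ev.cmdline, re.I)
    return Finding("schtasks_xml_from_user_dir", ev.pid,
                   f"task={tn.group(1) if tn else '?'} xml={xml.group(1)}")


def rule_self_spawn(ev: ProcEvent, by_pid: dict):
    """A process starting a second copy of its own image from a user-writable
    path: the usual prelude to hollowing the child, which the report's
    SetThreadContext and WriteProcessMemory IoCs (2080 -> 4848) then confirm."""
    parent = by_pid.get(ev.ppid)
    if parent is None or parent.image.lower() != ev.image.lower():
        return None
    if not USER_WRITABLE.search(ev.image):
        return None
    return Finding("self_spawn_from_user_dir", ev.pid,
                   f"parent={parent.pid} image={basename(ev.image)}")


def triage(events):
    """Run every rule over every event; returns findings in event order."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        for f in (rule_defender_exclusion(ev),
                  rule_schtasks_from_user_dir(ev),
                  rule_self_spawn(ev, by_pid)):
            if f is not None:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

Run stand-alone it prints one line per finding for PIDs 4908, 4416 and 4848. The self-spawn rule needs the parent's image, so it depends on the parent event being in the same batch; on a live host the same logic runs over Sysmon event 1 (ProcessCreate) records, where ParentImage is already on each event and the lookup can be dropped.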
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 1KB
MD5: 171425d9d3c02678a76b7eb54235434b
SHA1: 7f4f945f7516471ae5f9f4b9fdd254fe9d220ccb
SHA256: 2083f2e3d5d0e2a26c220cca27974a17dae201276ce6328763543e1c6be3a736
SHA512: 18b8cabe6073a697069010a0d14916349e5613be3da86914bab2d6747f392a6084f843e53c6581933e7f5b43d7128bcf1c4387f2a0e06652fe983f02e1233acc