58357272406c20e677f34777d792bdecc67f8502616621858a609d9cd8e3bd7e

Analysis

max time kernel
140s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 14:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RFQ Metabo.exe
Size

365KB
MD5

8860d299597463c63b673807c8bbf88a
SHA1

c3a0c0892a745d2c543483323f8d7550df0ef6cf
SHA256

58357272406c20e677f34777d792bdecc67f8502616621858a609d9cd8e3bd7e
SHA512

cab519122088f15ce9169c343d679e8b06df706e1521edf74cbb21c88684b89d88369a7768097913666921cf5407515a61341ea010c24380916668e3b601faa1
SSDEEP

6144:LnPdudwDO1Gzve+hNYRtbEJxIm0mayUPA4NyoWJUE/zKV01ribs8gH7KpqUT4HL/:LnPdC1a3SRtb79JVcoWJUQzKV01rio8k

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4292	crbnlxhju.exe
4804	crbnlxhju.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4292 set thread context of 4804	4292	crbnlxhju.exe	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4296	4804	WerFault.exe	87

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4292	crbnlxhju.exe
4292	crbnlxhju.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 4292	1720	RFQ Metabo.exe	83
PID 1720 wrote to memory of 4292	1720	RFQ Metabo.exe	83
PID 1720 wrote to memory of 4292	1720	RFQ Metabo.exe	83
PID 4292 wrote to memory of 4804	4292	crbnlxhju.exe	87
PID 4292 wrote to memory of 4804	4292	crbnlxhju.exe	87
PID 4292 wrote to memory of 4804	4292	crbnlxhju.exe	87
PID 4292 wrote to memory of 4804	4292	crbnlxhju.exe	87

C:\Users\Admin\AppData\Local\Temp\RFQ Metabo.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ Metabo.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Local\Temp\crbnlxhju.exe
  "C:\Users\Admin\AppData\Local\Temp\crbnlxhju.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4292
- - C:\Users\Admin\AppData\Local\Temp\crbnlxhju.exe
    "C:\Users\Admin\AppData\Local\Temp\crbnlxhju.exe"
    3⤵
    - Executes dropped EXE
    PID:4804
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 184
      4⤵
      Program crash
      PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4804 -ip 4804
1⤵
PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\crbnlxhju.exe

Filesize
176KB

MD5
55d885aa63740085aac08943963387f8

SHA1
57efc4cd02df273a7c801749890cfca84d438776

SHA256
12b2a55f7a47a0b31b3f205a29255edf2c3244e0b12b3a02343dc3669cb80e8b

SHA512
bc7eff12c4ce0ea6caf3cc817d10772ed76f61a7301722d322cce5c7470b0cfde0417450234ff03269bbd57025198d7895b04d72c0f89cf331f48ba851e5f274

Download Submit
C:\Users\Admin\AppData\Local\Temp\crbnlxhju.exe

Filesize
176KB

MD5
55d885aa63740085aac08943963387f8

SHA1
57efc4cd02df273a7c801749890cfca84d438776

SHA256
12b2a55f7a47a0b31b3f205a29255edf2c3244e0b12b3a02343dc3669cb80e8b

SHA512
bc7eff12c4ce0ea6caf3cc817d10772ed76f61a7301722d322cce5c7470b0cfde0417450234ff03269bbd57025198d7895b04d72c0f89cf331f48ba851e5f274

Download Submit
C:\Users\Admin\AppData\Local\Temp\crbnlxhju.exe

Filesize
176KB

MD5
55d885aa63740085aac08943963387f8

SHA1
57efc4cd02df273a7c801749890cfca84d438776

SHA256
12b2a55f7a47a0b31b3f205a29255edf2c3244e0b12b3a02343dc3669cb80e8b

SHA512
bc7eff12c4ce0ea6caf3cc817d10772ed76f61a7301722d322cce5c7470b0cfde0417450234ff03269bbd57025198d7895b04d72c0f89cf331f48ba851e5f274

Download Submit
C:\Users\Admin\AppData\Local\Temp\fpcozbyxrur.l

Filesize
250KB

MD5
0922d35c8e925d490ea52939eca4afef

SHA1
12436881172a6a13852a46bf6e7a37f3dc1258f8

SHA256
32fba6466a5cd04ceb0fa43caabb409a4f5f7398972569f7a7a3ee53e299e4b1

SHA512
6fe786f644c281ca6a884e1865f77cd75209a5ad5b1fa3d3f46edcd50292ef6330036cf5a0b79577284ea2d74f1bd7fb9452975eb59a545b854cc87fe72b6021

Download Submit
memory/4292-5-0x0000000002680000-0x0000000002682000-memory.dmp

Filesize
8KB

Download
memory/4804-7-0x0000000000730000-0x000000000076A000-memory.dmp

Filesize
232KB

Download