238a52b29785c4a9706a591fafd362c6688b5c09da2d056eb183a3ff593b13d6

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/03/2024, 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8e79f92675f303e55c493932056f090.exe
Size

127KB
MD5

b8e79f92675f303e55c493932056f090
SHA1

e71cc63e2dcb2c07d3a1687679a1b46e0044a23b
SHA256

238a52b29785c4a9706a591fafd362c6688b5c09da2d056eb183a3ff593b13d6
SHA512

c7857cf83c2f5f73a7dc3323bbdd652a37716d88351014f53abf65062b80d8d42840cab9a6164200e70ee3b5e8c7af8d2413cf92bd8e6f82584843d86b9d46cc
SSDEEP

3072:5wbT6fueklnv/UyPl03CLYRr24OjiX1ce6ndCnMEoD:X7El03CLYRrijFnQgD

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2532	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2608	dconfig.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dconfig.exe	b8e79f92675f303e55c493932056f090.exe
File opened for modification	C:\Windows\SysWOW64\dconfig.exe	b8e79f92675f303e55c493932056f090.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process
PID 2892 set thread context of 0	2892	b8e79f92675f303e55c493932056f090.exe

Kills process with taskkill 8 IoCs

evasion

pid	Process
2656	taskkill.exe
2624	taskkill.exe
2664	taskkill.exe
2368	taskkill.exe
2428	taskkill.exe
2440	taskkill.exe
2984	taskkill.exe
2612	taskkill.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2892	b8e79f92675f303e55c493932056f090.exe
2892	b8e79f92675f303e55c493932056f090.exe
2892	b8e79f92675f303e55c493932056f090.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe
2608	dconfig.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2892	b8e79f92675f303e55c493932056f090.exe
Token: SeDebugPrivilege	2368	taskkill.exe
Token: SeDebugPrivilege	2440	taskkill.exe
Token: SeDebugPrivilege	2984	taskkill.exe
Token: SeDebugPrivilege	2664	taskkill.exe
Token: SeDebugPrivilege	2428	taskkill.exe
Token: SeDebugPrivilege	2624	taskkill.exe
Token: SeDebugPrivilege	2612	taskkill.exe
Token: SeDebugPrivilege	2656	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 2192	2892	b8e79f92675f303e55c493932056f090.exe	28
PID 2892 wrote to memory of 2192	2892	b8e79f92675f303e55c493932056f090.exe	28
PID 2892 wrote to memory of 2192	2892	b8e79f92675f303e55c493932056f090.exe	28
PID 2892 wrote to memory of 2192	2892	b8e79f92675f303e55c493932056f090.exe	28
PID 2892 wrote to memory of 2096	2892	b8e79f92675f303e55c493932056f090.exe	29
PID 2892 wrote to memory of 2096	2892	b8e79f92675f303e55c493932056f090.exe	29
PID 2892 wrote to memory of 2096	2892	b8e79f92675f303e55c493932056f090.exe	29
PID 2892 wrote to memory of 2096	2892	b8e79f92675f303e55c493932056f090.exe	29
PID 2892 wrote to memory of 2900	2892	b8e79f92675f303e55c493932056f090.exe	30
PID 2892 wrote to memory of 2900	2892	b8e79f92675f303e55c493932056f090.exe	30
PID 2892 wrote to memory of 2900	2892	b8e79f92675f303e55c493932056f090.exe	30
PID 2892 wrote to memory of 2900	2892	b8e79f92675f303e55c493932056f090.exe	30
PID 2892 wrote to memory of 2864	2892	b8e79f92675f303e55c493932056f090.exe	32
PID 2892 wrote to memory of 2864	2892	b8e79f92675f303e55c493932056f090.exe	32
PID 2892 wrote to memory of 2864	2892	b8e79f92675f303e55c493932056f090.exe	32
PID 2892 wrote to memory of 2864	2892	b8e79f92675f303e55c493932056f090.exe	32
PID 2096 wrote to memory of 2656	2096	cmd.exe	39
PID 2096 wrote to memory of 2656	2096	cmd.exe	39
PID 2096 wrote to memory of 2656	2096	cmd.exe	39
PID 2096 wrote to memory of 2656	2096	cmd.exe	39
PID 2864 wrote to memory of 2624	2864	cmd.exe	37
PID 2864 wrote to memory of 2624	2864	cmd.exe	37
PID 2864 wrote to memory of 2624	2864	cmd.exe	37
PID 2864 wrote to memory of 2624	2864	cmd.exe	37
PID 2192 wrote to memory of 2664	2192	cmd.exe	38
PID 2192 wrote to memory of 2664	2192	cmd.exe	38
PID 2192 wrote to memory of 2664	2192	cmd.exe	38
PID 2192 wrote to memory of 2664	2192	cmd.exe	38
PID 2900 wrote to memory of 2612	2900	cmd.exe	40
PID 2900 wrote to memory of 2612	2900	cmd.exe	40
PID 2900 wrote to memory of 2612	2900	cmd.exe	40
PID 2900 wrote to memory of 2612	2900	cmd.exe	40
PID 2608 wrote to memory of 2488	2608	dconfig.exe	41
PID 2608 wrote to memory of 2488	2608	dconfig.exe	41
PID 2608 wrote to memory of 2488	2608	dconfig.exe	41
PID 2608 wrote to memory of 2488	2608	dconfig.exe	41
PID 2608 wrote to memory of 2496	2608	dconfig.exe	42
PID 2608 wrote to memory of 2496	2608	dconfig.exe	42
PID 2608 wrote to memory of 2496	2608	dconfig.exe	42
PID 2608 wrote to memory of 2496	2608	dconfig.exe	42
PID 2608 wrote to memory of 2292	2608	dconfig.exe	43
PID 2608 wrote to memory of 2292	2608	dconfig.exe	43
PID 2608 wrote to memory of 2292	2608	dconfig.exe	43
PID 2608 wrote to memory of 2292	2608	dconfig.exe	43
PID 2608 wrote to memory of 2652	2608	dconfig.exe	46
PID 2608 wrote to memory of 2652	2608	dconfig.exe	46
PID 2608 wrote to memory of 2652	2608	dconfig.exe	46
PID 2608 wrote to memory of 2652	2608	dconfig.exe	46
PID 2892 wrote to memory of 2532	2892	b8e79f92675f303e55c493932056f090.exe	49
PID 2892 wrote to memory of 2532	2892	b8e79f92675f303e55c493932056f090.exe	49
PID 2892 wrote to memory of 2532	2892	b8e79f92675f303e55c493932056f090.exe	49
PID 2892 wrote to memory of 2532	2892	b8e79f92675f303e55c493932056f090.exe	49
PID 2496 wrote to memory of 2368	2496	cmd.exe	50
PID 2496 wrote to memory of 2368	2496	cmd.exe	50
PID 2496 wrote to memory of 2368	2496	cmd.exe	50
PID 2496 wrote to memory of 2368	2496	cmd.exe	50
PID 2488 wrote to memory of 2428	2488	cmd.exe	51
PID 2488 wrote to memory of 2428	2488	cmd.exe	51
PID 2488 wrote to memory of 2428	2488	cmd.exe	51
PID 2488 wrote to memory of 2428	2488	cmd.exe	51
PID 2292 wrote to memory of 2440	2292	cmd.exe	52
PID 2292 wrote to memory of 2440	2292	cmd.exe	52
PID 2292 wrote to memory of 2440	2292	cmd.exe	52
PID 2292 wrote to memory of 2440	2292	cmd.exe	52

C:\Users\Admin\AppData\Local\Temp\b8e79f92675f303e55c493932056f090.exe
"C:\Users\Admin\AppData\Local\Temp\b8e79f92675f303e55c493932056f090.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwmain.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwmain.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2664
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwsrv.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwsrv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2656
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwstub.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwstub.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2612
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwproxy.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwproxy.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B8E79F~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2532

C:\Windows\SysWOW64\dconfig.exe
C:\Windows\SysWOW64\dconfig.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwmain.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwmain.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2428
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwsrv.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwsrv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2368
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwstub.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwstub.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2440
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwproxy.exe
  2⤵
  PID:2652
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwproxy.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2984

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\dconfig.exe

Filesize
127KB

MD5
b8e79f92675f303e55c493932056f090

SHA1
e71cc63e2dcb2c07d3a1687679a1b46e0044a23b

SHA256
238a52b29785c4a9706a591fafd362c6688b5c09da2d056eb183a3ff593b13d6

SHA512
c7857cf83c2f5f73a7dc3323bbdd652a37716d88351014f53abf65062b80d8d42840cab9a6164200e70ee3b5e8c7af8d2413cf92bd8e6f82584843d86b9d46cc

Download Submit
memory/2608-11-0x0000000000400000-0x0000000000425500-memory.dmp

Filesize
149KB

Download
memory/2608-13-0x0000000000400000-0x0000000000425500-memory.dmp

Filesize
149KB

Download
memory/2608-20-0x0000000000400000-0x0000000000425500-memory.dmp

Filesize
149KB

Download
memory/2608-7-0x0000000000400000-0x0000000000425500-memory.dmp

Filesize
149KB

Download
memory/2608-8-0x0000000000400000-0x0000000000425500-memory.dmp

Filesize
149KB

Download
memory/2608-9-0x0000000000400000-0x0000000000425500-memory.dmp

Filesize
149KB

Download
memory/2608-10-0x0000000000400000-0x0000000000425500-memory.dmp

Filesize
149KB

Download
memory/2608-19-0x0000000000400000-0x0000000000425500-memory.dmp

Filesize
149KB

Download
memory/2608-5-0x0000000000400000-0x0000000000425500-memory.dmp

Filesize
149KB

Download
memory/2608-14-0x0000000000400000-0x0000000000425500-memory.dmp

Filesize
149KB

Download
memory/2608-12-0x0000000000400000-0x0000000000425500-memory.dmp

Filesize
149KB

Download
memory/2608-15-0x0000000000400000-0x0000000000425500-memory.dmp

Filesize
149KB

Download
memory/2608-16-0x0000000000400000-0x0000000000425500-memory.dmp

Filesize
149KB

Download
memory/2608-17-0x0000000000400000-0x0000000000425500-memory.dmp

Filesize
149KB

Download
memory/2608-18-0x0000000000400000-0x0000000000425500-memory.dmp

Filesize
149KB

Download
memory/2892-0-0x0000000000400000-0x0000000000425500-memory.dmp

Filesize
149KB

Download
memory/2892-6-0x0000000000400000-0x0000000000425500-memory.dmp

Filesize
149KB

Download