238a52b29785c4a9706a591fafd362c6688b5c09da2d056eb183a3ff593b13d6

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2024, 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8e79f92675f303e55c493932056f090.exe
Size

127KB
MD5

b8e79f92675f303e55c493932056f090
SHA1

e71cc63e2dcb2c07d3a1687679a1b46e0044a23b
SHA256

238a52b29785c4a9706a591fafd362c6688b5c09da2d056eb183a3ff593b13d6
SHA512

c7857cf83c2f5f73a7dc3323bbdd652a37716d88351014f53abf65062b80d8d42840cab9a6164200e70ee3b5e8c7af8d2413cf92bd8e6f82584843d86b9d46cc
SSDEEP

3072:5wbT6fueklnv/UyPl03CLYRr24OjiX1ce6ndCnMEoD:X7El03CLYRrijFnQgD

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4088	dconfig.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dconfig.exe	b8e79f92675f303e55c493932056f090.exe
File opened for modification	C:\Windows\SysWOW64\dconfig.exe	b8e79f92675f303e55c493932056f090.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process
PID 4908 set thread context of 0	4908	b8e79f92675f303e55c493932056f090.exe

Kills process with taskkill 8 IoCs

evasion

pid	Process
4992	taskkill.exe
3808	taskkill.exe
2420	taskkill.exe
2148	taskkill.exe
4584	taskkill.exe
2536	taskkill.exe
4864	taskkill.exe
4420	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4908	b8e79f92675f303e55c493932056f090.exe
4908	b8e79f92675f303e55c493932056f090.exe
4908	b8e79f92675f303e55c493932056f090.exe
4908	b8e79f92675f303e55c493932056f090.exe
4908	b8e79f92675f303e55c493932056f090.exe
4908	b8e79f92675f303e55c493932056f090.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe
4088	dconfig.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4908	b8e79f92675f303e55c493932056f090.exe
Token: SeDebugPrivilege	2148	taskkill.exe
Token: SeDebugPrivilege	4584	taskkill.exe
Token: SeDebugPrivilege	2536	taskkill.exe
Token: SeDebugPrivilege	4864	taskkill.exe
Token: SeDebugPrivilege	4420	taskkill.exe
Token: SeDebugPrivilege	4992	taskkill.exe
Token: SeDebugPrivilege	3808	taskkill.exe
Token: SeDebugPrivilege	2420	taskkill.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 1932	4908	b8e79f92675f303e55c493932056f090.exe	88
PID 4908 wrote to memory of 1932	4908	b8e79f92675f303e55c493932056f090.exe	88
PID 4908 wrote to memory of 1932	4908	b8e79f92675f303e55c493932056f090.exe	88
PID 4908 wrote to memory of 3268	4908	b8e79f92675f303e55c493932056f090.exe	89
PID 4908 wrote to memory of 3268	4908	b8e79f92675f303e55c493932056f090.exe	89
PID 4908 wrote to memory of 3268	4908	b8e79f92675f303e55c493932056f090.exe	89
PID 4908 wrote to memory of 2720	4908	b8e79f92675f303e55c493932056f090.exe	90
PID 4908 wrote to memory of 2720	4908	b8e79f92675f303e55c493932056f090.exe	90
PID 4908 wrote to memory of 2720	4908	b8e79f92675f303e55c493932056f090.exe	90
PID 4908 wrote to memory of 1780	4908	b8e79f92675f303e55c493932056f090.exe	91
PID 4908 wrote to memory of 1780	4908	b8e79f92675f303e55c493932056f090.exe	91
PID 4908 wrote to memory of 1780	4908	b8e79f92675f303e55c493932056f090.exe	91
PID 4088 wrote to memory of 4048	4088	dconfig.exe	97
PID 4088 wrote to memory of 4048	4088	dconfig.exe	97
PID 4088 wrote to memory of 4048	4088	dconfig.exe	97
PID 4088 wrote to memory of 1320	4088	dconfig.exe	98
PID 4088 wrote to memory of 1320	4088	dconfig.exe	98
PID 4088 wrote to memory of 1320	4088	dconfig.exe	98
PID 4088 wrote to memory of 1764	4088	dconfig.exe	99
PID 4088 wrote to memory of 1764	4088	dconfig.exe	99
PID 4088 wrote to memory of 1764	4088	dconfig.exe	99
PID 4088 wrote to memory of 1532	4088	dconfig.exe	100
PID 4088 wrote to memory of 1532	4088	dconfig.exe	100
PID 4088 wrote to memory of 1532	4088	dconfig.exe	100
PID 4908 wrote to memory of 1452	4908	b8e79f92675f303e55c493932056f090.exe	101
PID 4908 wrote to memory of 1452	4908	b8e79f92675f303e55c493932056f090.exe	101
PID 4908 wrote to memory of 1452	4908	b8e79f92675f303e55c493932056f090.exe	101
PID 3268 wrote to memory of 2148	3268	cmd.exe	106
PID 3268 wrote to memory of 2148	3268	cmd.exe	106
PID 3268 wrote to memory of 2148	3268	cmd.exe	106
PID 4048 wrote to memory of 4584	4048	cmd.exe	107
PID 4048 wrote to memory of 4584	4048	cmd.exe	107
PID 4048 wrote to memory of 4584	4048	cmd.exe	107
PID 1932 wrote to memory of 4864	1932	cmd.exe	108
PID 1932 wrote to memory of 4864	1932	cmd.exe	108
PID 1932 wrote to memory of 4864	1932	cmd.exe	108
PID 2720 wrote to memory of 2536	2720	cmd.exe	109
PID 2720 wrote to memory of 2536	2720	cmd.exe	109
PID 2720 wrote to memory of 2536	2720	cmd.exe	109
PID 1532 wrote to memory of 4420	1532	cmd.exe	110
PID 1532 wrote to memory of 4420	1532	cmd.exe	110
PID 1532 wrote to memory of 4420	1532	cmd.exe	110
PID 1764 wrote to memory of 3808	1764	cmd.exe	111
PID 1764 wrote to memory of 3808	1764	cmd.exe	111
PID 1764 wrote to memory of 3808	1764	cmd.exe	111
PID 1320 wrote to memory of 4992	1320	cmd.exe	112
PID 1320 wrote to memory of 4992	1320	cmd.exe	112
PID 1320 wrote to memory of 4992	1320	cmd.exe	112
PID 1780 wrote to memory of 2420	1780	cmd.exe	113
PID 1780 wrote to memory of 2420	1780	cmd.exe	113
PID 1780 wrote to memory of 2420	1780	cmd.exe	113

C:\Users\Admin\AppData\Local\Temp\b8e79f92675f303e55c493932056f090.exe
"C:\Users\Admin\AppData\Local\Temp\b8e79f92675f303e55c493932056f090.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwmain.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwmain.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4864
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwsrv.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3268
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwsrv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2148
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwstub.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwstub.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2536
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwproxy.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwproxy.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B8E79F~1.EXE > nul
  2⤵
  PID:1452

C:\Windows\SysWOW64\dconfig.exe
C:\Windows\SysWOW64\dconfig.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwmain.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4048
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwmain.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4584
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwsrv.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1320
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwsrv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4992
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwstub.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwstub.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3808
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwproxy.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwproxy.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4420

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\dconfig.exe

Filesize
127KB

MD5
b8e79f92675f303e55c493932056f090

SHA1
e71cc63e2dcb2c07d3a1687679a1b46e0044a23b

SHA256
238a52b29785c4a9706a591fafd362c6688b5c09da2d056eb183a3ff593b13d6

SHA512
c7857cf83c2f5f73a7dc3323bbdd652a37716d88351014f53abf65062b80d8d42840cab9a6164200e70ee3b5e8c7af8d2413cf92bd8e6f82584843d86b9d46cc

Download Submit
memory/4088-11-0x0000000000400000-0x0000000000425500-memory.dmp

Filesize
149KB

Download
memory/4088-13-0x0000000000400000-0x0000000000425500-memory.dmp

Filesize
149KB

Download
memory/4088-6-0x0000000000400000-0x0000000000425500-memory.dmp

Filesize
149KB

Download
memory/4088-7-0x0000000000400000-0x0000000000425500-memory.dmp

Filesize
149KB

Download
memory/4088-8-0x0000000000400000-0x0000000000425500-memory.dmp

Filesize
149KB

Download
memory/4088-9-0x0000000000400000-0x0000000000425500-memory.dmp

Filesize
149KB

Download
memory/4088-19-0x0000000000400000-0x0000000000425500-memory.dmp

Filesize
149KB

Download
memory/4088-10-0x0000000000400000-0x0000000000425500-memory.dmp

Filesize
149KB

Download
memory/4088-12-0x0000000000400000-0x0000000000425500-memory.dmp

Filesize
149KB

Download
memory/4088-18-0x0000000000400000-0x0000000000425500-memory.dmp

Filesize
149KB

Download
memory/4088-14-0x0000000000400000-0x0000000000425500-memory.dmp

Filesize
149KB

Download
memory/4088-15-0x0000000000400000-0x0000000000425500-memory.dmp

Filesize
149KB

Download
memory/4088-16-0x0000000000400000-0x0000000000425500-memory.dmp

Filesize
149KB

Download
memory/4088-17-0x0000000000400000-0x0000000000425500-memory.dmp

Filesize
149KB

Download
memory/4908-0-0x0000000000400000-0x0000000000425500-memory.dmp

Filesize
149KB

Download
memory/4908-5-0x0000000000400000-0x0000000000425500-memory.dmp

Filesize
149KB

Download