Analysis
- max time kernel: 141s
- max time network: 123s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-04-2024 12:09
Static task
- static1

Behavioral tasks
- behavioral1: Sample RFQ 1Z8A6A658669149902.exe; Resource win7-20231129-en
- behavioral2: Sample RFQ 1Z8A6A658669149902.exe; Resource win10v2004-20240412-en
- behavioral3: Sample ravnemorens/Frsteinstanserne/Instantiations.ps1; Resource win7-20231129-en
- behavioral4: Sample ravnemorens/Frsteinstanserne/Instantiations.ps1; Resource win10v2004-20240412-en
General
- Target: RFQ 1Z8A6A658669149902.exe
- Size: 520KB
- MD5: ef53493176b714d7c8c972a756cfd806
- SHA1: c7c08850f9dd1706a2a2a5b456f5de2b25eb200c
- SHA256: 1353d2318463be28ebcffe36398b90b873ee21e2bde3d03f929103729c4b95ea
- SHA512: eab8465a629001a43631724aaa9293c229286bebb33c943ce197ce5f17419b9b91c6f9be86c4dec68d4b099871abf3fa05807e99876ffa0ee3497f3a5abac2fa
- SSDEEP: 12288:fnPdhsFldr2BFS3Cr3HUNdAfZBAfYKBuyhleDJB:vPdhoeBYSrHU7K9KBuRJB
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation | process: RFQ 1Z8A6A658669149902.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  Processes:
    pid: 2096 | pid_target: 1684 | process: WerFault.exe | target process: powershell.exe
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  Processes:
    pid: 1684 | process: powershell.exe (9 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeDebugPrivilege | pid: 1684 | process: powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description: PID 1824 wrote to memory of 1684 | pid: 1824 | process: RFQ 1Z8A6A658669149902.exe | target process: powershell.exe (3 identical entries)
    description: PID 1684 wrote to memory of 4984 | pid: 1684 | process: powershell.exe | target process: cmd.exe (3 identical entries)
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\RFQ 1Z8A6A658669149902.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ 1Z8A6A658669149902.exe"
  PID: 1824
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden ; $limpiness=Get-Content 'C:\Users\Admin\AppData\Roaming\Usitative\healthless\hovedanpartshaver\ravnemorens\Frsteinstanserne\Instantiations.Lil';$Sears=$limpiness.SubString(55857,3);.$Sears($limpiness)
    PID: 1684
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
      PID: 4984
    - [depth 3] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 2744
      PID: 2096
      - Program crash
- [depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1684 -ip 1684
  PID: 2816
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- C:\Users\Admin\AppData\Roaming\Usitative\healthless\hovedanpartshaver\ravnemorens\Frsteinstanserne\Instantiations.Lil
  Filesize: 54KB
  MD5: 63d0c546b30964e943c2ac8fd5e236db
  SHA1: 7d46713cb1d3cbfe25efcaf24369fb067d310920
  SHA256: eb26aa5b4ec7a1c0c0ad2be344c02a23f770815a40e84e5b1b5fe24c9b64edda
  SHA512: 91399fec920e3be9526e1af39a632512c6c00cea3566a9ce43fdbadf813c5b2b830620bfc381747b195a4e2c52b8ef4d81295b484ea6ed925979a97b8cf6a1ed
- Filesize: 1KB
  MD5: e31864d7f4f0248a79d9dcd7003846ec
  SHA1: bc5b79b0b008b099f68678e47516193e9d2919c2
  SHA256: 649f4ecbe9697b696cc9419b4b534ac22530b4ba2ac4c57ef40432d57f2d049a
  SHA512: 88702cc800909a05d4f21797fa37d73bac7d28bf70597aa05132d73e303f3f1f0695c0f16717b8150c883fcdd63affa98ecfb250ef5a86ecf80060bfdb3ca089