66fa9e8d1cb0406ee13e9441b65b0f0405d6c847dc5cfa2e232342d0d8081dec

General

Target

RFQ02212420.exe
Size

753KB
MD5

a8bd1b12d450b9f4513524f0eacb7359
SHA1

30d688c3923e089ff08facbacbc0cd55499bbca8
SHA256

66fa9e8d1cb0406ee13e9441b65b0f0405d6c847dc5cfa2e232342d0d8081dec
SHA512

7f7f78c08250dcafc0ba3ceb9b2d05e3bf2e62deeba0def71cf6de9e3fc5fee21a7855e2a37b753c1f47ee101ddfbf0801f3daf424cbff58b0de683520a27c4d
SSDEEP

12288:T+DbgnB778QeyRP4az8lAU7Bg6CptS+DWByepN7R6soWWot21y1PknyjVn6cFc4H:6gnBlP4aYlAU9dC/SgMyszFWoQQ8nyj3

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2292 set thread context of 3068	2292	RFQ02212420.exe	29
PID 3068 set thread context of 1208	3068	RFQ02212420.exe	21
PID 3068 set thread context of 3020	3068	RFQ02212420.exe	32
PID 3020 set thread context of 1208	3020	replace.exe	21

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2292	RFQ02212420.exe
3068	RFQ02212420.exe
3068	RFQ02212420.exe
3068	RFQ02212420.exe
3068	RFQ02212420.exe
3068	RFQ02212420.exe
3068	RFQ02212420.exe
3068	RFQ02212420.exe
3068	RFQ02212420.exe
3020	replace.exe
3020	replace.exe
3020	replace.exe
3020	replace.exe
3020	replace.exe
3020	replace.exe
3020	replace.exe
3020	replace.exe
3020	replace.exe
3020	replace.exe
3020	replace.exe
3020	replace.exe
3020	replace.exe
3020	replace.exe
3020	replace.exe
3020	replace.exe
3020	replace.exe
3020	replace.exe
3020	replace.exe
3020	replace.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
3068	RFQ02212420.exe
3068	RFQ02212420.exe
3020	replace.exe
3020	replace.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2292	RFQ02212420.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2640	2292	RFQ02212420.exe	28
PID 2292 wrote to memory of 2640	2292	RFQ02212420.exe	28
PID 2292 wrote to memory of 2640	2292	RFQ02212420.exe	28
PID 2292 wrote to memory of 2640	2292	RFQ02212420.exe	28
PID 2292 wrote to memory of 3068	2292	RFQ02212420.exe	29
PID 2292 wrote to memory of 3068	2292	RFQ02212420.exe	29
PID 2292 wrote to memory of 3068	2292	RFQ02212420.exe	29
PID 2292 wrote to memory of 3068	2292	RFQ02212420.exe	29
PID 2292 wrote to memory of 3068	2292	RFQ02212420.exe	29
PID 2292 wrote to memory of 3068	2292	RFQ02212420.exe	29
PID 2292 wrote to memory of 3068	2292	RFQ02212420.exe	29
PID 3068 wrote to memory of 3020	3068	RFQ02212420.exe	32
PID 3068 wrote to memory of 3020	3068	RFQ02212420.exe	32
PID 3068 wrote to memory of 3020	3068	RFQ02212420.exe	32
PID 3068 wrote to memory of 3020	3068	RFQ02212420.exe	32

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\RFQ02212420.exe
  "C:\Users\Admin\AppData\Local\Temp\RFQ02212420.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Users\Admin\AppData\Local\Temp\RFQ02212420.exe
    "C:\Users\Admin\AppData\Local\Temp\RFQ02212420.exe"
    3⤵
    PID:2640
- - C:\Users\Admin\AppData\Local\Temp\RFQ02212420.exe
    "C:\Users\Admin\AppData\Local\Temp\RFQ02212420.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Windows\SysWOW64\replace.exe
      "C:\Windows\SysWOW64\replace.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:3020

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1208-17-0x0000000003160000-0x0000000003260000-memory.dmp

Filesize
1024KB

Download
memory/1208-19-0x0000000008ED0000-0x000000000BFCE000-memory.dmp

Filesize
49.0MB

Download
memory/2292-12-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/2292-1-0x0000000000A20000-0x0000000000AE0000-memory.dmp

Filesize
768KB

Download
memory/2292-2-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/2292-3-0x00000000005C0000-0x00000000005D8000-memory.dmp

Filesize
96KB

Download
memory/2292-4-0x00000000005F0000-0x00000000005FE000-memory.dmp

Filesize
56KB

Download
memory/2292-5-0x0000000000680000-0x0000000000696000-memory.dmp

Filesize
88KB

Download
memory/2292-6-0x0000000005280000-0x000000000530A000-memory.dmp

Filesize
552KB

Download
memory/2292-0-0x0000000073FBE000-0x0000000073FBF000-memory.dmp

Filesize
4KB

Download
memory/3020-28-0x00000000000C0000-0x00000000000FF000-memory.dmp

Filesize
252KB

Download
memory/3020-25-0x00000000000C0000-0x00000000000FF000-memory.dmp

Filesize
252KB

Download
memory/3020-24-0x0000000002100000-0x0000000002403000-memory.dmp

Filesize
3.0MB

Download
memory/3020-21-0x00000000000C0000-0x00000000000FF000-memory.dmp

Filesize
252KB

Download
memory/3020-26-0x0000000001F70000-0x0000000002015000-memory.dmp

Filesize
660KB

Download
memory/3020-29-0x0000000001F70000-0x0000000002015000-memory.dmp

Filesize
660KB

Download
memory/3020-20-0x00000000000C0000-0x00000000000FF000-memory.dmp

Filesize
252KB

Download
memory/3068-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3068-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3068-18-0x0000000000160000-0x0000000000186000-memory.dmp

Filesize
152KB

Download
memory/3068-14-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3068-23-0x0000000000160000-0x0000000000186000-memory.dmp

Filesize
152KB

Download
memory/3068-22-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3068-13-0x0000000000C70000-0x0000000000F73000-memory.dmp

Filesize
3.0MB

Download
memory/3068-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3068-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3068-11-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3068-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing