66fa9e8d1cb0406ee13e9441b65b0f0405d6c847dc5cfa2e232342d0d8081dec

General

Target

RFQ02212420.exe
Size

753KB
MD5

a8bd1b12d450b9f4513524f0eacb7359
SHA1

30d688c3923e089ff08facbacbc0cd55499bbca8
SHA256

66fa9e8d1cb0406ee13e9441b65b0f0405d6c847dc5cfa2e232342d0d8081dec
SHA512

7f7f78c08250dcafc0ba3ceb9b2d05e3bf2e62deeba0def71cf6de9e3fc5fee21a7855e2a37b753c1f47ee101ddfbf0801f3daf424cbff58b0de683520a27c4d
SSDEEP

12288:T+DbgnB778QeyRP4az8lAU7Bg6CptS+DWByepN7R6soWWot21y1PknyjVn6cFc4H:6gnBlP4aYlAU9dC/SgMyszFWoQQ8nyj3

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 4860 set thread context of 1924	4860	RFQ02212420.exe	99
PID 1924 set thread context of 3316	1924	RFQ02212420.exe	57
PID 1924 set thread context of 1444	1924	RFQ02212420.exe	101
PID 1444 set thread context of 3316	1444	replace.exe	57
PID 1444 set thread context of 4024	1444	replace.exe	102

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	replace.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
1924	RFQ02212420.exe
1924	RFQ02212420.exe
1924	RFQ02212420.exe
1924	RFQ02212420.exe
1924	RFQ02212420.exe
1924	RFQ02212420.exe
1924	RFQ02212420.exe
1924	RFQ02212420.exe
1924	RFQ02212420.exe
1924	RFQ02212420.exe
1924	RFQ02212420.exe
1924	RFQ02212420.exe
1924	RFQ02212420.exe
1924	RFQ02212420.exe
1924	RFQ02212420.exe
1924	RFQ02212420.exe
1444	replace.exe
1444	replace.exe
1444	replace.exe
1444	replace.exe
1444	replace.exe
1444	replace.exe
1444	replace.exe
1444	replace.exe
1444	replace.exe
1444	replace.exe
1444	replace.exe
1444	replace.exe
1444	replace.exe
1444	replace.exe
1444	replace.exe
1444	replace.exe
1444	replace.exe
1444	replace.exe
1444	replace.exe
1444	replace.exe
1444	replace.exe
1444	replace.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
1924	RFQ02212420.exe
1924	RFQ02212420.exe
1444	replace.exe
1444	replace.exe
1444	replace.exe
1444	replace.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4860 wrote to memory of 1924	4860	RFQ02212420.exe	99
PID 4860 wrote to memory of 1924	4860	RFQ02212420.exe	99
PID 4860 wrote to memory of 1924	4860	RFQ02212420.exe	99
PID 4860 wrote to memory of 1924	4860	RFQ02212420.exe	99
PID 4860 wrote to memory of 1924	4860	RFQ02212420.exe	99
PID 4860 wrote to memory of 1924	4860	RFQ02212420.exe	99
PID 1924 wrote to memory of 1444	1924	RFQ02212420.exe	101
PID 1924 wrote to memory of 1444	1924	RFQ02212420.exe	101
PID 1924 wrote to memory of 1444	1924	RFQ02212420.exe	101
PID 1444 wrote to memory of 4024	1444	replace.exe	102
PID 1444 wrote to memory of 4024	1444	replace.exe	102

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3316
- C:\Users\Admin\AppData\Local\Temp\RFQ02212420.exe
  "C:\Users\Admin\AppData\Local\Temp\RFQ02212420.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4860
- - C:\Users\Admin\AppData\Local\Temp\RFQ02212420.exe
    "C:\Users\Admin\AppData\Local\Temp\RFQ02212420.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1924
  - - C:\Windows\SysWOW64\replace.exe
      "C:\Windows\SysWOW64\replace.exe"
      4⤵
      Suspicious use of SetThreadContext
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:1444
    - - C:\Program Files\Mozilla Firefox\Firefox.exe
        
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        5⤵
        
        PID:4024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4796 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:3884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1444-20-0x0000000001280000-0x00000000012BF000-memory.dmp

Filesize
252KB

Download
memory/1444-35-0x0000000001960000-0x0000000001A05000-memory.dmp

Filesize
660KB

Download
memory/1444-29-0x0000000001280000-0x00000000012BF000-memory.dmp

Filesize
252KB

Download
memory/1444-26-0x0000000001960000-0x0000000001A05000-memory.dmp

Filesize
660KB

Download
memory/1444-25-0x0000000001280000-0x00000000012BF000-memory.dmp

Filesize
252KB

Download
memory/1444-24-0x0000000001AC0000-0x0000000001E0A000-memory.dmp

Filesize
3.3MB

Download
memory/1444-21-0x0000000001280000-0x00000000012BF000-memory.dmp

Filesize
252KB

Download
memory/1924-17-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1924-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1924-22-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1924-23-0x0000000001D60000-0x0000000001D86000-memory.dmp

Filesize
152KB

Download
memory/1924-19-0x0000000001D60000-0x0000000001D86000-memory.dmp

Filesize
152KB

Download
memory/1924-12-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1924-18-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1924-15-0x0000000001A10000-0x0000000001D5A000-memory.dmp

Filesize
3.3MB

Download
memory/3316-27-0x00000000031D0000-0x00000000032B0000-memory.dmp

Filesize
896KB

Download
memory/3316-28-0x00000000031D0000-0x00000000032B0000-memory.dmp

Filesize
896KB

Download
memory/3316-37-0x00000000031D0000-0x00000000032B0000-memory.dmp

Filesize
896KB

Download
memory/4024-36-0x000002C7355C0000-0x000002C73568F000-memory.dmp

Filesize
828KB

Download
memory/4860-4-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/4860-6-0x00000000057F0000-0x0000000005808000-memory.dmp

Filesize
96KB

Download
memory/4860-10-0x0000000006CD0000-0x0000000006D5A000-memory.dmp

Filesize
552KB

Download
memory/4860-9-0x0000000005840000-0x0000000005856000-memory.dmp

Filesize
88KB

Download
memory/4860-5-0x00000000054E0000-0x00000000054EA000-memory.dmp

Filesize
40KB

Download
memory/4860-0-0x0000000074CBE000-0x0000000074CBF000-memory.dmp

Filesize
4KB

Download
memory/4860-3-0x0000000005540000-0x00000000055D2000-memory.dmp

Filesize
584KB

Download
memory/4860-8-0x0000000005820000-0x000000000582E000-memory.dmp

Filesize
56KB

Download
memory/4860-7-0x0000000074CBE000-0x0000000074CBF000-memory.dmp

Filesize
4KB

Download
memory/4860-2-0x0000000005C30000-0x00000000061D4000-memory.dmp

Filesize
5.6MB

Download
memory/4860-1-0x0000000000A30000-0x0000000000AF0000-memory.dmp

Filesize
768KB

Download
memory/4860-11-0x0000000009370000-0x000000000940C000-memory.dmp

Filesize
624KB

Download
memory/4860-14-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing