Overview

overview

8

Static

static

1

RFQ.exe

windows7-x64

8

RFQ.exe

windows10-2004-x64

8

Vaadomraad...et.ps1

windows7-x64

8

Vaadomraad...et.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    132s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    03/05/2024, 13:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Vaadomraadernes/Oilpaper/Mcens/fokusering/Drsalget.ps1

  • Size

    56KB

  • MD5

    beafe0ef9151f5c648d72af104138e55

  • SHA1

    dd5307005999c525a7ae1a078f693edb8641b3c6

  • SHA256

    563d93bcff692455852ef8163a9ffc651b5defa4473e82306d37e45e182e7ecc

  • SHA512

    768dc7b63dd5efb2c391a50a76416f8153f826d462ddf592034634913437e3aa21be1dab8ba5feeaec695f514ae4042f4401658d2b51057897c4859a03f756c5

  • SSDEEP

    1536:q3goIn4k04e2H/oCyxc2ulMNlqQmULJXIZCy0uDV2xhE:q3g9n5E2Hjh2uly+ULJ4p0uD8hE

Score
8/10
executionpersistence

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of FindShellTrayWindow 29 IoCs
  • Suspicious use of SendNotifyMessage 22 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Vaadomraadernes\Oilpaper\Mcens\fokusering\Drsalget.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2192
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
      2⤵
        PID:2572
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "2192" "1088"
        2⤵
          PID:2544
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2652

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259401870.txt
        Filesize

        1KB

        MD5

        0620e6f7ae7402fa3a055002b72884e6

        SHA1

        16d7c16e052c310233e1fece468c5522638f9633

        SHA256

        f85f14cdf583dc3b0855e503fbf2f3e19ae3ccb8f543cd77d1ed184f5d599ed6

        SHA512

        5cee2e2897c335b07161473016f7f3a4c54e0ee3b6f979a11dd09ec7c0bac02911120ff87a207d3623149469708984ea9477e318d276bb6d2745ca7c312e8dc6

        Download Submit

      • memory/2192-4-0x000007FEF5B9E000-0x000007FEF5B9F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2192-6-0x0000000001E80000-0x0000000001E88000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2192-5-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2192-7-0x000007FEF58E0000-0x000007FEF627D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2192-8-0x000007FEF58E0000-0x000007FEF627D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2192-9-0x000007FEF58E0000-0x000007FEF627D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2192-10-0x000007FEF58E0000-0x000007FEF627D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2192-11-0x000007FEF58E0000-0x000007FEF627D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2192-13-0x000007FEF58E0000-0x000007FEF627D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2192-16-0x000007FEF58E0000-0x000007FEF627D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2652-20-0x0000000002190000-0x00000000021A0000-memory.dmp

        Filesize

        64KB

        Download