731f8467492e53038d6e0ee012349433beb55070b7dc9efe94ebca5441c92997

General

Target

RFQ QUG24-2003700542XXX.exe
Size

735KB
MD5

67e8394308a06ffee627c77b7d3d16ea
SHA1

e0d9daad8296d2f757cc442d1d1f1302d7aec13b
SHA256

631e9daaee241678334ffae4db8bae66a2781fac9bacb73676ee248917deae3f
SHA512

2081ce36d917c75157c9c2be12dfee62ea7ffee18c809eee51c7415e5ef9b1868398f2d95412b71a7d2e5d1d24570513d6a5f242f67a30744ef9ca6a401bf48a
SSDEEP

12288:IWEY5/l9s22BEEzFatnMwpOl555EQK+AlkKr0HBZR6ZUlo8if:gA/l9s3BEWwpOz55/K+Alk0IeUloP

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

3020 powershell.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

RFQ QUG24-2003700542XXX.exe

description pid process target process

PID 2168 set thread context of 2732 2168 RFQ QUG24-2003700542XXX.exe RFQ QUG24-2003700542XXX.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3000 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RFQ QUG24-2003700542XXX.exepowershell.exe

pid process

2168 RFQ QUG24-2003700542XXX.exe
3020 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RFQ QUG24-2003700542XXX.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2168 RFQ QUG24-2003700542XXX.exe
Token: SeDebugPrivilege 3020 powershell.exe

pid	process
3020	powershell.exe

description	pid	process	target process
PID 2168 set thread context of 2732	2168	RFQ QUG24-2003700542XXX.exe	RFQ QUG24-2003700542XXX.exe

pid	process
3000	schtasks.exe

pid	process
2168	RFQ QUG24-2003700542XXX.exe
3020	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2168	RFQ QUG24-2003700542XXX.exe
Token: SeDebugPrivilege	3020	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

RFQ QUG24-2003700542XXX.exe

description	pid	process	target process
PID 2168 wrote to memory of 3020	2168	RFQ QUG24-2003700542XXX.exe	powershell.exe
PID 2168 wrote to memory of 3020	2168	RFQ QUG24-2003700542XXX.exe	powershell.exe
PID 2168 wrote to memory of 3020	2168	RFQ QUG24-2003700542XXX.exe	powershell.exe
PID 2168 wrote to memory of 3000	2168	RFQ QUG24-2003700542XXX.exe	schtasks.exe
PID 2168 wrote to memory of 3000	2168	RFQ QUG24-2003700542XXX.exe	schtasks.exe
PID 2168 wrote to memory of 3000	2168	RFQ QUG24-2003700542XXX.exe	schtasks.exe
PID 2168 wrote to memory of 2732	2168	RFQ QUG24-2003700542XXX.exe	RFQ QUG24-2003700542XXX.exe
PID 2168 wrote to memory of 2732	2168	RFQ QUG24-2003700542XXX.exe	RFQ QUG24-2003700542XXX.exe
PID 2168 wrote to memory of 2732	2168	RFQ QUG24-2003700542XXX.exe	RFQ QUG24-2003700542XXX.exe
PID 2168 wrote to memory of 2732	2168	RFQ QUG24-2003700542XXX.exe	RFQ QUG24-2003700542XXX.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\RFQ QUG24-2003700542XXX.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ QUG24-2003700542XXX.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mZpTaf.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mZpTaf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAED5.tmp"
2⤵
- Creates scheduled task(s)
PID:3000

C:\Users\Admin\AppData\Local\Temp\RFQ QUG24-2003700542XXX.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ QUG24-2003700542XXX.exe"
2⤵
PID:2732

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpAED5.tmp
Filesize
1KB

MD5
0022c86fd8f76dc506e033e2a80b430a

SHA1
faa77e76c025f3c6749ff141656d7f65c94b59d7

SHA256
d4dc52edab06e14e0caf53129ea07f39ee25a2d35613440292bfb48fecd5f3f7

SHA512
f5ce2c9f1e2f42b8c201f6de0b383e30e87f78fa85711c5e8cf7cdcc26ebc6b799b15ddbc00d86611293c397a1bc1731b99bec9696325d20f0f662ecf0386396

Download Submit
memory/2168-3-0x0000000000A40000-0x0000000000A5C000-memory.dmp

Filesize
112KB

Download
memory/2168-2-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

Filesize
9.9MB

Download
memory/2168-1-0x000000013FB40000-0x000000013FBFC000-memory.dmp

Filesize
752KB

Download
memory/2168-0-0x000007FEF5063000-0x000007FEF5064000-memory.dmp

Filesize
4KB

Download
memory/2168-4-0x0000000000770000-0x0000000000784000-memory.dmp

Filesize
80KB

Download
memory/2168-5-0x000000001BF30000-0x000000001BFB0000-memory.dmp

Filesize
512KB

Download
memory/2168-16-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

Filesize
9.9MB

Download
memory/2732-15-0x000007FFFFFDC000-0x000007FFFFFDD000-memory.dmp

Filesize
4KB

Download
memory/3020-17-0x000000001B310000-0x000000001B5F2000-memory.dmp

Filesize
2.9MB

Download
memory/3020-18-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads