4900b43d5fd24f95b56bc3777deeeb6d972f0e7863b988620bfb65bf48a6f2b2

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RFQ_4183321000004562E20000.exe
Size

150.0MB
MD5

379450e55ebb28dfdab7e41b314325c4
SHA1

cdf9ff655925aa8fbd8b8f98285374ae1c122971
SHA256

bf6597b26b2649f2850ba9daa3ee4fbd2d46cbb3ded37cb659137eb5f37893b8
SHA512

dc5bf8483462a638d004240856d65d53b0b79779e6a9b1d05266c06ae1969f422b32a9b73f8daad38ca9ef99226caaa56526c19f708d3edff727e302c47892db
SSDEEP

6144:S2MApbs63Hn2Y594nAqkXJWgPZhZ1L5NGikZF3NjhpH3565Xnnzf0sv4jctw:Zbx4nByJ7PvZ5DwN

Score

9^/10

Malware Config

Signatures

Detects executables packed with SmartAssembly 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3944-0-0x000001CF43370000-0x000001CF433E8000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly

Suspicious use of SetThreadContext 1 IoCs

Processes:

RFQ_4183321000004562E20000.exe

description pid process target process

PID 3944 set thread context of 676 3944 RFQ_4183321000004562E20000.exe InstallUtil.exe

description	pid	process	target process
PID 3944 set thread context of 676	3944	RFQ_4183321000004562E20000.exe	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

RFQ_4183321000004562E20000.exe

pid	process
3944	RFQ_4183321000004562E20000.exe
3944	RFQ_4183321000004562E20000.exe
3944	RFQ_4183321000004562E20000.exe
3944	RFQ_4183321000004562E20000.exe
3944	RFQ_4183321000004562E20000.exe
3944	RFQ_4183321000004562E20000.exe
3944	RFQ_4183321000004562E20000.exe
3944	RFQ_4183321000004562E20000.exe
3944	RFQ_4183321000004562E20000.exe
3944	RFQ_4183321000004562E20000.exe
3944	RFQ_4183321000004562E20000.exe
3944	RFQ_4183321000004562E20000.exe
3944	RFQ_4183321000004562E20000.exe
3944	RFQ_4183321000004562E20000.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

RFQ_4183321000004562E20000.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	3944	RFQ_4183321000004562E20000.exe
Token: SeDebugPrivilege	3944	RFQ_4183321000004562E20000.exe
Token: SeDebugPrivilege	676	InstallUtil.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

RFQ_4183321000004562E20000.exe

description	pid	process	target process
PID 3944 wrote to memory of 3040	3944	RFQ_4183321000004562E20000.exe	InstallUtil.exe
PID 3944 wrote to memory of 3040	3944	RFQ_4183321000004562E20000.exe	InstallUtil.exe
PID 3944 wrote to memory of 312	3944	RFQ_4183321000004562E20000.exe	InstallUtil.exe
PID 3944 wrote to memory of 312	3944	RFQ_4183321000004562E20000.exe	InstallUtil.exe
PID 3944 wrote to memory of 3740	3944	RFQ_4183321000004562E20000.exe	InstallUtil.exe
PID 3944 wrote to memory of 3740	3944	RFQ_4183321000004562E20000.exe	InstallUtil.exe
PID 3944 wrote to memory of 5040	3944	RFQ_4183321000004562E20000.exe	InstallUtil.exe
PID 3944 wrote to memory of 5040	3944	RFQ_4183321000004562E20000.exe	InstallUtil.exe
PID 3944 wrote to memory of 2488	3944	RFQ_4183321000004562E20000.exe	InstallUtil.exe
PID 3944 wrote to memory of 2488	3944	RFQ_4183321000004562E20000.exe	InstallUtil.exe
PID 3944 wrote to memory of 1368	3944	RFQ_4183321000004562E20000.exe	InstallUtil.exe
PID 3944 wrote to memory of 1368	3944	RFQ_4183321000004562E20000.exe	InstallUtil.exe
PID 3944 wrote to memory of 3176	3944	RFQ_4183321000004562E20000.exe	InstallUtil.exe
PID 3944 wrote to memory of 3176	3944	RFQ_4183321000004562E20000.exe	InstallUtil.exe
PID 3944 wrote to memory of 676	3944	RFQ_4183321000004562E20000.exe	InstallUtil.exe
PID 3944 wrote to memory of 676	3944	RFQ_4183321000004562E20000.exe	InstallUtil.exe
PID 3944 wrote to memory of 676	3944	RFQ_4183321000004562E20000.exe	InstallUtil.exe
PID 3944 wrote to memory of 676	3944	RFQ_4183321000004562E20000.exe	InstallUtil.exe
PID 3944 wrote to memory of 676	3944	RFQ_4183321000004562E20000.exe	InstallUtil.exe
PID 3944 wrote to memory of 676	3944	RFQ_4183321000004562E20000.exe	InstallUtil.exe
PID 3944 wrote to memory of 676	3944	RFQ_4183321000004562E20000.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\RFQ_4183321000004562E20000.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ_4183321000004562E20000.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3944

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
2⤵
PID:3040

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
2⤵
PID:312

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
2⤵
PID:3740

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
2⤵
PID:5040

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
2⤵
PID:2488

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
2⤵
PID:1368

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
2⤵
PID:3176

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:676

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/676-4903-0x0000022AF1500000-0x0000022AF1616000-memory.dmp

Filesize
1.1MB

Download
memory/676-4904-0x00007FFE2FA00000-0x00007FFE304C1000-memory.dmp

Filesize
10.8MB

Download
memory/676-4905-0x00007FFE2FA00000-0x00007FFE304C1000-memory.dmp

Filesize
10.8MB

Download
memory/676-7208-0x0000022AF1610000-0x0000022AF16AE000-memory.dmp

Filesize
632KB

Download
memory/676-7209-0x00007FFE2FA00000-0x00007FFE304C1000-memory.dmp

Filesize
10.8MB

Download
memory/3944-31-0x000001CF5DC40000-0x000001CF5DF25000-memory.dmp

Filesize
2.9MB

Download
memory/3944-4897-0x000001CF45130000-0x000001CF45184000-memory.dmp

Filesize
336KB

Download
memory/3944-2-0x00007FFE2FA00000-0x00007FFE304C1000-memory.dmp

Filesize
10.8MB

Download
memory/3944-3-0x00007FFE2FA03000-0x00007FFE2FA05000-memory.dmp

Filesize
8KB

Download
memory/3944-4-0x00007FFE2FA00000-0x00007FFE304C1000-memory.dmp

Filesize
10.8MB

Download
memory/3944-5-0x000001CF5DC40000-0x000001CF5DF2A000-memory.dmp

Filesize
2.9MB

Download
memory/3944-11-0x000001CF5DC40000-0x000001CF5DF25000-memory.dmp

Filesize
2.9MB

Download
memory/3944-13-0x000001CF5DC40000-0x000001CF5DF25000-memory.dmp

Filesize
2.9MB

Download
memory/3944-21-0x000001CF5DC40000-0x000001CF5DF25000-memory.dmp

Filesize
2.9MB

Download
memory/3944-27-0x000001CF5DC40000-0x000001CF5DF25000-memory.dmp

Filesize
2.9MB

Download
memory/3944-29-0x000001CF5DC40000-0x000001CF5DF25000-memory.dmp

Filesize
2.9MB

Download
memory/3944-25-0x000001CF5DC40000-0x000001CF5DF25000-memory.dmp

Filesize
2.9MB

Download
memory/3944-23-0x000001CF5DC40000-0x000001CF5DF25000-memory.dmp

Filesize
2.9MB

Download
memory/3944-19-0x000001CF5DC40000-0x000001CF5DF25000-memory.dmp

Filesize
2.9MB

Download
memory/3944-17-0x000001CF5DC40000-0x000001CF5DF25000-memory.dmp

Filesize
2.9MB

Download
memory/3944-15-0x000001CF5DC40000-0x000001CF5DF25000-memory.dmp

Filesize
2.9MB

Download
memory/3944-41-0x000001CF5DC40000-0x000001CF5DF25000-memory.dmp

Filesize
2.9MB

Download
memory/3944-7-0x000001CF5DC40000-0x000001CF5DF25000-memory.dmp

Filesize
2.9MB

Download
memory/3944-6-0x000001CF5DC40000-0x000001CF5DF25000-memory.dmp

Filesize
2.9MB

Download
memory/3944-0-0x000001CF43370000-0x000001CF433E8000-memory.dmp

Filesize
480KB

Download
memory/3944-37-0x000001CF5DC40000-0x000001CF5DF25000-memory.dmp

Filesize
2.9MB

Download
memory/3944-43-0x000001CF5DC40000-0x000001CF5DF25000-memory.dmp

Filesize
2.9MB

Download
memory/3944-67-0x000001CF5DC40000-0x000001CF5DF25000-memory.dmp

Filesize
2.9MB

Download
memory/3944-1-0x00007FFE2FA03000-0x00007FFE2FA05000-memory.dmp

Filesize
8KB

Download
memory/3944-9-0x000001CF5DC40000-0x000001CF5DF25000-memory.dmp

Filesize
2.9MB

Download
memory/3944-65-0x000001CF5DC40000-0x000001CF5DF25000-memory.dmp

Filesize
2.9MB

Download
memory/3944-63-0x000001CF5DC40000-0x000001CF5DF25000-memory.dmp

Filesize
2.9MB

Download
memory/3944-59-0x000001CF5DC40000-0x000001CF5DF25000-memory.dmp

Filesize
2.9MB

Download
memory/3944-57-0x000001CF5DC40000-0x000001CF5DF25000-memory.dmp

Filesize
2.9MB

Download
memory/3944-55-0x000001CF5DC40000-0x000001CF5DF25000-memory.dmp

Filesize
2.9MB

Download
memory/3944-53-0x000001CF5DC40000-0x000001CF5DF25000-memory.dmp

Filesize
2.9MB

Download
memory/3944-51-0x000001CF5DC40000-0x000001CF5DF25000-memory.dmp

Filesize
2.9MB

Download
memory/3944-49-0x000001CF5DC40000-0x000001CF5DF25000-memory.dmp

Filesize
2.9MB

Download
memory/3944-47-0x000001CF5DC40000-0x000001CF5DF25000-memory.dmp

Filesize
2.9MB

Download
memory/3944-45-0x000001CF5DC40000-0x000001CF5DF25000-memory.dmp

Filesize
2.9MB

Download
memory/3944-39-0x000001CF5DC40000-0x000001CF5DF25000-memory.dmp

Filesize
2.9MB

Download
memory/3944-35-0x000001CF5DC40000-0x000001CF5DF25000-memory.dmp

Filesize
2.9MB

Download
memory/3944-33-0x000001CF5DC40000-0x000001CF5DF25000-memory.dmp

Filesize
2.9MB

Download
memory/3944-69-0x000001CF5DC40000-0x000001CF5DF25000-memory.dmp

Filesize
2.9MB

Download
memory/3944-4892-0x00007FFE2FA00000-0x00007FFE304C1000-memory.dmp

Filesize
10.8MB

Download
memory/3944-4893-0x000001CF43860000-0x000001CF43866000-memory.dmp

Filesize
24KB

Download
memory/3944-4894-0x000001CF5DF30000-0x000001CF5E058000-memory.dmp

Filesize
1.2MB

Download
memory/3944-4895-0x000001CF45090000-0x000001CF450DC000-memory.dmp

Filesize
304KB

Download
memory/3944-4896-0x00007FFE2FA00000-0x00007FFE304C1000-memory.dmp

Filesize
10.8MB

Download
memory/3944-61-0x000001CF5DC40000-0x000001CF5DF25000-memory.dmp

Filesize
2.9MB

Download
memory/3944-4902-0x00007FFE2FA00000-0x00007FFE304C1000-memory.dmp

Filesize
10.8MB

Download