32ea3e184f2828e89b9303e331ab16fa912033c678b68d583c0b0e8d4d970eb8

Analysis

max time kernel
134s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 14:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RFQ_4183321000004562E20000.exe
Size

150.0MB
MD5

379450e55ebb28dfdab7e41b314325c4
SHA1

cdf9ff655925aa8fbd8b8f98285374ae1c122971
SHA256

bf6597b26b2649f2850ba9daa3ee4fbd2d46cbb3ded37cb659137eb5f37893b8
SHA512

dc5bf8483462a638d004240856d65d53b0b79779e6a9b1d05266c06ae1969f422b32a9b73f8daad38ca9ef99226caaa56526c19f708d3edff727e302c47892db
SSDEEP

6144:S2MApbs63Hn2Y594nAqkXJWgPZhZ1L5NGikZF3NjhpH3565Xnnzf0sv4jctw:Zbx4nByJ7PvZ5DwN

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1372 set thread context of 1876	1372	RFQ_4183321000004562E20000.exe	107

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1372	RFQ_4183321000004562E20000.exe
1372	RFQ_4183321000004562E20000.exe
1372	RFQ_4183321000004562E20000.exe
1372	RFQ_4183321000004562E20000.exe
1372	RFQ_4183321000004562E20000.exe
1372	RFQ_4183321000004562E20000.exe
1372	RFQ_4183321000004562E20000.exe
1372	RFQ_4183321000004562E20000.exe
1372	RFQ_4183321000004562E20000.exe
1372	RFQ_4183321000004562E20000.exe
1372	RFQ_4183321000004562E20000.exe
1372	RFQ_4183321000004562E20000.exe
1372	RFQ_4183321000004562E20000.exe
1372	RFQ_4183321000004562E20000.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1372	RFQ_4183321000004562E20000.exe
Token: SeDebugPrivilege	1372	RFQ_4183321000004562E20000.exe
Token: SeDebugPrivilege	1876	InstallUtil.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 1976	1372	RFQ_4183321000004562E20000.exe	100
PID 1372 wrote to memory of 1976	1372	RFQ_4183321000004562E20000.exe	100
PID 1372 wrote to memory of 3352	1372	RFQ_4183321000004562E20000.exe	101
PID 1372 wrote to memory of 3352	1372	RFQ_4183321000004562E20000.exe	101
PID 1372 wrote to memory of 4496	1372	RFQ_4183321000004562E20000.exe	102
PID 1372 wrote to memory of 4496	1372	RFQ_4183321000004562E20000.exe	102
PID 1372 wrote to memory of 1040	1372	RFQ_4183321000004562E20000.exe	103
PID 1372 wrote to memory of 1040	1372	RFQ_4183321000004562E20000.exe	103
PID 1372 wrote to memory of 3856	1372	RFQ_4183321000004562E20000.exe	104
PID 1372 wrote to memory of 3856	1372	RFQ_4183321000004562E20000.exe	104
PID 1372 wrote to memory of 2868	1372	RFQ_4183321000004562E20000.exe	105
PID 1372 wrote to memory of 2868	1372	RFQ_4183321000004562E20000.exe	105
PID 1372 wrote to memory of 4476	1372	RFQ_4183321000004562E20000.exe	106
PID 1372 wrote to memory of 4476	1372	RFQ_4183321000004562E20000.exe	106
PID 1372 wrote to memory of 1876	1372	RFQ_4183321000004562E20000.exe	107
PID 1372 wrote to memory of 1876	1372	RFQ_4183321000004562E20000.exe	107
PID 1372 wrote to memory of 1876	1372	RFQ_4183321000004562E20000.exe	107
PID 1372 wrote to memory of 1876	1372	RFQ_4183321000004562E20000.exe	107
PID 1372 wrote to memory of 1876	1372	RFQ_4183321000004562E20000.exe	107
PID 1372 wrote to memory of 1876	1372	RFQ_4183321000004562E20000.exe	107
PID 1372 wrote to memory of 1876	1372	RFQ_4183321000004562E20000.exe	107

C:\Users\Admin\AppData\Local\Temp\RFQ_4183321000004562E20000.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ_4183321000004562E20000.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:1976
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:3352
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:4496
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:1040
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:3856
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:2868
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:4476
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1876

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1372-1-0x000001237BA10000-0x000001237BA88000-memory.dmp

Filesize
480KB

Download
memory/1372-0-0x00007FF840F13000-0x00007FF840F15000-memory.dmp

Filesize
8KB

Download
memory/1372-2-0x00007FF840F10000-0x00007FF8419D1000-memory.dmp

Filesize
10.8MB

Download
memory/1372-3-0x00007FF840F13000-0x00007FF840F15000-memory.dmp

Filesize
8KB

Download
memory/1372-4-0x00007FF840F10000-0x00007FF8419D1000-memory.dmp

Filesize
10.8MB

Download
memory/1372-5-0x000001231A330000-0x000001231A61A000-memory.dmp

Filesize
2.9MB

Download
memory/1372-6-0x000001231A330000-0x000001231A615000-memory.dmp

Filesize
2.9MB

Download
memory/1372-17-0x000001231A330000-0x000001231A615000-memory.dmp

Filesize
2.9MB

Download
memory/1372-29-0x000001231A330000-0x000001231A615000-memory.dmp

Filesize
2.9MB

Download
memory/1372-35-0x000001231A330000-0x000001231A615000-memory.dmp

Filesize
2.9MB

Download
memory/1372-37-0x000001231A330000-0x000001231A615000-memory.dmp

Filesize
2.9MB

Download
memory/1372-33-0x000001231A330000-0x000001231A615000-memory.dmp

Filesize
2.9MB

Download
memory/1372-31-0x000001231A330000-0x000001231A615000-memory.dmp

Filesize
2.9MB

Download
memory/1372-27-0x000001231A330000-0x000001231A615000-memory.dmp

Filesize
2.9MB

Download
memory/1372-25-0x000001231A330000-0x000001231A615000-memory.dmp

Filesize
2.9MB

Download
memory/1372-23-0x000001231A330000-0x000001231A615000-memory.dmp

Filesize
2.9MB

Download
memory/1372-21-0x000001231A330000-0x000001231A615000-memory.dmp

Filesize
2.9MB

Download
memory/1372-19-0x000001231A330000-0x000001231A615000-memory.dmp

Filesize
2.9MB

Download
memory/1372-15-0x000001231A330000-0x000001231A615000-memory.dmp

Filesize
2.9MB

Download
memory/1372-13-0x000001231A330000-0x000001231A615000-memory.dmp

Filesize
2.9MB

Download
memory/1372-11-0x000001231A330000-0x000001231A615000-memory.dmp

Filesize
2.9MB

Download
memory/1372-9-0x000001231A330000-0x000001231A615000-memory.dmp

Filesize
2.9MB

Download
memory/1372-7-0x000001231A330000-0x000001231A615000-memory.dmp

Filesize
2.9MB

Download
memory/1372-43-0x000001231A330000-0x000001231A615000-memory.dmp

Filesize
2.9MB

Download
memory/1372-53-0x000001231A330000-0x000001231A615000-memory.dmp

Filesize
2.9MB

Download
memory/1372-63-0x000001231A330000-0x000001231A615000-memory.dmp

Filesize
2.9MB

Download
memory/1372-61-0x000001231A330000-0x000001231A615000-memory.dmp

Filesize
2.9MB

Download
memory/1372-59-0x000001231A330000-0x000001231A615000-memory.dmp

Filesize
2.9MB

Download
memory/1372-57-0x000001231A330000-0x000001231A615000-memory.dmp

Filesize
2.9MB

Download
memory/1372-51-0x000001231A330000-0x000001231A615000-memory.dmp

Filesize
2.9MB

Download
memory/1372-49-0x000001231A330000-0x000001231A615000-memory.dmp

Filesize
2.9MB

Download
memory/1372-47-0x000001231A330000-0x000001231A615000-memory.dmp

Filesize
2.9MB

Download
memory/1372-45-0x000001231A330000-0x000001231A615000-memory.dmp

Filesize
2.9MB

Download
memory/1372-41-0x000001231A330000-0x000001231A615000-memory.dmp

Filesize
2.9MB

Download
memory/1372-55-0x000001231A330000-0x000001231A615000-memory.dmp

Filesize
2.9MB

Download
memory/1372-39-0x000001231A330000-0x000001231A615000-memory.dmp

Filesize
2.9MB

Download
memory/1372-67-0x000001231A330000-0x000001231A615000-memory.dmp

Filesize
2.9MB

Download
memory/1372-69-0x000001231A330000-0x000001231A615000-memory.dmp

Filesize
2.9MB

Download
memory/1372-65-0x000001231A330000-0x000001231A615000-memory.dmp

Filesize
2.9MB

Download
memory/1372-4892-0x00007FF840F10000-0x00007FF8419D1000-memory.dmp

Filesize
10.8MB

Download
memory/1372-4893-0x000001231A6B0000-0x000001231A6B6000-memory.dmp

Filesize
24KB

Download
memory/1372-4894-0x000001231A6C0000-0x000001231A7E8000-memory.dmp

Filesize
1.2MB

Download
memory/1372-4895-0x000001231A7F0000-0x000001231A83C000-memory.dmp

Filesize
304KB

Download
memory/1372-4896-0x00007FF840F10000-0x00007FF8419D1000-memory.dmp

Filesize
10.8MB

Download
memory/1372-4897-0x000001231AA40000-0x000001231AA94000-memory.dmp

Filesize
336KB

Download
memory/1372-4903-0x00007FF840F10000-0x00007FF8419D1000-memory.dmp

Filesize
10.8MB

Download
memory/1876-4905-0x00000244B4280000-0x00000244B4396000-memory.dmp

Filesize
1.1MB

Download
memory/1876-4902-0x00007FF840F10000-0x00007FF8419D1000-memory.dmp

Filesize
10.8MB

Download
memory/1876-4904-0x00007FF840F10000-0x00007FF8419D1000-memory.dmp

Filesize
10.8MB

Download
memory/1876-7208-0x000002449BB00000-0x000002449BB9E000-memory.dmp

Filesize
632KB

Download
memory/1876-7209-0x00007FF840F10000-0x00007FF8419D1000-memory.dmp

Filesize
10.8MB

Download