1c51e32f33f1bdc0886e8bcf09dd245a9b236f32e91e203e5e2e714f0e29ec92

Analysis

max time kernel
146s
max time network
149s
platform
windows10-1703_x64
resource
win10-20240404-uk
resource tags

arch:x64arch:x86image:win10-20240404-uklocale:uk-uaos:windows10-1703-x64systemwindows
submitted
30/05/2024, 04:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RFQ_280001720000451000000.exe
Size

150.0MB
MD5

6345f982b9301b0bfe9d3cd69cd18e7f
SHA1

535127ee80cef8d5e726aaa48a8bd98762c3f03a
SHA256

1c51e32f33f1bdc0886e8bcf09dd245a9b236f32e91e203e5e2e714f0e29ec92
SHA512

06eccf9a37bb305042a88f5c2883fb7123ad81d03fb7b637886d5507febda308df8f6cd15074eb1c24ef06aced540d7bda8166efb986eeb291bafeb0843ffacb
SSDEEP

384:Oi0i9Z2NkIffV1LFnaO8vxK9JtFNthf7yPOjG+Zx5A7ZoG0Pz7:12JHjgO8EJtFNzTy+Xq7t0Pf

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4636 set thread context of 920	4636	RFQ_280001720000451000000.exe	79

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4636	RFQ_280001720000451000000.exe
4636	RFQ_280001720000451000000.exe
4636	RFQ_280001720000451000000.exe
4636	RFQ_280001720000451000000.exe
4636	RFQ_280001720000451000000.exe
4636	RFQ_280001720000451000000.exe
4636	RFQ_280001720000451000000.exe
4636	RFQ_280001720000451000000.exe
4636	RFQ_280001720000451000000.exe
4636	RFQ_280001720000451000000.exe
4636	RFQ_280001720000451000000.exe
4636	RFQ_280001720000451000000.exe
4636	RFQ_280001720000451000000.exe
4636	RFQ_280001720000451000000.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4636	RFQ_280001720000451000000.exe
Token: SeDebugPrivilege	4636	RFQ_280001720000451000000.exe
Token: SeDebugPrivilege	920	MSBuild.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4636 wrote to memory of 2972	4636	RFQ_280001720000451000000.exe	72
PID 4636 wrote to memory of 2972	4636	RFQ_280001720000451000000.exe	72
PID 4636 wrote to memory of 2288	4636	RFQ_280001720000451000000.exe	73
PID 4636 wrote to memory of 2288	4636	RFQ_280001720000451000000.exe	73
PID 4636 wrote to memory of 1580	4636	RFQ_280001720000451000000.exe	74
PID 4636 wrote to memory of 1580	4636	RFQ_280001720000451000000.exe	74
PID 4636 wrote to memory of 656	4636	RFQ_280001720000451000000.exe	75
PID 4636 wrote to memory of 656	4636	RFQ_280001720000451000000.exe	75
PID 4636 wrote to memory of 5088	4636	RFQ_280001720000451000000.exe	76
PID 4636 wrote to memory of 5088	4636	RFQ_280001720000451000000.exe	76
PID 4636 wrote to memory of 4716	4636	RFQ_280001720000451000000.exe	77
PID 4636 wrote to memory of 4716	4636	RFQ_280001720000451000000.exe	77
PID 4636 wrote to memory of 4476	4636	RFQ_280001720000451000000.exe	78
PID 4636 wrote to memory of 4476	4636	RFQ_280001720000451000000.exe	78
PID 4636 wrote to memory of 920	4636	RFQ_280001720000451000000.exe	79
PID 4636 wrote to memory of 920	4636	RFQ_280001720000451000000.exe	79
PID 4636 wrote to memory of 920	4636	RFQ_280001720000451000000.exe	79
PID 4636 wrote to memory of 920	4636	RFQ_280001720000451000000.exe	79
PID 4636 wrote to memory of 920	4636	RFQ_280001720000451000000.exe	79
PID 4636 wrote to memory of 920	4636	RFQ_280001720000451000000.exe	79
PID 4636 wrote to memory of 920	4636	RFQ_280001720000451000000.exe	79

C:\Users\Admin\AppData\Local\Temp\RFQ_280001720000451000000.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ_280001720000451000000.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2972
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2288
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
  2⤵
  PID:1580
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
  2⤵
  PID:656
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
  2⤵
  PID:5088
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
  2⤵
  PID:4716
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
  2⤵
  PID:4476
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:920

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/920-4902-0x00007FFB951A0000-0x00007FFB95B8C000-memory.dmp

Filesize
9.9MB

Download
memory/920-4904-0x00007FFB951A0000-0x00007FFB95B8C000-memory.dmp

Filesize
9.9MB

Download
memory/920-4903-0x00000238EA7D0000-0x00000238EA8E6000-memory.dmp

Filesize
1.1MB

Download
memory/920-7195-0x00000238EA930000-0x00000238EA9CE000-memory.dmp

Filesize
632KB

Download
memory/920-7196-0x00007FFB951A0000-0x00007FFB95B8C000-memory.dmp

Filesize
9.9MB

Download
memory/4636-53-0x0000027F27960000-0x0000027F27C45000-memory.dmp

Filesize
2.9MB

Download
memory/4636-63-0x0000027F27960000-0x0000027F27C45000-memory.dmp

Filesize
2.9MB

Download
memory/4636-2-0x00007FFB951A0000-0x00007FFB95B8C000-memory.dmp

Filesize
9.9MB

Download
memory/4636-3-0x00007FFB951A3000-0x00007FFB951A4000-memory.dmp

Filesize
4KB

Download
memory/4636-4-0x00007FFB951A0000-0x00007FFB95B8C000-memory.dmp

Filesize
9.9MB

Download
memory/4636-5-0x0000027F27960000-0x0000027F27C4C000-memory.dmp

Filesize
2.9MB

Download
memory/4636-6-0x0000027F27960000-0x0000027F27C45000-memory.dmp

Filesize
2.9MB

Download
memory/4636-11-0x0000027F27960000-0x0000027F27C45000-memory.dmp

Filesize
2.9MB

Download
memory/4636-19-0x0000027F27960000-0x0000027F27C45000-memory.dmp

Filesize
2.9MB

Download
memory/4636-39-0x0000027F27960000-0x0000027F27C45000-memory.dmp

Filesize
2.9MB

Download
memory/4636-51-0x0000027F27960000-0x0000027F27C45000-memory.dmp

Filesize
2.9MB

Download
memory/4636-57-0x0000027F27960000-0x0000027F27C45000-memory.dmp

Filesize
2.9MB

Download
memory/4636-69-0x0000027F27960000-0x0000027F27C45000-memory.dmp

Filesize
2.9MB

Download
memory/4636-43-0x0000027F27960000-0x0000027F27C45000-memory.dmp

Filesize
2.9MB

Download
memory/4636-65-0x0000027F27960000-0x0000027F27C45000-memory.dmp

Filesize
2.9MB

Download
memory/4636-41-0x0000027F27960000-0x0000027F27C45000-memory.dmp

Filesize
2.9MB

Download
memory/4636-61-0x0000027F27960000-0x0000027F27C45000-memory.dmp

Filesize
2.9MB

Download
memory/4636-59-0x0000027F27960000-0x0000027F27C45000-memory.dmp

Filesize
2.9MB

Download
memory/4636-55-0x0000027F27960000-0x0000027F27C45000-memory.dmp

Filesize
2.9MB

Download
memory/4636-1-0x00007FFB951A3000-0x00007FFB951A4000-memory.dmp

Filesize
4KB

Download
memory/4636-49-0x0000027F27960000-0x0000027F27C45000-memory.dmp

Filesize
2.9MB

Download
memory/4636-47-0x0000027F27960000-0x0000027F27C45000-memory.dmp

Filesize
2.9MB

Download
memory/4636-0-0x0000027F0D2F0000-0x0000027F0D306000-memory.dmp

Filesize
88KB

Download
memory/4636-45-0x0000027F27960000-0x0000027F27C45000-memory.dmp

Filesize
2.9MB

Download
memory/4636-68-0x0000027F27960000-0x0000027F27C45000-memory.dmp

Filesize
2.9MB

Download
memory/4636-37-0x0000027F27960000-0x0000027F27C45000-memory.dmp

Filesize
2.9MB

Download
memory/4636-35-0x0000027F27960000-0x0000027F27C45000-memory.dmp

Filesize
2.9MB

Download
memory/4636-33-0x0000027F27960000-0x0000027F27C45000-memory.dmp

Filesize
2.9MB

Download
memory/4636-31-0x0000027F27960000-0x0000027F27C45000-memory.dmp

Filesize
2.9MB

Download
memory/4636-29-0x0000027F27960000-0x0000027F27C45000-memory.dmp

Filesize
2.9MB

Download
memory/4636-27-0x0000027F27960000-0x0000027F27C45000-memory.dmp

Filesize
2.9MB

Download
memory/4636-25-0x0000027F27960000-0x0000027F27C45000-memory.dmp

Filesize
2.9MB

Download
memory/4636-23-0x0000027F27960000-0x0000027F27C45000-memory.dmp

Filesize
2.9MB

Download
memory/4636-21-0x0000027F27960000-0x0000027F27C45000-memory.dmp

Filesize
2.9MB

Download
memory/4636-17-0x0000027F27960000-0x0000027F27C45000-memory.dmp

Filesize
2.9MB

Download
memory/4636-13-0x0000027F27960000-0x0000027F27C45000-memory.dmp

Filesize
2.9MB

Download
memory/4636-9-0x0000027F27960000-0x0000027F27C45000-memory.dmp

Filesize
2.9MB

Download
memory/4636-7-0x0000027F27960000-0x0000027F27C45000-memory.dmp

Filesize
2.9MB

Download
memory/4636-15-0x0000027F27960000-0x0000027F27C45000-memory.dmp

Filesize
2.9MB

Download
memory/4636-4892-0x00007FFB951A0000-0x00007FFB95B8C000-memory.dmp

Filesize
9.9MB

Download
memory/4636-4893-0x0000027F27CC0000-0x0000027F27DE8000-memory.dmp

Filesize
1.2MB

Download
memory/4636-4894-0x0000027F27DF0000-0x0000027F27E3C000-memory.dmp

Filesize
304KB

Download
memory/4636-4895-0x00007FFB951A0000-0x00007FFB95B8C000-memory.dmp

Filesize
9.9MB

Download
memory/4636-4896-0x0000027F27E40000-0x0000027F27E94000-memory.dmp

Filesize
336KB

Download
memory/4636-4901-0x00007FFB951A0000-0x00007FFB95B8C000-memory.dmp

Filesize
9.9MB

Download