1c51e32f33f1bdc0886e8bcf09dd245a9b236f32e91e203e5e2e714f0e29ec92

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-uk
resource tags

arch:x64arch:x86image:win10v2004-20240508-uklocale:uk-uaos:windows10-2004-x64systemwindows
submitted
30/05/2024, 04:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RFQ_280001720000451000000.exe
Size

150.0MB
MD5

6345f982b9301b0bfe9d3cd69cd18e7f
SHA1

535127ee80cef8d5e726aaa48a8bd98762c3f03a
SHA256

1c51e32f33f1bdc0886e8bcf09dd245a9b236f32e91e203e5e2e714f0e29ec92
SHA512

06eccf9a37bb305042a88f5c2883fb7123ad81d03fb7b637886d5507febda308df8f6cd15074eb1c24ef06aced540d7bda8166efb986eeb291bafeb0843ffacb
SSDEEP

384:Oi0i9Z2NkIffV1LFnaO8vxK9JtFNthf7yPOjG+Zx5A7ZoG0Pz7:12JHjgO8EJtFNzTy+Xq7t0Pf

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4780 set thread context of 4796	4780	RFQ_280001720000451000000.exe	105

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4780	RFQ_280001720000451000000.exe
4780	RFQ_280001720000451000000.exe
4780	RFQ_280001720000451000000.exe
4780	RFQ_280001720000451000000.exe
4780	RFQ_280001720000451000000.exe
4780	RFQ_280001720000451000000.exe
4780	RFQ_280001720000451000000.exe
4780	RFQ_280001720000451000000.exe
4780	RFQ_280001720000451000000.exe
4780	RFQ_280001720000451000000.exe
4780	RFQ_280001720000451000000.exe
4780	RFQ_280001720000451000000.exe
4780	RFQ_280001720000451000000.exe
4780	RFQ_280001720000451000000.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4780	RFQ_280001720000451000000.exe
Token: SeDebugPrivilege	4780	RFQ_280001720000451000000.exe
Token: SeDebugPrivilege	4796	MSBuild.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4780 wrote to memory of 2276	4780	RFQ_280001720000451000000.exe	98
PID 4780 wrote to memory of 2276	4780	RFQ_280001720000451000000.exe	98
PID 4780 wrote to memory of 1480	4780	RFQ_280001720000451000000.exe	99
PID 4780 wrote to memory of 1480	4780	RFQ_280001720000451000000.exe	99
PID 4780 wrote to memory of 1936	4780	RFQ_280001720000451000000.exe	100
PID 4780 wrote to memory of 1936	4780	RFQ_280001720000451000000.exe	100
PID 4780 wrote to memory of 2576	4780	RFQ_280001720000451000000.exe	101
PID 4780 wrote to memory of 2576	4780	RFQ_280001720000451000000.exe	101
PID 4780 wrote to memory of 1448	4780	RFQ_280001720000451000000.exe	102
PID 4780 wrote to memory of 1448	4780	RFQ_280001720000451000000.exe	102
PID 4780 wrote to memory of 64	4780	RFQ_280001720000451000000.exe	103
PID 4780 wrote to memory of 64	4780	RFQ_280001720000451000000.exe	103
PID 4780 wrote to memory of 2364	4780	RFQ_280001720000451000000.exe	104
PID 4780 wrote to memory of 2364	4780	RFQ_280001720000451000000.exe	104
PID 4780 wrote to memory of 4796	4780	RFQ_280001720000451000000.exe	105
PID 4780 wrote to memory of 4796	4780	RFQ_280001720000451000000.exe	105
PID 4780 wrote to memory of 4796	4780	RFQ_280001720000451000000.exe	105
PID 4780 wrote to memory of 4796	4780	RFQ_280001720000451000000.exe	105
PID 4780 wrote to memory of 4796	4780	RFQ_280001720000451000000.exe	105
PID 4780 wrote to memory of 4796	4780	RFQ_280001720000451000000.exe	105
PID 4780 wrote to memory of 4796	4780	RFQ_280001720000451000000.exe	105

C:\Users\Admin\AppData\Local\Temp\RFQ_280001720000451000000.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ_280001720000451000000.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2276
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
  2⤵
  PID:1480
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
  2⤵
  PID:1936
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2576
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
  2⤵
  PID:1448
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
  2⤵
  PID:64
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2364
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4796

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4780-1-0x00007FFB51FE3000-0x00007FFB51FE5000-memory.dmp

Filesize
8KB

Download
memory/4780-0-0x00000263C8A90000-0x00000263C8AA6000-memory.dmp

Filesize
88KB

Download
memory/4780-2-0x00007FFB51FE0000-0x00007FFB52AA1000-memory.dmp

Filesize
10.8MB

Download
memory/4780-3-0x00000263E31F0000-0x00000263E34DC000-memory.dmp

Filesize
2.9MB

Download
memory/4780-5-0x00000263E31F0000-0x00000263E34D5000-memory.dmp

Filesize
2.9MB

Download
memory/4780-9-0x00000263E31F0000-0x00000263E34D5000-memory.dmp

Filesize
2.9MB

Download
memory/4780-27-0x00000263E31F0000-0x00000263E34D5000-memory.dmp

Filesize
2.9MB

Download
memory/4780-33-0x00000263E31F0000-0x00000263E34D5000-memory.dmp

Filesize
2.9MB

Download
memory/4780-49-0x00000263E31F0000-0x00000263E34D5000-memory.dmp

Filesize
2.9MB

Download
memory/4780-47-0x00000263E31F0000-0x00000263E34D5000-memory.dmp

Filesize
2.9MB

Download
memory/4780-45-0x00000263E31F0000-0x00000263E34D5000-memory.dmp

Filesize
2.9MB

Download
memory/4780-43-0x00000263E31F0000-0x00000263E34D5000-memory.dmp

Filesize
2.9MB

Download
memory/4780-41-0x00000263E31F0000-0x00000263E34D5000-memory.dmp

Filesize
2.9MB

Download
memory/4780-39-0x00000263E31F0000-0x00000263E34D5000-memory.dmp

Filesize
2.9MB

Download
memory/4780-37-0x00000263E31F0000-0x00000263E34D5000-memory.dmp

Filesize
2.9MB

Download
memory/4780-35-0x00000263E31F0000-0x00000263E34D5000-memory.dmp

Filesize
2.9MB

Download
memory/4780-31-0x00000263E31F0000-0x00000263E34D5000-memory.dmp

Filesize
2.9MB

Download
memory/4780-29-0x00000263E31F0000-0x00000263E34D5000-memory.dmp

Filesize
2.9MB

Download
memory/4780-25-0x00000263E31F0000-0x00000263E34D5000-memory.dmp

Filesize
2.9MB

Download
memory/4780-23-0x00000263E31F0000-0x00000263E34D5000-memory.dmp

Filesize
2.9MB

Download
memory/4780-21-0x00000263E31F0000-0x00000263E34D5000-memory.dmp

Filesize
2.9MB

Download
memory/4780-19-0x00000263E31F0000-0x00000263E34D5000-memory.dmp

Filesize
2.9MB

Download
memory/4780-17-0x00000263E31F0000-0x00000263E34D5000-memory.dmp

Filesize
2.9MB

Download
memory/4780-15-0x00000263E31F0000-0x00000263E34D5000-memory.dmp

Filesize
2.9MB

Download
memory/4780-13-0x00000263E31F0000-0x00000263E34D5000-memory.dmp

Filesize
2.9MB

Download
memory/4780-11-0x00000263E31F0000-0x00000263E34D5000-memory.dmp

Filesize
2.9MB

Download
memory/4780-7-0x00000263E31F0000-0x00000263E34D5000-memory.dmp

Filesize
2.9MB

Download
memory/4780-4-0x00000263E31F0000-0x00000263E34D5000-memory.dmp

Filesize
2.9MB

Download
memory/4780-51-0x00000263E31F0000-0x00000263E34D5000-memory.dmp

Filesize
2.9MB

Download
memory/4780-56-0x00000263E31F0000-0x00000263E34D5000-memory.dmp

Filesize
2.9MB

Download
memory/4780-67-0x00000263E31F0000-0x00000263E34D5000-memory.dmp

Filesize
2.9MB

Download
memory/4780-65-0x00000263E31F0000-0x00000263E34D5000-memory.dmp

Filesize
2.9MB

Download
memory/4780-61-0x00000263E31F0000-0x00000263E34D5000-memory.dmp

Filesize
2.9MB

Download
memory/4780-59-0x00000263E31F0000-0x00000263E34D5000-memory.dmp

Filesize
2.9MB

Download
memory/4780-57-0x00000263E31F0000-0x00000263E34D5000-memory.dmp

Filesize
2.9MB

Download
memory/4780-53-0x00000263E31F0000-0x00000263E34D5000-memory.dmp

Filesize
2.9MB

Download
memory/4780-63-0x00000263E31F0000-0x00000263E34D5000-memory.dmp

Filesize
2.9MB

Download
memory/4780-4890-0x00007FFB51FE3000-0x00007FFB51FE5000-memory.dmp

Filesize
8KB

Download
memory/4780-4891-0x00007FFB51FE0000-0x00007FFB52AA1000-memory.dmp

Filesize
10.8MB

Download
memory/4780-4892-0x00007FFB51FE0000-0x00007FFB52AA1000-memory.dmp

Filesize
10.8MB

Download
memory/4780-4893-0x00000263E3550000-0x00000263E3678000-memory.dmp

Filesize
1.2MB

Download
memory/4780-4894-0x00000263E2F40000-0x00000263E2F8C000-memory.dmp

Filesize
304KB

Download
memory/4780-4895-0x00007FFB51FE0000-0x00007FFB52AA1000-memory.dmp

Filesize
10.8MB

Download
memory/4780-4896-0x00000263E3680000-0x00000263E36D4000-memory.dmp

Filesize
336KB

Download
memory/4780-4901-0x00007FFB51FE0000-0x00007FFB52AA1000-memory.dmp

Filesize
10.8MB

Download
memory/4796-4902-0x00007FFB51FE0000-0x00007FFB52AA1000-memory.dmp

Filesize
10.8MB

Download
memory/4796-4903-0x00000210C7410000-0x00000210C7526000-memory.dmp

Filesize
1.1MB

Download
memory/4796-4904-0x00007FFB51FE0000-0x00007FFB52AA1000-memory.dmp

Filesize
10.8MB

Download
memory/4796-7195-0x00000210C7680000-0x00000210C771E000-memory.dmp

Filesize
632KB

Download
memory/4796-7196-0x00007FFB51FE0000-0x00007FFB52AA1000-memory.dmp

Filesize
10.8MB

Download