Analysis
max time kernel: 51s
max time network: 51s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 15:47
Static task: static1
Behavioral task: behavioral1 (sample RFQ_DOC13062024.exe, resource win7-20240419-en)
Behavioral task: behavioral2 (sample RFQ_DOC13062024.exe, resource win10v2004-20240508-en; the run shown on this page, per the platform and resource fields above)
General
Target: RFQ_DOC13062024.exe
Size: 990KB
MD5: 54e257b56a256a2f1b062d2cebda6b2d
SHA1: 4c4d8ddc6afce07f623b256fb21638cbdbd16144
SHA256: 4e984c829df56d7ec108cc19f3015e3c39ab0b0fdc9f11eaeeecb91d525db545
SHA512: 6f8e30f1b11fee49461691fd1d74de2dfe1c6f64c369d59632cb9e862ba3c3d0abab329e3134f5adcc066ee26f00f96ce303e1f5cdc318969698a7ce99261fce
SSDEEP: 24576:/4ezTAAfvu9z/4Jy7WjTfmzKnsWhegcKyJI:/4WAAfIgNjT+KnsWhegcXG
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell with the display window hidden (-windowstyle hidden; see PID 3116 in the process tree below).
- Drops file in System32 directory (1 IoC)
  Description | IoC | Process
  File opened for modification | C:\Windows\SysWOW64\driftschefernes.ini | RFQ_DOC13062024.exe
- Drops file in Program Files directory (2 IoCs)
  Description | IoC | Process
  File created | C:\Program Files (x86)\Common Files\twig\Monetising.lnk | RFQ_DOC13062024.exe
  File opened for modification | C:\Program Files (x86)\inspiredly.snu | RFQ_DOC13062024.exe
- Drops file in Windows directory (1 IoC)
  Description | IoC | Process
  File opened for modification | C:\Windows\Fonts\undispersing\frelserens.ini | RFQ_DOC13062024.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  PID | Target PID | Process | Target process
  1432 | 3116 | WerFault.exe | powershell.exe
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  PID | Process
  3116 | powershell.exe (9 occurrences)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Description | PID | Process
  Token: SeDebugPrivilege | 3116 | powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Description | PID | Process | Target process
  PID 4308 wrote to memory of 3116 | 4308 | RFQ_DOC13062024.exe | powershell.exe (3 occurrences)
  PID 3116 wrote to memory of 1008 | 3116 | powershell.exe | cmd.exe (3 occurrences)
  Caveat: each of these write sets is from a parent into a child it has just created, in the same order as the process tree below. That pattern is consistent with ordinary process creation (the parent writing the new process's startup data) rather than injection into an unrelated process, so this signature carries little weight on its own here; the PowerShell command line is the stronger indicator.
Processes
1. C:\Users\Admin\AppData\Local\Temp\RFQ_DOC13062024.exe (PID 4308)
   Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ_DOC13062024.exe"
   - Drops file in System32 directory
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3116, child of 4308)
      Command line: "powershell.exe" -windowstyle hidden "$Nondenunciation=Get-Content 'C:\Users\Admin\AppData\Local\skuespillerevnernes\Kilders219\Personalhistoriker\millionren.Non';$Tabinet=$Nondenunciation.SubString(50736,3);.$Tabinet($Nondenunciation)"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe (PID 1008, child of 3116)
         Command line: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
      3. C:\Windows\SysWOW64\WerFault.exe (PID 1432, child of 3116)
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 2116
         - Program crash
1. C:\Windows\SysWOW64\WerFault.exe (PID 112)
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 3116 -ip 3116

Reading the tree:
- Every process runs from C:\Windows\SysWOW64, i.e. the chain is 32-bit on this x64 image, matching the arch:x86 resource tag.
- The PowerShell stage is a two-step loader: Get-Content reads the dropped millionren.Non file (49KB, listed under Downloads) into $Nondenunciation; SubString(50736,3) takes three characters from near the end of that file (valid only if the file is at least 50739 characters long, which fits the reported size for single-byte text) and stores them in $Tabinet; the call operator `.$Tabinet(...)` then invokes whatever command those three characters name, passing the entire file content as its argument. The three characters themselves are not shown on this page, so the command that actually ran is not recoverable from the report; the file hash under Downloads is what to pivot on.
- `set /A 1^^0` is a no-op: cmd.exe unescapes `^^` to `^`, and `set /A 1^0` evaluates 1 XOR 0. The child produces nothing of consequence.
- PowerShell (3116) then crashed and was handled by WerFault.exe (1432 and 112), so the stage after the dropped file's command did not run to completion in this sandbox; the report should not be read as a full detonation.
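The PowerShell command line above and the signatures that fire on it are the part of this report worth turning into tooling. The following is an added triage helper, not code from the report or from the sample: it parses a command line of the `Get-Content ... SubString(offset,len) ... .$cmd($buf)` shape into indicators, replays the SubString step against a constructed stand-in for the dropped file so the mechanism is visible, and flags the parent/child chain from Sysmon-style process events. The stand-in file content, the placeholder command name `iex`, the parent PID 2000 and the benign control event are all made up for the demonstration; the real three characters at offset 50736 are not on the page.

```python
"""Triage helper for the PowerShell loader stage in the process tree above.

Added example (not part of the sandbox report). Only the command line of
PID 3116 and the process/PID values are taken from the report; the file
bytes, the placeholder command name and the extra events are constructed.
"""
import re

# Command line of PID 3116, copied from the report.
REPORT_CMDLINE = (
    '"powershell.exe" -windowstyle hidden "$Nondenunciation=Get-Content '
    "'C:\\Users\\Admin\\AppData\\Local\\skuespillerevnernes\\Kilders219\\"
    "Personalhistoriker\\millionren.Non';"
    '$Tabinet=$Nondenunciation.SubString(50736,3);.$Tabinet($Nondenunciation)"'
)

# $buf=Get-Content '<path>';$cmd=$buf.SubString(<off>,<len>);.$cmd($buf)
# Variable names are matched generically because they are randomised per sample.
_STAGE_RE = re.compile(
    r"\$(?P<buf>\w+)\s*=\s*Get-Content\s+'(?P<path>[^']+)'\s*;\s*"
    r"\$(?P<cmd>\w+)\s*=\s*\$(?P=buf)\.SubString\((?P<off>\d+),\s*(?P<len>\d+)\)\s*;\s*"
    r"\.\$(?P=cmd)\(\$(?P=buf)\)",
    re.IGNORECASE,
)


def parse_stage(cmdline):
    """Return the loader's indicators (path, offset, length, hidden window),
    or None when the command line does not follow this pattern."""
    m = _STAGE_RE.search(cmdline)
    if m is None:
        return None
    return {
        "path": m.group("path"),
        "offset": int(m.group("off")),
        "length": int(m.group("len")),
        "hidden": "-windowstyle hidden" in cmdline.lower(),
    }


def resolve_command(file_bytes, offset, length):
    """Replay $buf.SubString(offset, length): the command name the loader calls.
    SubString indexes characters; for single-byte text that equals the byte
    offset. Raises IndexError when the file is too short, as PowerShell would
    throw ArgumentOutOfRangeException."""
    text = file_bytes.decode("latin-1")
    if offset + length > len(text):
        raise IndexError("offset %d beyond end of %d-char file" % (offset, len(text)))
    return text[offset:offset + length]


def build_stand_in(offset, command="iex", total=50736 + 3 + 400):
    """Constructed stand-in for the dropped .Non file: filler with `command`
    planted at `offset`. The real file's bytes are not on the page; `iex`
    is only a placeholder for 'some three-character command name'."""
    filler = b"A" * offset
    tail = b"B" * (total - offset - len(command))
    return filler + command.encode("ascii") + tail


def flag_loader_chains(events):
    """events: Sysmon-style dicts {pid, ppid, image, cmdline} (constructed).
    Returns one hit per powershell.exe whose command line matches the loader
    pattern, with the image of the process that spawned it."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not e["image"].lower().endswith("powershell.exe"):
            continue
        ind = parse_stage(e["cmdline"])
        if ind is None:
            continue
        parent = by_pid.get(e["ppid"])
        hits.append({"pid": e["pid"], "parent": parent["image"] if parent else None, **ind})
    return hits


# Constructed events mirroring the report's tree (ppid 2000 and the last
# benign-control event are made up).
SAMPLE_EVENTS = [
    {"pid": 4308, "ppid": 2000, "image": r"C:\Users\Admin\AppData\Local\Temp\RFQ_DOC13062024.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\RFQ_DOC13062024.exe"'},
    {"pid": 3116, "ppid": 4308, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": REPORT_CMDLINE},
    {"pid": 1008, "ppid": 3116, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" "/c set /A 1^^0"'},
    {"pid": 5555, "ppid": 2000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Process"},
]

if __name__ == "__main__":
    ind = parse_stage(REPORT_CMDLINE)
    stand_in = build_stand_in(ind["offset"])
    print(ind)
    print("stand-in command at offset:", resolve_command(stand_in, ind["offset"], ind["length"]))
    for hit in flag_loader_chains(SAMPLE_EVENTS):
        print("loader chain:", hit["parent"], "->", hit["pid"], hit["path"])
```

Pointing `resolve_command` at the real millionren.Non (hash listed under Downloads) is the first check to run if the file can be obtained; if the three characters are not a valid command name the stage would throw, which is one plausible reason the WerFault entries appear in this tree, though the report does not say what the crash was.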
Network
MITRE ATT&CK Enterprise v15
Downloads

Dropped files
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qr23wbxs.2ja.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
  Note: PowerShell writes a __PSScriptPolicyTest_<random>.ps1 probe to %TEMP% at startup to test whether AppLocker/WDAC script enforcement applies; it is a host artifact of launching powershell.exe, not a payload, and its hash is not a useful indicator.
- C:\Users\Admin\AppData\Local\skuespillerevnernes\Kilders219\Personalhistoriker\millionren.Non
  Filesize: 49KB
  MD5: 80157482bbee05d39cc6eb150df00ee5
  SHA1: 541958b59d496ae8814c09336eda330993db754c
  SHA256: 4c2726ecd1f509ea66be91622735c2b9885c232c3b3733390e46d2859b2aed0b
  SHA512: 82f62f244fe0690c68b4eb983e1bd5ae421a5f10cf12d281a9dc167d9b99f60ea4dcac573f05626e5fc41ae50d18754029eae3f677806a83dfd7a801bda61c16
  Note: this is the file the PowerShell stage (PID 3116) reads with Get-Content and indexes at offset 50736; it is the artifact to pivot on.

Memory dumps (all from PID 3116, powershell.exe; sorted by dump index)
Dump | Address range | Size
memory/3116-6 | 0x0000000073EDE000-0x0000000073EDF000 | 4KB
memory/3116-7 | 0x0000000004EA0000-0x0000000004ED6000 | 216KB
memory/3116-8 | 0x0000000073ED0000-0x0000000074680000 | 7.7MB
memory/3116-9 | 0x0000000005650000-0x0000000005C78000 | 6.2MB
memory/3116-10 | 0x0000000073ED0000-0x0000000074680000 | 7.7MB
memory/3116-11 | 0x0000000005590000-0x00000000055B2000 | 136KB
memory/3116-12 | 0x0000000005D70000-0x0000000005DD6000 | 408KB
memory/3116-13 | 0x0000000005DE0000-0x0000000005E46000 | 408KB
memory/3116-23 | 0x0000000005E50000-0x00000000061A4000 | 3.3MB
memory/3116-24 | 0x0000000006450000-0x000000000646E000 | 120KB
memory/3116-25 | 0x0000000006500000-0x000000000654C000 | 304KB
memory/3116-26 | 0x0000000007410000-0x00000000074A6000 | 600KB
memory/3116-27 | 0x0000000006990000-0x00000000069AA000 | 104KB
memory/3116-28 | 0x00000000069E0000-0x0000000006A02000 | 136KB
memory/3116-29 | 0x0000000007A60000-0x0000000008004000 | 5.6MB
memory/3116-31 | 0x0000000008690000-0x0000000008D0A000 | 6.5MB
memory/3116-33 | 0x0000000073ED0000-0x0000000074680000 | 7.7MB
The 0x73ED0000-0x74680000 region was dumped three times (indices 8, 10, 33); all ranges lie below 4GB, consistent with the 32-bit (SysWOW64) PowerShell process. No dumps of the initial RFQ_DOC13062024.exe process (PID 4308) are listed.