da62bcbaf979d67943395094d8cd54a2f02041a0edd3822ce83c46f4ca52b2f7

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/09/2024, 11:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

RFQ#F44E0741.exe
Size

437KB
MD5

4710d6f5d3b9c2d612f2589f997fa70b
SHA1

1c84793eaae4f1534483280337c8a4974e34d78c
SHA256

dba9ab278a6ff48c2119f65e8824b32e1df9d6a9e586828ca3641d34abe3e938
SHA512

b272a67d0fc9e593a14468562050873e0ff2e29bd4402644a2992286992dfb5dc8c427e23b4a7791ef5d96e4c526cd2e6d89e4acd82b0f30d36dfb6287a9bce7
SSDEEP

6144:8QbGb6t7QSvKpgxBypeR+FrMgQ1bioNKLu/NYnBQd4LkDUB/UC+L:zb46yu2m+mgQ/3KsbDUBsC+

Score

7^/10

discovery persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1228	RFQ#F44E0741.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\djdjdkk = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\shshsjsj"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RFQ#F44E0741.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	RFQ#F44E0741.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1228	RFQ#F44E0741.exe
1228	RFQ#F44E0741.exe
1228	RFQ#F44E0741.exe
1228	RFQ#F44E0741.exe
1228	RFQ#F44E0741.exe
1228	RFQ#F44E0741.exe
1228	RFQ#F44E0741.exe
1228	RFQ#F44E0741.exe
1228	RFQ#F44E0741.exe
1228	RFQ#F44E0741.exe
1228	RFQ#F44E0741.exe
1228	RFQ#F44E0741.exe
1228	RFQ#F44E0741.exe
1228	RFQ#F44E0741.exe
1228	RFQ#F44E0741.exe
1228	RFQ#F44E0741.exe
1228	RFQ#F44E0741.exe
1228	RFQ#F44E0741.exe
1228	RFQ#F44E0741.exe
1228	RFQ#F44E0741.exe
1228	RFQ#F44E0741.exe
1228	RFQ#F44E0741.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1228	RFQ#F44E0741.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4500	OpenWith.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 4436	1228	RFQ#F44E0741.exe	89
PID 1228 wrote to memory of 4436	1228	RFQ#F44E0741.exe	89
PID 1228 wrote to memory of 4436	1228	RFQ#F44E0741.exe	89
PID 4436 wrote to memory of 1388	4436	cmd.exe	91
PID 4436 wrote to memory of 1388	4436	cmd.exe	91
PID 4436 wrote to memory of 1388	4436	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\RFQ#F44E0741.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ#F44E0741.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v djdjdkk /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\shshsjsj"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v djdjdkk /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\shshsjsj"
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1388

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b438b2b2-a27d-417f-8ec9-625540b311a1\g.dll

Filesize
94KB

MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
memory/1228-37-0x0000000004E60000-0x0000000004E7F000-memory.dmp

Filesize
124KB

Download
memory/1228-31-0x0000000004E60000-0x0000000004E7F000-memory.dmp

Filesize
124KB

Download
memory/1228-29-0x0000000004E60000-0x0000000004E7F000-memory.dmp

Filesize
124KB

Download
memory/1228-1-0x0000000000630000-0x00000000006A4000-memory.dmp

Filesize
464KB

Download
memory/1228-65-0x0000000004E60000-0x0000000004E7F000-memory.dmp

Filesize
124KB

Download
memory/1228-73-0x0000000004E60000-0x0000000004E7F000-memory.dmp

Filesize
124KB

Download
memory/1228-71-0x0000000004E60000-0x0000000004E7F000-memory.dmp

Filesize
124KB

Download
memory/1228-67-0x0000000004E60000-0x0000000004E7F000-memory.dmp

Filesize
124KB

Download
memory/1228-63-0x0000000004E60000-0x0000000004E7F000-memory.dmp

Filesize
124KB

Download
memory/1228-61-0x0000000004E60000-0x0000000004E7F000-memory.dmp

Filesize
124KB

Download
memory/1228-59-0x0000000004E60000-0x0000000004E7F000-memory.dmp

Filesize
124KB

Download
memory/1228-57-0x0000000004E60000-0x0000000004E7F000-memory.dmp

Filesize
124KB

Download
memory/1228-55-0x0000000004E60000-0x0000000004E7F000-memory.dmp

Filesize
124KB

Download
memory/1228-53-0x0000000004E60000-0x0000000004E7F000-memory.dmp

Filesize
124KB

Download
memory/1228-49-0x0000000004E60000-0x0000000004E7F000-memory.dmp

Filesize
124KB

Download
memory/1228-48-0x0000000004E60000-0x0000000004E7F000-memory.dmp

Filesize
124KB

Download
memory/1228-45-0x0000000004E60000-0x0000000004E7F000-memory.dmp

Filesize
124KB

Download
memory/1228-42-0x0000000004E60000-0x0000000004E7F000-memory.dmp

Filesize
124KB

Download
memory/1228-39-0x0000000004E60000-0x0000000004E7F000-memory.dmp

Filesize
124KB

Download
memory/1228-0-0x000000007444E000-0x000000007444F000-memory.dmp

Filesize
4KB

Download
memory/1228-2-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/1228-33-0x0000000004E60000-0x0000000004E7F000-memory.dmp

Filesize
124KB

Download
memory/1228-3-0x0000000004E60000-0x0000000004E84000-memory.dmp

Filesize
144KB

Download
memory/1228-27-0x0000000004E60000-0x0000000004E7F000-memory.dmp

Filesize
124KB

Download
memory/1228-26-0x0000000004E60000-0x0000000004E7F000-memory.dmp

Filesize
124KB

Download
memory/1228-23-0x0000000004E60000-0x0000000004E7F000-memory.dmp

Filesize
124KB

Download
memory/1228-11-0x0000000072E50000-0x0000000072ED9000-memory.dmp

Filesize
548KB

Download
memory/1228-51-0x0000000004E60000-0x0000000004E7F000-memory.dmp

Filesize
124KB

Download
memory/1228-21-0x0000000004E60000-0x0000000004E7F000-memory.dmp

Filesize
124KB

Download
memory/1228-19-0x0000000004E60000-0x0000000004E7F000-memory.dmp

Filesize
124KB

Download
memory/1228-17-0x0000000004E60000-0x0000000004E7F000-memory.dmp

Filesize
124KB

Download
memory/1228-15-0x0000000004E60000-0x0000000004E7F000-memory.dmp

Filesize
124KB

Download
memory/1228-13-0x0000000004E60000-0x0000000004E7F000-memory.dmp

Filesize
124KB

Download
memory/1228-12-0x0000000004E60000-0x0000000004E7F000-memory.dmp

Filesize
124KB

Download
memory/1228-102-0x000000007444E000-0x000000007444F000-memory.dmp

Filesize
4KB

Download
memory/1228-103-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/1228-104-0x0000000005E60000-0x0000000006404000-memory.dmp

Filesize
5.6MB

Download
memory/1228-105-0x0000000005990000-0x0000000005A22000-memory.dmp

Filesize
584KB

Download
memory/1228-106-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/1228-107-0x0000000006E10000-0x0000000006E54000-memory.dmp

Filesize
272KB

Download
memory/1228-109-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/1228-113-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download