Analysis

max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 01-11-2024 13:33

Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: ENERCOV RFQ PO 20225181.exe
  Resource: win7-20240903-en (windows7-x64)
  4 signatures, 150 seconds
General

Target: ENERCOV RFQ PO 20225181.exe
Size: 922KB
MD5: 63de9b7b92d23bea31282cf8d971b6fd
SHA1: f1050e174595781e86dfdf0d50339b626de2697a
SHA256: 23fd85e7d0e1f372bd11f594fc1a64ac020f4a8c5adce87a70f5e9f81a66da44
SHA512: ce1acf54ddd2c99c490c015bb8bb00d5ca14d0c08e0edc999b3d9fa18d829702d0e26616efd20d6f7acbe5fbf7fac81d1a7d365308a1d5ab05d59bd58a69dca8
SSDEEP: 12288:/OfVhpe6ijKZF67p9sLLHJFqfuw7jQNEGsWySoF1+wZQFJvK4qL9FWb/:/OfV3ijKZapWHSuwg/TpmSJvn

Score: 3/10
Malware Config
Signatures

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host. The NLS\Language key is also read by the standard Windows locale APIs during ordinary process start-up, so on its own this hit is weak evidence; it gains weight only together with the cross-process memory writes listed further down.
Processes:
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: ENERCOV RFQ PO 20225181.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes:
  pid 2956, ENERCOV RFQ PO 20225181.exe (10 events, all from the same process)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  Token: SeDebugPrivilege, pid 2956, ENERCOV RFQ PO 20225181.exe
SeDebugPrivilege is not required to write into a child process the caller created itself (CreateProcess already returns a full-access handle), so enabling it here is a common loader habit rather than a capability the sample needed.
Suspicious use of WriteProcessMemory (20 IoCs)
Processes (writer pid -> target pid; 4 writes per target; every target is a child instance of the same executable, see the process tree below):
  2956 ENERCOV RFQ PO 20225181.exe -> 2548 (procid_target 31)
  2956 ENERCOV RFQ PO 20225181.exe -> 2212 (procid_target 32)
  2956 ENERCOV RFQ PO 20225181.exe -> 2880 (procid_target 33)
  2956 ENERCOV RFQ PO 20225181.exe -> 2704 (procid_target 34)
  2956 ENERCOV RFQ PO 20225181.exe -> 2384 (procid_target 35)
A parent that writes into freshly spawned copies of its own image is the shape of process hollowing / RunPE-style loaders. The report shows neither the section unmap nor the thread resume that would confirm it, so treat this as consistent with hollowing rather than proof of it. None of the five children triggered any signature in the 150-second window, which is why the overall score stays at 3/10 despite the injection pattern.
Processes

C:\Users\Admin\AppData\Local\Temp\ENERCOV RFQ PO 20225181.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ENERCOV RFQ PO 20225181.exe"
  PID: 2956
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  children (same image, no signatures triggered):
    "C:\Users\Admin\AppData\Local\Temp\ENERCOV RFQ PO 20225181.exe"  PID: 2548
    "C:\Users\Admin\AppData\Local\Temp\ENERCOV RFQ PO 20225181.exe"  PID: 2212
    "C:\Users\Admin\AppData\Local\Temp\ENERCOV RFQ PO 20225181.exe"  PID: 2880
    "C:\Users\Admin\AppData\Local\Temp\ENERCOV RFQ PO 20225181.exe"  PID: 2704
    "C:\Users\Admin\AppData\Local\Temp\ENERCOV RFQ PO 20225181.exe"  PID: 2384
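The WriteProcessMemory and AdjustPrivilegeToken signatures above and the process tree are only meaningful in combination: the question is whether the writer is targeting its own children and whether those children run the same image. The script below is an added example, not part of the sandbox report or its tooling. It parses the run-on IoC line the report emits, rebuilds parent/child links from the depth markers of the process list, and reduces the 20 events to one finding. The input strings and the process tuples are reconstructed from the values on this page; the event field names (writer, target, procid_target) and the dict layout are this example's own assumptions.

```python
import re
from collections import Counter

IMAGE = "ENERCOV RFQ PO 20225181.exe"
IMAGE_PATH = r"C:\Users\Admin\AppData\Local\Temp\ENERCOV RFQ PO 20225181.exe"

# Constructed copy of the report's "Suspicious use of WriteProcessMemory" IoC
# line. The sandbox renders all 20 events as one run-on line; each event reads
# "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>".
# Targets 2548/2212/2880/2704/2384, indices 31-35 and 4 writes each are the
# values shown in the report above.
WPM_IOC_LINE = " ".join(
    f"PID 2956 wrote to memory of {target} 2956 {IMAGE} {idx}"
    for target, idx in [(2548, 31), (2212, 32), (2880, 33), (2704, 34), (2384, 35)]
    for _ in range(4)
)

# Constructed copy of the report's AdjustPrivilegeToken IoC.
PRIV_IOC_LINE = f"Token: SeDebugPrivilege 2956 {IMAGE}"

# Constructed from the Processes section: (depth, pid, image path) in report
# order. Depth 1 is the submitted sample, depth 2 its direct children.
PROCESS_TREE = [(1, 2956, IMAGE_PATH)] + [
    (2, pid, IMAGE_PATH) for pid in (2548, 2212, 2880, 2704, 2384)
]

# Image names contain spaces, so the image group is non-greedy and each event
# is terminated by the next "PID " token or the end of the line.
EVENT_RE = re.compile(
    r"PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) "
    r"(?P<writer_again>\d+) (?P<image>.+?) (?P<procid_target>\d+)(?= PID |\s*$)"
)
PRIV_RE = re.compile(r"Token: (?P<priv>\w+) (?P<pid>\d+) (?P<image>.+)$")


def parse_write_events(line):
    """Split the run-on WriteProcessMemory IoC line into one dict per write."""
    return [
        {
            "writer": int(m["writer"]),
            "target": int(m["target"]),
            "image": m["image"],
            "procid_target": int(m["procid_target"]),
        }
        for m in EVENT_RE.finditer(line)
    ]


def parse_privileges(line):
    """Return {pid: {privilege names}} from AdjustPrivilegeToken IoC text."""
    privs = {}
    for m in PRIV_RE.finditer(line):
        privs.setdefault(int(m["pid"]), set()).add(m["priv"])
    return privs


def build_parent_map(tree):
    """Recover parent PIDs from the depth markers (1, 2, ...) of the process list."""
    parents, stack = {}, []
    for depth, pid, _image in tree:
        del stack[depth - 1:]          # drop everything deeper than this node's parent
        parents[pid] = stack[-1] if stack else None
        stack.append(pid)
    return parents


def assess(events, tree, privs):
    """Correlate memory writes with the process tree and token privileges."""
    images = {pid: img for _depth, pid, img in tree}
    parents = build_parent_map(tree)
    writers = {e["writer"] for e in events}
    targets = sorted({e["target"] for e in events})
    own_children = all(parents.get(t) in writers for t in targets)
    same_image = all(
        images.get(t) is not None and images[t] == images.get(parents.get(t))
        for t in targets
    )
    if own_children and same_image:
        pattern = ("parent writes into child copies of its own image: consistent "
                   "with process hollowing / RunPE, not proven by these events alone")
    else:
        pattern = "cross-process write into an unrelated process"
    return {
        "writers": sorted(writers),
        "targets": targets,
        "writes_per_target": dict(Counter(e["target"] for e in events)),
        "targets_are_writers_children": own_children,
        "targets_share_writer_image": same_image,
        # SeDebugPrivilege is not needed to write into a process you created
        # yourself, so here it is a loader habit rather than a capability gate.
        "debug_privilege_on_writer": any(
            "SeDebugPrivilege" in privs.get(w, ()) for w in writers
        ),
        "pattern": pattern,
    }


if __name__ == "__main__":
    finding = assess(parse_write_events(WPM_IOC_LINE), PROCESS_TREE,
                     parse_privileges(PRIV_IOC_LINE))
    for key, value in finding.items():
        print(f"{key}: {value}")
```

The same correlation transfers to live telemetry: in Sysmon terms it is a ProcessAccess event whose source and target images match and whose parent/child relation comes from the preceding ProcessCreate, which is far more specific than alerting on every cross-process write.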