Analysis
-
max time kernel
93s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 01:14
Static task
static1
Behavioral task
behavioral1
Sample
RFQ NO 850003391.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
RFQ NO 850003391.exe
Resource
win10v2004-20241007-en
General
-
Target
RFQ NO 850003391.exe
-
Size
1.1MB
-
MD5
9db868189b7213d769f81a31cc293351
-
SHA1
b5d1061b19287a433770890098b427d6dc865b38
-
SHA256
5a57caa772bff44e3f2dd127ff764b329c5658d88a33e92bd84fdf9fc1dcf971
-
SHA512
93d19cab3aeb8b8cd50a8ffa39ba19f40f695d0c9d631c5bca82e774d6fa79a92184b46821e53aac2a47f4b46580e3a8953249b18c46a7dede89a0e21bc0434a
-
SSDEEP
24576:pu6J33O0c+JY5UZ+XC0kGso6FafZ78TGAktDAo0ixJmQxwhmWY:Lu0c++OCvkGs9FafNxpko0ixJmY+Y
Malware Config
Signatures
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
RFQ NO 850003391.exedescription pid Process procid_target PID 4040 set thread context of 1360 4040 RFQ NO 850003391.exe 86 -
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target Process procid_target 1704 1360 WerFault.exe 86 1288 4040 WerFault.exe 82 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
RFQ NO 850003391.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RFQ NO 850003391.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
RFQ NO 850003391.exepid Process 4040 RFQ NO 850003391.exe 4040 RFQ NO 850003391.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
RFQ NO 850003391.exepid Process 4040 RFQ NO 850003391.exe 4040 RFQ NO 850003391.exe -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
RFQ NO 850003391.exepid Process 4040 RFQ NO 850003391.exe 4040 RFQ NO 850003391.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
RFQ NO 850003391.exedescription pid Process procid_target PID 4040 wrote to memory of 1360 4040 RFQ NO 850003391.exe 86 PID 4040 wrote to memory of 1360 4040 RFQ NO 850003391.exe 86 PID 4040 wrote to memory of 1360 4040 RFQ NO 850003391.exe 86 PID 4040 wrote to memory of 1360 4040 RFQ NO 850003391.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\RFQ NO 850003391.exe"C:\Users\Admin\AppData\Local\Temp\RFQ NO 850003391.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4040 -
C:\Windows\SysWOW64\svchost.exe"C:\Users\Admin\AppData\Local\Temp\RFQ NO 850003391.exe"2⤵PID:1360
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 1923⤵
- Program crash
PID:1704
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 7202⤵
- Program crash
PID:1288
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 1360 -ip 13601⤵PID:3448
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4040 -ip 40401⤵PID:3656
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
280KB
MD5585c4b17c083c1d06c5570746a2c1f25
SHA1866ffcaada026d18700c5f0ff36af06680b57049
SHA2565c03376ad22fded33a966910031039ffea025d2845a2e1e09d89f5aa1bccf11d
SHA51207d640ccf10e57fab4fea6cf28343e6c1ecbd5847c981d237e9df6fa488e3c809c7383acba90d4827847f41183b41bc1df7d4bd52b82b47d81f20781d3035b33