Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
13-11-2024 09:21
Static task
static1
Behavioral task
behavioral1
Sample
RFQ for WIKA_pdf.exe
Resource
win7-20241023-en
General
-
Target
RFQ for WIKA_pdf.exe
-
Size
643KB
-
MD5
0292cf3982c9b1a9fab696af01ba5b16
-
SHA1
cc9d0d3e5b2ab552a627b2c506c7bdc0706e100e
-
SHA256
f32af695424c19ad7ba48fc23dee2d20cbf4263103e35309199890eeadc017d8
-
SHA512
1e4364b00ae0f3dde146a4724f175ea47af1ecafd34c57cbf8140d2aaa4e50a40a6b9693d7a8b7163d291c2f6b51fa1a84f1c85e98d700accbc4281631fd917c
-
SSDEEP
12288:BnMDf3lusde5obg6dhvfUXZ2Kd1xiPueC+LC6D:mDf35YkHDqkPueC+26
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Runs PowerShell with its display window hidden.
-
Blocklisted process makes network request 5 IoCs
Processes:
flow  pid   Process
25    2452  msiexec.exe
28    2452  msiexec.exe
33    2452  msiexec.exe
40    2452  msiexec.exe
42    2452  msiexec.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes:
pid   Process
2452  msiexec.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
pid   Process
2160  powershell.exe
2452  msiexec.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
pid   pid_target  Process       procid_target
1912  2452        WerFault.exe  94
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
Processes:
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  msiexec.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  RFQ for WIKA_pdf.exe
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
pid   Process
2160  powershell.exe (9 occurrences)
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid   Process
2160  powershell.exe
-
Suspicious use of AdjustPrivilegeToken 22 IoCs
Processes:
description                           pid   Process
Token: SeDebugPrivilege               2160  powershell.exe
Token: SeIncreaseQuotaPrivilege       2160  powershell.exe
Token: SeSecurityPrivilege            2160  powershell.exe
Token: SeTakeOwnershipPrivilege       2160  powershell.exe
Token: SeLoadDriverPrivilege          2160  powershell.exe
Token: SeSystemProfilePrivilege       2160  powershell.exe
Token: SeSystemtimePrivilege          2160  powershell.exe
Token: SeProfSingleProcessPrivilege   2160  powershell.exe
Token: SeIncBasePriorityPrivilege     2160  powershell.exe
Token: SeCreatePagefilePrivilege      2160  powershell.exe
Token: SeBackupPrivilege              2160  powershell.exe
Token: SeRestorePrivilege             2160  powershell.exe
Token: SeShutdownPrivilege            2160  powershell.exe
Token: SeDebugPrivilege               2160  powershell.exe
Token: SeSystemEnvironmentPrivilege   2160  powershell.exe
Token: SeRemoteShutdownPrivilege      2160  powershell.exe
Token: SeUndockPrivilege              2160  powershell.exe
Token: SeManageVolumePrivilege        2160  powershell.exe
Token: 33                             2160  powershell.exe
Token: 34                             2160  powershell.exe
Token: 35                             2160  powershell.exe
Token: 36                             2160  powershell.exe
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
description                       pid   Process               procid_target
PID 1332 wrote to memory of 2160  1332  RFQ for WIKA_pdf.exe  83  (3 occurrences)
PID 2160 wrote to memory of 2452  2160  powershell.exe        94  (4 occurrences)
Processes
-
C:\Users\Admin\AppData\Local\Temp\RFQ for WIKA_pdf.exe  (depth 1)
  command: "C:\Users\Admin\AppData\Local\Temp\RFQ for WIKA_pdf.exe"
  PID: 1332
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (depth 2)
    command: powershell.exe -windowstyle hidden "$enumeration=Get-Content -raw 'C:\Users\Admin\AppData\Local\Sonneteeress42\Nonusurpingly208\Reprsentantselskaberne.Bit';$Noret=$enumeration.SubString(7806,3);.$Noret($enumeration) "
    PID: 2160
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\msiexec.exe  (depth 3)
      command: "C:\Windows\SysWOW64\msiexec.exe"
      PID: 2452
      - Blocklisted process makes network request
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\WerFault.exe  (depth 4)
        command: C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 1908
        PID: 1912
        - Program crash
-
C:\Windows\SysWOW64\WerFault.exe  (depth 1)
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2452 -ip 2452
  PID: 4172
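The second stage in the tree above is a PowerShell command line that reads a file with Get-Content -raw, takes three characters from offset 7806 of that text, and uses them as the name of the command it then invokes (via the dot operator) on the whole file content, so the invoking cmdlet never appears on the command line. The third stage is msiexec.exe started with no arguments by powershell.exe, which then writes into its memory (the WriteProcessMemory IoCs) before the process crashes into WerFault.exe. The Python below is an added triage example, not tooling from the sandbox or anything on the page: it flags this loader shape in process command lines, replays the SubString offset statically on a recovered copy of the file without executing it, and flags a script host spawning a bare system binary. The process events and the file content are constructed to mirror the report; the real .Bit file is not on the page, and the "iex" placed at offset 7806 of the constructed file is an assumption for the demonstration only.

```python
"""Triage helpers for the PowerShell stage-loader pattern in the tree above.
Added example; events and file content below are constructed, not captured."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed process events: (pid, parent pid, image path, command line).
SAMPLE_PROCESSES = [
    (1332, 1000, r"C:\Users\Admin\AppData\Local\Temp\RFQ for WIKA_pdf.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\RFQ for WIKA_pdf.exe"'),
    (2160, 1332, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     'powershell.exe -windowstyle hidden "$enumeration=Get-Content -raw '
     r"'C:\Users\Admin\AppData\Local\Sonneteeress42\Nonusurpingly208\Reprsentantselskaberne.Bit';"
     '$Noret=$enumeration.SubString(7806,3);.$Noret($enumeration) "'),
    (2452, 2160, r"C:\Windows\SysWOW64\msiexec.exe", r'"C:\Windows\SysWOW64\msiexec.exe"'),
    (1912, 2452, r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 1908"),
    # Benign control: visible console, script passed by path.
    (3000, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -File C:\scripts\inventory.ps1"),
    # Benign control: msiexec with a real package argument.
    (3100, 1000, r"C:\Windows\System32\msiexec.exe", r'msiexec.exe /i "C:\pkg\tool.msi" /qn'),
]

# Get-Content -raw '<file>' ... .SubString(<offset>,<length>)
LOADER_RE = re.compile(
    r"Get-Content\s+-raw\s+'(?P<path>[^']+)'.*?\.SubString\((?P<offset>\d+)\s*,\s*(?P<length>\d+)\)",
    re.IGNORECASE | re.DOTALL)
HIDDEN_RE = re.compile(r"-w(?:in(?:dowstyle)?)?\s+hidden", re.IGNORECASE)
# Call or dot-source operator applied to a variable holding the command name: .$x( / &$x(
INDIRECT_CALL_RE = re.compile(r"[.&]\s*\$\w+\s*\(")


@dataclass
class LoaderHit:
    pid: int
    script_path: str
    offset: int
    length: int
    hidden_window: bool
    indirect_call: bool

    @property
    def score(self) -> int:
        # One point per trait; 3 is the full shape seen in the report.
        return 1 + int(self.hidden_window) + int(self.indirect_call)


def detect_powershell_loader(pid: int, image: str, cmdline: str) -> Optional[LoaderHit]:
    """Flag a PowerShell command line that reads a file and slices a command name out of it."""
    if image.rsplit("\\", 1)[-1].lower() not in ("powershell.exe", "pwsh.exe"):
        return None
    m = LOADER_RE.search(cmdline)
    if not m:
        return None
    return LoaderHit(pid, m["path"], int(m["offset"]), int(m["length"]),
                     bool(HIDDEN_RE.search(cmdline)), bool(INDIRECT_CALL_RE.search(cmdline)))


def recover_invoked_name(script_text: str, offset: int, length: int) -> str:
    """Replay $var.SubString(offset, length) statically; the file is never run.
    .NET indexes UTF-16 code units and Python indexes code points, which agree
    for the ASCII/BMP text these loaders carry."""
    if offset < 0 or length < 0 or offset + length > len(script_text):
        raise ValueError("range outside the file: the loader itself would throw here")
    return script_text[offset:offset + length]


# Constructed stand-in for the .Bit file: filler, the command name at 7806, then
# the rest of the text the loader passes to it. "iex" is an assumption for the demo.
CONSTRUCTED_SCRIPT = "#" * 7806 + "iex" + " # payload text would follow here"


def find_injection_hosts(processes, hosts=("msiexec.exe",), spawners=("powershell.exe", "pwsh.exe")):
    """A script host launching a system binary with no arguments at all is the
    pre-injection shape: the child is a target, not a real installer run.
    Returns (child pid, parent pid, parent image name) tuples."""
    by_pid = {p[0]: p for p in processes}
    hits = []
    for pid, ppid, image, cmd in processes:
        name = image.rsplit("\\", 1)[-1].lower()
        if name not in hosts or ppid not in by_pid:
            continue
        parent_name = by_pid[ppid][2].rsplit("\\", 1)[-1].lower()
        bare = cmd.strip().strip('"').lower() in (image.lower(), name)
        if parent_name in spawners and bare:
            hits.append((pid, ppid, parent_name))
    return hits


def triage(processes, script_files):
    """script_files maps a script path to its content recovered from disk or quarantine."""
    findings = []
    for pid, _ppid, image, cmd in processes:
        hit = detect_powershell_loader(pid, image, cmd)
        if hit is None:
            continue
        entry = {"pid": pid, "score": hit.score, "script": hit.script_path, "invoked": None}
        text = script_files.get(hit.script_path)
        if text is not None:
            entry["invoked"] = recover_invoked_name(text, hit.offset, hit.length)
        findings.append(entry)
    findings.extend({"pid": c, "score": 3, "parent": p, "note": f"bare host spawned by {n}"}
                    for c, p, n in find_injection_hosts(processes))
    return findings


if __name__ == "__main__":
    files = {SAMPLE_PROCESSES[1][3].split("'")[1]: CONSTRUCTED_SCRIPT}
    for finding in triage(SAMPLE_PROCESSES, files):
        print(finding)
```

The command-line check is deliberately structural (read file, slice a short token, invoke it through a variable) rather than keyed on the random directory names, which change per build; the process-chain check is what catches the same loader once it moves to a different script obfuscation.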
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
304KB
MD5
01db84665be66accf1673afb7e81764f
SHA1
f80531210226e583855f4b1e1aa6b12e89099f5e
SHA256
92a29022f3d2eb69ced1ec286803c586f54522b27e29121e91f83154edb221ea
SHA512
938917f4985a20db26b96fc8a4c8934c1e7e868f598af33e9de487a2f34ae5cdb68b4081bd44fe131e1c1869d2c67e582373671b79f04e11596af215e28a229a
-
Filesize
72KB
MD5
c22f6459bacbd4b317e870ddf6b60b93
SHA1
16ca1c55f08777130da5a79d90ce8bea04bdd3f2
SHA256
e7d9c5ad331c6eb2767780e722456543927c5ab736d2432ff2cb59f75d5b93ef
SHA512
47db78b9ed110e76e091264084ab2f59c4c553b511a6eea11eb83754c4e5ecdcf8cceeda3861bcc1a3322b20149e8c88f105535cf05a230504f8df370928de1b
-
Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82