6c52af67375cff10635d85e1125a18ce827b7450ed5cf1e0d60300fbe57217e9

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2024 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RFQ-2203IQ22.exe
Size

363KB
MD5

497c61e3c3b524f3f5e21133e25e9fed
SHA1

3ae28a52da98599f857c6086bd650ddb7a08884b
SHA256

e8a006ff04f0284cdd1008d687dc62231e78886c017904c462c0b18d9b938a8a
SHA512

4fccfe219f77d9cb9da4c017fb28e33ba9fad4f7e7202525ef7a0d36e39b2c51b70d5d61e4ff011abee75f39cb1910cd5580274aa796991c8366ee3cb196ab3a
SSDEEP

6144:TGi7FnvhydhcoKQB9IkZFPVOcVKmPo1irNYMr08C2YuDPwHEzzRof28Jt:1w95FdOEoKQ8C2YuDPwMzefRf

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4712	dbhvn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RFQ-2203IQ22.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbhvn.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 4712	2588	RFQ-2203IQ22.exe	83
PID 2588 wrote to memory of 4712	2588	RFQ-2203IQ22.exe	83
PID 2588 wrote to memory of 4712	2588	RFQ-2203IQ22.exe	83
PID 4712 wrote to memory of 3440	4712	dbhvn.exe	84
PID 4712 wrote to memory of 3440	4712	dbhvn.exe	84
PID 4712 wrote to memory of 3440	4712	dbhvn.exe	84

C:\Users\Admin\AppData\Local\Temp\RFQ-2203IQ22.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ-2203IQ22.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Users\Admin\AppData\Local\Temp\dbhvn.exe
  C:\Users\Admin\AppData\Local\Temp\dbhvn.exe C:\Users\Admin\AppData\Local\Temp\ysooupq
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4712
- - C:\Users\Admin\AppData\Local\Temp\dbhvn.exe
    C:\Users\Admin\AppData\Local\Temp\dbhvn.exe C:\Users\Admin\AppData\Local\Temp\ysooupq
    3⤵
    PID:3440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dbhvn.exe

Filesize
107KB

MD5
2c3eb1912198569cf1680077ac995221

SHA1
c69948d7e3d380b1b8d29df7501eadc0fea857ec

SHA256
e1b09d71f05cf589e41f3701142b3fd917508e3b5f43eaa810bcaeab74f18165

SHA512
9553c96268cffb7638ff1e2df116ddb039654fc221328a6fa5673d1b502cfaca6d1762a6e3a537d530eec6c66004058520de6592aa6492e80f7faef7f73e49bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\jveithbc8i

Filesize
210KB

MD5
3f12428b5a1afbdca2f1512a0157a8f6

SHA1
d99e0c7965a9150acee3159a8c8dacc75e300372

SHA256
a7e502ba7d504d5cd361f0dc2a01c30b346b72b00c55f023df8ab52b703f6193

SHA512
192cf6d404de31f70ebe5c52ad9c2645c0d65e345ef86c514ed0552089f0ec69233b44a22f51330302c4e320b308b86d65359497abfd98ca083d8c8fe8c0ad52

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysooupq

Filesize
4KB

MD5
ea559a32d5fcc3abb041266808447cff

SHA1
34388899e6f7e333a765f7b87434a4aa7d9787f7

SHA256
22da97a15483334c545403689f61dfb09b46563a8e3b9c91f577a9b4d97e8563

SHA512
4b92ba0d39498d2ab9f4e8b98364674c60d857018837d5466dcc64658748f09f75b344a2e7b0dfc791077f291fcd0879626cd450ca168f1c8b033cc3e286ac41

Download Submit
memory/4712-7-0x00000000007D0000-0x00000000007D2000-memory.dmp

Filesize
8KB

Download