58f6462c0225f4ec37209add8486ef9bdcdc1d1e766096af73b3c7797ebeadb1

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19-10-2022 02:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sandra-Wohl-Bewerbung-Arbeitszeugnis.exe
Size

99KB
MD5

2411437b7a8c5e897e974b5a33e67428
SHA1

00906dca6d4134495a95283cc2c5ac458f2891fd
SHA256

58f6462c0225f4ec37209add8486ef9bdcdc1d1e766096af73b3c7797ebeadb1
SHA512

de8a3052a58d6b66d2c4840cc829478d82b69d754f4d25101573593357a2af406d290f7749d4f74ebc9e4529b74a7f910f327efcb4f3a1dd27d73a66cce109e0
SSDEEP

1536:/7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfPwNOpJ0HWIhOl:z7DhdC6kzWypvaQ0FxyNTBfP6OpH

Score

1^/10

Malware Config

Signatures

Kills process with taskkill 1 IoCs

evasion

pid	Process
2044	taskkill.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1020	Sandra-Wohl-Bewerbung-Arbeitszeugnis.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2044	taskkill.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 832 wrote to memory of 1948	832	Sandra-Wohl-Bewerbung-Arbeitszeugnis.exe	28
PID 832 wrote to memory of 1948	832	Sandra-Wohl-Bewerbung-Arbeitszeugnis.exe	28
PID 832 wrote to memory of 1948	832	Sandra-Wohl-Bewerbung-Arbeitszeugnis.exe	28
PID 832 wrote to memory of 1948	832	Sandra-Wohl-Bewerbung-Arbeitszeugnis.exe	28
PID 1948 wrote to memory of 1020	1948	cmd.exe	29
PID 1948 wrote to memory of 1020	1948	cmd.exe	29
PID 1948 wrote to memory of 1020	1948	cmd.exe	29
PID 1948 wrote to memory of 1020	1948	cmd.exe	29
PID 1020 wrote to memory of 932	1020	Sandra-Wohl-Bewerbung-Arbeitszeugnis.exe	31
PID 1020 wrote to memory of 932	1020	Sandra-Wohl-Bewerbung-Arbeitszeugnis.exe	31
PID 1020 wrote to memory of 932	1020	Sandra-Wohl-Bewerbung-Arbeitszeugnis.exe	31
PID 1020 wrote to memory of 932	1020	Sandra-Wohl-Bewerbung-Arbeitszeugnis.exe	31
PID 932 wrote to memory of 2044	932	cmd.exe	32
PID 932 wrote to memory of 2044	932	cmd.exe	32
PID 932 wrote to memory of 2044	932	cmd.exe	32
PID 932 wrote to memory of 1824	932	cmd.exe	34
PID 932 wrote to memory of 1824	932	cmd.exe	34
PID 932 wrote to memory of 1824	932	cmd.exe	34
PID 932 wrote to memory of 1764	932	cmd.exe	36
PID 932 wrote to memory of 1764	932	cmd.exe	36
PID 932 wrote to memory of 1764	932	cmd.exe	36
PID 932 wrote to memory of 1872	932	cmd.exe	37
PID 932 wrote to memory of 1872	932	cmd.exe	37
PID 932 wrote to memory of 1872	932	cmd.exe	37
PID 932 wrote to memory of 1760	932	cmd.exe	40
PID 932 wrote to memory of 1760	932	cmd.exe	40
PID 932 wrote to memory of 1760	932	cmd.exe	40
PID 932 wrote to memory of 1108	932	cmd.exe	42
PID 932 wrote to memory of 1108	932	cmd.exe	42
PID 932 wrote to memory of 1108	932	cmd.exe	42
PID 932 wrote to memory of 1276	932	cmd.exe	43
PID 932 wrote to memory of 1276	932	cmd.exe	43
PID 932 wrote to memory of 1276	932	cmd.exe	43
PID 932 wrote to memory of 1272	932	cmd.exe	45
PID 932 wrote to memory of 1272	932	cmd.exe	45
PID 932 wrote to memory of 1272	932	cmd.exe	45

C:\Users\Admin\AppData\Local\Temp\Sandra-Wohl-Bewerbung-Arbeitszeugnis.exe
"C:\Users\Admin\AppData\Local\Temp\Sandra-Wohl-Bewerbung-Arbeitszeugnis.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:832
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\291.tmp\292.tmp\293.bat C:\Users\Admin\AppData\Local\Temp\Sandra-Wohl-Bewerbung-Arbeitszeugnis.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Users\Admin\AppData\Local\Temp\Sandra-Wohl-Bewerbung-Arbeitszeugnis.exe
    "C:\Users\Admin\AppData\Local\Temp\Sandra-Wohl-Bewerbung-Arbeitszeugnis.exe" MY_FLAG
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of WriteProcessMemory
    PID:1020
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\32D.tmp\32E.tmp\32F.bat C:\Users\Admin\AppData\Local\Temp\Sandra-Wohl-Bewerbung-Arbeitszeugnis.exe MY_FLAG"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:932
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM explorer.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /k "C:\configuration\5201.bat"
        5⤵
        
        PID:1824
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /k "C:\configuration\and.bat"
        5⤵
        
        PID:1764
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /k "C:\configuration\and.bat"
        5⤵
        
        PID:1872
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /k "C:\configuration\and.bat"
        5⤵
        
        PID:1760
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /k "C:\configuration\and.bat"
        5⤵
        
        PID:1108
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /k "C:\configuration\and.bat"
        5⤵
        
        PID:1276
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /k "C:\configuration\and.bat"
        5⤵
        
        PID:1272

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\291.tmp\292.tmp\293.bat

Filesize
1KB

MD5
26e31166f37bc5ced3f4bcac118c69a8

SHA1
b81d68da35779e2531c13bdcdfd6564d72999223

SHA256
ddcbf8a6cdbf5dc2aa1280b20e014c4b3412ddac9b979cacf331a559585c3dc2

SHA512
4aa9e8fb0b9d0c5698f4abd060c0f3b253bf5a23d3456e675ee2a05a0ebe1c47ac5960ca1ce913a28dfc6859370e0305ff86f20645d2188271c7c347e90ef836

Download Submit
C:\Users\Admin\AppData\Local\Temp\32D.tmp\32E.tmp\32F.bat

Filesize
1KB

MD5
26e31166f37bc5ced3f4bcac118c69a8

SHA1
b81d68da35779e2531c13bdcdfd6564d72999223

SHA256
ddcbf8a6cdbf5dc2aa1280b20e014c4b3412ddac9b979cacf331a559585c3dc2

SHA512
4aa9e8fb0b9d0c5698f4abd060c0f3b253bf5a23d3456e675ee2a05a0ebe1c47ac5960ca1ce913a28dfc6859370e0305ff86f20645d2188271c7c347e90ef836

Download Submit
memory/832-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/932-59-0x0000000000000000-mapping.dmp

Download
memory/1020-57-0x0000000000000000-mapping.dmp

Download
memory/1108-66-0x0000000000000000-mapping.dmp

Download
memory/1272-68-0x0000000000000000-mapping.dmp

Download
memory/1276-67-0x0000000000000000-mapping.dmp

Download
memory/1760-65-0x0000000000000000-mapping.dmp

Download
memory/1764-63-0x0000000000000000-mapping.dmp

Download
memory/1824-62-0x0000000000000000-mapping.dmp

Download
memory/1872-64-0x0000000000000000-mapping.dmp

Download
memory/1948-55-0x0000000000000000-mapping.dmp

Download
memory/2044-61-0x0000000000000000-mapping.dmp

Download