Overview

overview

7

Static

static

2014_11rec...74.exe

windows7-x64

7

2014_11rec...74.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    140s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    24-11-2022 21:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exe

  • Size

    306KB

  • MD5

    756fae3b80bf129ce578006534c1413f

  • SHA1

    00ec3c18110067acd9014a27c366160f2ea18ab3

  • SHA256

    69b81b054100dc55fa61aa0edb9acdecccb84ab84fa37177b33e5d9814067633

  • SHA512

    10274e2d15f6c7990acee9dd6b8e4d3b30c5dc810321198257671862f125baecede3cb5193468f8361d3289fb4623cb3ab6a9f0caceb780eaa6e0e4ef4d1626e

  • SSDEEP

    6144:Ci37LbbWiaYUpwXV9RIKWn/TUVs8oL48N8lqFzc+tRJShtvUdJk:CO/izXrN8UbtPShoJk

Score
7/10
persistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1384
    • C:\Users\Admin\AppData\Local\Temp\2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exe
      "C:\Users\Admin\AppData\Local\Temp\2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1988
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS6374~1.BAT"
        3⤵
        • Deletes itself
        PID:2044
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1316
    • C:\Windows\system32\taskhost.exe
      "taskhost.exe"
      1⤵
        PID:1216
      • C:\Windows\system32\conhost.exe
        \??\C:\Windows\system32\conhost.exe "-1446658263-1339523300-753965598-227977199164476895119719313621729516100977601142"
        1⤵
          PID:2020

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\ms6374069.bat
          Filesize

          201B

          MD5

          889ed06ab2691e3eb0cd6439f14730c9

          SHA1

          3ccc56555e327d29d637aa55692586e061b1b48c

          SHA256

          4c803fc15cc4ef8dfc9f20d0cb93fa07afbf1becf56751a11955cd20d70ca851

          SHA512

          7417a8ba275b8de74e8322fe793c5acbbe678672caea8b080c4554304ec1ea2a3ee14fc27ac9cf4ae5c768b8922de1d774eddc57f57ef796b745c225c88d2e4d

          Download Submit

        • memory/1216-65-0x00000000376C0000-0x00000000376D0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1216-78-0x0000000000420000-0x0000000000437000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1316-79-0x0000000001C40000-0x0000000001C57000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1316-68-0x00000000376C0000-0x00000000376D0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1384-77-0x0000000002200000-0x0000000002217000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1384-60-0x00000000376C0000-0x00000000376D0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1384-58-0x0000000002200000-0x0000000002217000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1988-75-0x0000000000140000-0x000000000014E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/1988-66-0x0000000000180000-0x0000000000194000-memory.dmp

          Filesize

          80KB

          Download

        • memory/1988-76-0x0000000000230000-0x0000000000284000-memory.dmp

          Filesize

          336KB

          Download

        • memory/1988-54-0x0000000075911000-0x0000000075913000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2020-73-0x00000000376C0000-0x00000000376D0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2020-80-0x00000000000D0000-0x00000000000E7000-memory.dmp

          Filesize

          92KB

          Download

        • memory/2044-57-0x0000000000000000-mapping.dmp

          Download

        • memory/2044-81-0x0000000037870000-0x0000000037880000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2044-82-0x0000000000150000-0x0000000000164000-memory.dmp

          Filesize

          80KB

          Download