Overview

overview

7

Static

static

rechnung_v...30.exe

windows7-x64

7

rechnung_v...30.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2022 04:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe

  • Size

    176KB

  • MD5

    13997ebf7af8d37dda6697ac03f76cc3

  • SHA1

    9be2bcd498406bdfb05f860ad726273c4a7b4f3a

  • SHA256

    11ecf58db103eb2ded5b942f303d48b5d77e336b8edfe335fa7b81264d1f50ef

  • SHA512

    2894ef41ec784fb39ec663ff8ca5fa8c0ebbd875f95f6e2b843c8bca59d63cc7c43f64df43898290cef31c4b32478819f437fcc4656606d0f7cd4721c735ffee

  • SSDEEP

    3072:rGwR1qmB1TQgHtMF5a6I4Ya5Tlrjmvl3XymSPTyAAwoc9+IkMd+zr3/1C:7KLa6I4x3mdnCNAwo42M

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2360
    • C:\Windows\system32\taskhostw.exe
      taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
      1⤵
        PID:2508
      • C:\Windows\System32\RuntimeBroker.exe
        C:\Windows\System32\RuntimeBroker.exe -Embedding
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3624
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
          PID:3724
        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
          1⤵
            PID:3492
          • C:\Windows\System32\RuntimeBroker.exe
            C:\Windows\System32\RuntimeBroker.exe -Embedding
            1⤵
              PID:3964
            • C:\Windows\system32\DllHost.exe
              C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
              1⤵
                PID:3392
                • C:\Windows\system32\WerFault.exe
                  C:\Windows\system32\WerFault.exe -u -p 3392 -s 960
                  2⤵
                  • Program crash
                  PID:2168
              • C:\Windows\System32\RuntimeBroker.exe
                C:\Windows\System32\RuntimeBroker.exe -Embedding
                1⤵
                  PID:4856
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                  1⤵
                    PID:3196
                  • C:\Windows\Explorer.EXE
                    C:\Windows\Explorer.EXE
                    1⤵
                    • Adds Run key to start application
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious behavior: GetForegroundWindowSpam
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1996
                    • C:\Users\Admin\AppData\Local\Temp\rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
                      "C:\Users\Admin\AppData\Local\Temp\rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe"
                      2⤵
                      • Suspicious use of SetThreadContext
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of SetWindowsHookEx
                      • Suspicious use of WriteProcessMemory
                      PID:4648
                      • C:\Users\Admin\AppData\Local\Temp\rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
                        C:\Users\Admin\AppData\Local\Temp\rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
                        3⤵
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:5044
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS9801~1.BAT"
                          4⤵
                            PID:5004
                            • C:\Windows\System32\Conhost.exe
                              \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              5⤵
                                PID:4996
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                        1⤵
                          PID:2384
                        • C:\Windows\system32\WerFault.exe
                          C:\Windows\system32\WerFault.exe -pss -s 408 -p 3392 -ip 3392
                          1⤵
                            PID:212

                          Network

                          MITRE ATT&CK Enterprise v6

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Roaming\ms9801425.bat
                            Filesize

                            201B

                            MD5

                            549483cfb0e043015352901a6160e81e

                            SHA1

                            97fcdf819774a123f2d0782d7df7861f18d5bc4d

                            SHA256

                            3d464257129d9c8c3ed06a035a4d660e913833e93cf05fa87e9d2313dfbd590e

                            SHA512

                            3dd798f7a8a58c3390894fd30dd00f090dfdaf9b002501d86b04d35ef210641af70f1597666bd9f568cc576c4a64f3bec47b23ce7e90fc4d5bea67ede8235674

                            Download Submit

                          • memory/1996-152-0x0000000000780000-0x0000000000797000-memory.dmp

                            Filesize

                            92KB

                            Download

                          • memory/1996-164-0x0000000000780000-0x0000000000797000-memory.dmp

                            Filesize

                            92KB

                            Download

                          • memory/1996-140-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2360-151-0x0000021A404E0000-0x0000021A404F7000-memory.dmp

                            Filesize

                            92KB

                            Download

                          • memory/2360-142-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2384-143-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2384-153-0x000001D1C67D0000-0x000001D1C67E7000-memory.dmp

                            Filesize

                            92KB

                            Download

                          • memory/2508-144-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2508-154-0x0000021AD4910000-0x0000021AD4927000-memory.dmp

                            Filesize

                            92KB

                            Download

                          • memory/3196-145-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/3196-157-0x0000016A2CC00000-0x0000016A2CC17000-memory.dmp

                            Filesize

                            92KB

                            Download

                          • memory/3492-146-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/3492-158-0x0000023A34BD0000-0x0000023A34BE7000-memory.dmp

                            Filesize

                            92KB

                            Download

                          • memory/3624-147-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/3624-159-0x00000234CE130000-0x00000234CE147000-memory.dmp

                            Filesize

                            92KB

                            Download

                          • memory/3964-148-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/3964-160-0x0000029D3AF50000-0x0000029D3AF67000-memory.dmp

                            Filesize

                            92KB

                            Download

                          • memory/4648-137-0x0000000000400000-0x0000000000520000-memory.dmp

                            Filesize

                            1.1MB

                            Download

                          • memory/4648-133-0x0000000000B10000-0x0000000000B14000-memory.dmp

                            Filesize

                            16KB

                            Download

                          • memory/4648-132-0x0000000000400000-0x0000000000520000-memory.dmp

                            Filesize

                            1.1MB

                            Download

                          • memory/4856-161-0x0000027516F40000-0x0000027516F57000-memory.dmp

                            Filesize

                            92KB

                            Download

                          • memory/4856-149-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/4996-150-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/4996-162-0x000002BD1B070000-0x000002BD1B087000-memory.dmp

                            Filesize

                            92KB

                            Download

                          • memory/5004-139-0x0000000000000000-mapping.dmp

                            Download

                          • memory/5004-156-0x0000000037150000-0x0000000037160000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/5004-163-0x0000000000DD0000-0x0000000000DE4000-memory.dmp

                            Filesize

                            80KB

                            Download

                          • memory/5044-138-0x0000000000400000-0x0000000000412000-memory.dmp

                            Filesize

                            72KB

                            Download

                          • memory/5044-134-0x0000000000000000-mapping.dmp

                            Download

                          • memory/5044-135-0x0000000000400000-0x0000000000412000-memory.dmp

                            Filesize

                            72KB

                            Download

                          • memory/5044-141-0x0000000000400000-0x0000000000412000-memory.dmp

                            Filesize

                            72KB

                            Download