Overview

overview

7

Static

static

1_1_kunden...02.exe

windows7-x64

7

1_1_kunden...02.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    151s
  • max time network
    160s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    24/11/2022, 04:31

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    1_1_kundencenter_mobilfunk_2014_11_de_0209_0000328362_2761287_12_78_009_2876237820002.exe

  • Size

    172KB

  • MD5

    f09f0f31bd7bcd99f2fad85984f83263

  • SHA1

    dc0321ac518eea42dc0a49e92ff09de1b69f5a19

  • SHA256

    6617531d14be15ea155760a492fcbcde3b859aaaab645e6fbec9f1497514f9d9

  • SHA512

    0640364b34269424da3919b36d5729a4c7bdc00f0b0bc555f63cbb699fc8bf4252c29d9962792582e44125ce580b7b73ce1ea1f29ce83b4bbf561cf5bf15b8d5

  • SSDEEP

    3072:oRPCwIGjhojU9HiU8jZU4BU0dlvaoNY/ZZx5hju2fOe15Qn/Ojn:oRzPjUUeNUalaEGZx3ye1iS

Score
7/10
persistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1360
    • C:\Users\Admin\AppData\Local\Temp\1_1_kundencenter_mobilfunk_2014_11_de_0209_0000328362_2761287_12_78_009_2876237820002.exe
      "C:\Users\Admin\AppData\Local\Temp\1_1_kundencenter_mobilfunk_2014_11_de_0209_0000328362_2761287_12_78_009_2876237820002.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:784
      • C:\Users\Admin\AppData\Local\Temp\1_1_kundencenter_mobilfunk_2014_11_de_0209_0000328362_2761287_12_78_009_2876237820002.exe
        C:\Users\Admin\AppData\Local\Temp\1_1_kundencenter_mobilfunk_2014_11_de_0209_0000328362_2761287_12_78_009_2876237820002.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2028
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS2476~1.BAT"
          4⤵
          • Deletes itself
          PID:936
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1312
    • C:\Windows\system32\taskhost.exe
      "taskhost.exe"
      1⤵
        PID:1232
      • C:\Windows\system32\conhost.exe
        \??\C:\Windows\system32\conhost.exe "-1886122406-464550938-1526366883731401244-1882839776-1779563711-310213314-1272719216"
        1⤵
          PID:1732

        Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Roaming\ms2476501.bat
                Filesize

                201B

                MD5

                411d7968d1a9327fb09f727f9f777fb8

                SHA1

                b73e33872463f285d5561f75b0614ec483e84cf1

                SHA256

                c0fed64d5f7582e5283399b642aa6eb9e56e60ad85cf369c87a410e33b552b13

                SHA512

                0702f9ff461ad81bc91194c8143eff20865888827daec0933200d68540aa96ed82928ffd6af22b0a227f4c227bf241e620f67c10575a7e1b1242342d3d9197a9

                Download Submit

              • memory/784-65-0x00000000002D0000-0x00000000002D4000-memory.dmp

                Filesize

                16KB

                Download

              • memory/784-54-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

                Filesize

                8KB

                Download

              • memory/936-80-0x00000000000F0000-0x0000000000104000-memory.dmp

                Filesize

                80KB

                Download

              • memory/1232-89-0x0000000001BC0000-0x0000000001BD7000-memory.dmp

                Filesize

                92KB

                Download

              • memory/1232-84-0x0000000036E90000-0x0000000036EA0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1312-85-0x0000000036E90000-0x0000000036EA0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1312-91-0x0000000001AC0000-0x0000000001AD7000-memory.dmp

                Filesize

                92KB

                Download

              • memory/1360-90-0x00000000026E0000-0x00000000026F7000-memory.dmp

                Filesize

                92KB

                Download

              • memory/1360-73-0x00000000026E0000-0x00000000026F7000-memory.dmp

                Filesize

                92KB

                Download

              • memory/1360-75-0x0000000036E90000-0x0000000036EA0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1732-86-0x0000000036E90000-0x0000000036EA0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1732-88-0x00000000000D0000-0x00000000000E7000-memory.dmp

                Filesize

                92KB

                Download

              • memory/2028-72-0x0000000000400000-0x0000000000412000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2028-60-0x0000000000400000-0x0000000000412000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2028-58-0x0000000000400000-0x0000000000412000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2028-62-0x0000000000400000-0x0000000000412000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2028-56-0x0000000000400000-0x0000000000412000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2028-55-0x0000000000400000-0x0000000000412000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2028-63-0x0000000000400000-0x0000000000412000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2028-67-0x0000000000400000-0x0000000000412000-memory.dmp

                Filesize

                72KB

                Download