Overview

overview

7

Static

static

2014_11_tr...01.exe

windows7-x64

7

2014_11_tr...01.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    152s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2022 04:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe

  • Size

    172KB

  • MD5

    c06b551f110824f92f7dd6e1e286338b

  • SHA1

    b1451aabe43b20ddfe11ba08cda0716a47cf9fe6

  • SHA256

    0fdc5af087744ec47f94d6d98b05c2f018a5b16bb097a7826f096bc6f7ffd92f

  • SHA512

    4ae0cee0c75e61be40d33635b658d3ea0e074b7f4246a037da60ee6075906583b532236e41e1a3910684b9d8b71fecbcdadc1f9249bacf94b7726818cfbdc576

  • SSDEEP

    3072:Lw0CwITzueTD9d0h06Up164tnYx82gGtjdkruyjn:LwYuzue/9+hpK8i4IGtj4

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2364
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3452
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
        PID:3384
      • C:\Windows\system32\DllHost.exe
        C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
        1⤵
          PID:3296
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 3296 -s 356
            2⤵
            • Program crash
            PID:804
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
            PID:3536
          • C:\Windows\System32\RuntimeBroker.exe
            C:\Windows\System32\RuntimeBroker.exe -Embedding
            1⤵
              PID:4708
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
                PID:3736
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                1⤵
                  PID:3128
                • C:\Windows\Explorer.EXE
                  C:\Windows\Explorer.EXE
                  1⤵
                  • Adds Run key to start application
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2864
                  • C:\Users\Admin\AppData\Local\Temp\2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe
                    "C:\Users\Admin\AppData\Local\Temp\2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe"
                    2⤵
                    • Suspicious use of SetThreadContext
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of SetWindowsHookEx
                    • Suspicious use of WriteProcessMemory
                    PID:1640
                    • C:\Users\Admin\AppData\Local\Temp\2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe
                      C:\Users\Admin\AppData\Local\Temp\2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe
                      3⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3160
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\ms115219.bat"
                        4⤵
                          PID:4956
                  • C:\Windows\system32\taskhostw.exe
                    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                    1⤵
                      PID:2516
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                      1⤵
                        PID:2404
                      • C:\Windows\system32\WerFault.exe
                        C:\Windows\system32\WerFault.exe -pss -s 424 -p 3296 -ip 3296
                        1⤵
                          PID:1648

                        Network

                        MITRE ATT&CK Enterprise v6

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Roaming\ms115219.bat
                          Filesize

                          201B

                          MD5

                          6493f183376f143656179b6b3aa5bcfe

                          SHA1

                          5bcb753bfb17572b7f8d354c43e263375f92c3d9

                          SHA256

                          4e92f94d632ac4221a3729acc15cc7f7377c3600b3bb38d94f47fbda02ddf80c

                          SHA512

                          4813b9a86d59dc0ad3812ea73190e5fbb65462ab9715fceb83efd0b17da3d8dfea62c40712f3eeb974c2b04eeb9ec3a2338542bace16e88223cb7e0b9d5f8e40

                          Download Submit

                        • memory/1640-132-0x0000000001430000-0x0000000001434000-memory.dmp

                          Filesize

                          16KB

                          Download

                        • memory/2364-141-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/2364-153-0x000001E4B2250000-0x000001E4B2267000-memory.dmp

                          Filesize

                          92KB

                          Download

                        • memory/2404-142-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/2404-154-0x000001F2E0B50000-0x000001F2E0B67000-memory.dmp

                          Filesize

                          92KB

                          Download

                        • memory/2516-155-0x000001DD74520000-0x000001DD74537000-memory.dmp

                          Filesize

                          92KB

                          Download

                        • memory/2516-143-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/2864-140-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/2864-161-0x00000000004D0000-0x00000000004E7000-memory.dmp

                          Filesize

                          92KB

                          Download

                        • memory/2864-152-0x00000000004D0000-0x00000000004E7000-memory.dmp

                          Filesize

                          92KB

                          Download

                        • memory/3128-156-0x000001F2D58F0000-0x000001F2D5907000-memory.dmp

                          Filesize

                          92KB

                          Download

                        • memory/3128-144-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/3160-139-0x0000000000400000-0x0000000000412000-memory.dmp

                          Filesize

                          72KB

                          Download

                        • memory/3160-136-0x0000000000400000-0x0000000000412000-memory.dmp

                          Filesize

                          72KB

                          Download

                        • memory/3160-133-0x0000000000000000-mapping.dmp

                          Download

                        • memory/3160-134-0x0000000000400000-0x0000000000412000-memory.dmp

                          Filesize

                          72KB

                          Download

                        • memory/3160-137-0x0000000000400000-0x0000000000412000-memory.dmp

                          Filesize

                          72KB

                          Download

                        • memory/3384-157-0x000002BD52C80000-0x000002BD52C97000-memory.dmp

                          Filesize

                          92KB

                          Download

                        • memory/3384-146-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/3452-145-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/3452-158-0x0000029FC3BD0000-0x0000029FC3BE7000-memory.dmp

                          Filesize

                          92KB

                          Download

                        • memory/3736-147-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/3736-159-0x00000294A2940000-0x00000294A2957000-memory.dmp

                          Filesize

                          92KB

                          Download

                        • memory/4708-148-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/4708-160-0x000001DBD7FC0000-0x000001DBD7FD7000-memory.dmp

                          Filesize

                          92KB

                          Download

                        • memory/4956-138-0x0000000000000000-mapping.dmp

                          Download

                        • memory/4956-151-0x0000000000700000-0x0000000000714000-memory.dmp

                          Filesize

                          80KB

                          Download

                        • memory/4956-149-0x0000000037340000-0x0000000037350000-memory.dmp

                          Filesize

                          64KB

                          Download