Overview

overview

7

Static

static

Informatio...05.exe

windows7-x64

7

Informatio...05.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    24-11-2022 04:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Informationen_Kontobewegung_dezember_2014_de_20_8139_237_90109238_000129_000028_05.exe

  • Size

    204KB

  • MD5

    0fe1a6e23bb2accf9f57ba54b6002a2a

  • SHA1

    e6b336b3e3b1d9043260b46bf5858a78ae114fd6

  • SHA256

    58b48dc4fcff7d684c0a718a4475dc0b4b5ececa90b3d1e1092fccaf11399eb9

  • SHA512

    c5ccc5c4eb739440a1a439a08e3725c0646e3653410b16b6c548b99c3fa3c8bb8fb074d180a158dddfc89ec102a373ed12f347446d2e401bc021beebb013850d

  • SSDEEP

    3072:91FYqL5nh457wGZtUhxtGNC53yWMI++4V51iwhdlmBs1Z+cdn0t8+4I+VM:xYMw7wG3UTtfyU++Y51RldCh8+V+e

Score
7/10
persistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1160
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:1284
      • C:\Users\Admin\AppData\Local\Temp\Informationen_Kontobewegung_dezember_2014_de_20_8139_237_90109238_000129_000028_05.exe
        "C:\Users\Admin\AppData\Local\Temp\Informationen_Kontobewegung_dezember_2014_de_20_8139_237_90109238_000129_000028_05.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1940
        • C:\Users\Admin\AppData\Local\Temp\Informationen_Kontobewegung_dezember_2014_de_20_8139_237_90109238_000129_000028_05.exe
          C:\Users\Admin\AppData\Local\Temp\Informationen_Kontobewegung_dezember_2014_de_20_8139_237_90109238_000129_000028_05.exe
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1120
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS7994~1.BAT"
            4⤵
            • Deletes itself
            PID:1712
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1232
      • C:\Windows\system32\conhost.exe
        \??\C:\Windows\system32\conhost.exe "-52173057-845779721-1272490186544011411-637379126766886-698075115-885082895"
        1⤵
          PID:1200

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\ms7994488.bat
          Filesize

          201B

          MD5

          bef1b5a7ef349902d0a341dcf2a12b2f

          SHA1

          082627c5c23b580cc2b4e4b688d31ee567b289ca

          SHA256

          1254da712fc21356bd464caa834c8e857909bf03a97bb931705373823046037e

          SHA512

          02808653bfa9620072497f5ed502b9b1be0eef9cdb0c9cac2d8038b244c14a3c543b5e5977fd2a0e3397b5b10ddd4cef8e5edbc9bc49d77d251905376acf0172

          Download Submit
        • memory/1120-62-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/1120-60-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/1120-56-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/1120-63-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/1120-64-0x00000000004010C0-mapping.dmp
          Download
        • memory/1120-55-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/1120-67-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/1120-71-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/1120-58-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/1160-88-0x0000000000450000-0x0000000000467000-memory.dmp
          Filesize

          92KB

          Download
        • memory/1160-85-0x0000000036D50000-0x0000000036D60000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1232-86-0x0000000036D50000-0x0000000036D60000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1232-89-0x0000000001D40000-0x0000000001D57000-memory.dmp
          Filesize

          92KB

          Download
        • memory/1284-73-0x0000000002950000-0x0000000002967000-memory.dmp
          Filesize

          92KB

          Download
        • memory/1284-75-0x0000000036D50000-0x0000000036D60000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1284-87-0x0000000002950000-0x0000000002967000-memory.dmp
          Filesize

          92KB

          Download
        • memory/1284-90-0x0000000002950000-0x0000000002967000-memory.dmp
          Filesize

          92KB

          Download
        • memory/1712-80-0x0000000000260000-0x0000000000274000-memory.dmp
          Filesize

          80KB

          Download
        • memory/1712-72-0x0000000000000000-mapping.dmp
          Download
        • memory/1940-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1940-65-0x00000000001D0000-0x00000000001D4000-memory.dmp
          Filesize

          16KB

          Download