Overview

overview

7

Static

static

de_0000239...98.exe

windows7-x64

7

de_0000239...98.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    148s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2022 04:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe

  • Size

    212KB

  • MD5

    f196726cb3ad205c35e6774f2dfc506d

  • SHA1

    3509d67230073720cd38cc5e430a6166263388c6

  • SHA256

    f3ec41acbd141572f40d6f62a2838325980d255ea17490767851bfa250e645e7

  • SHA512

    2e90a2c7ac3475ae70b41a616861ed8193ac21d95a4ad61c505d9f206645b47dc35e7ac6968bc107e1cc32a115cc2e5d2217ef06af7e8501a7989a8603e930b5

  • SSDEEP

    3072:52V3AKem3MIsNLH51FJNv4ObPCdYZcV/x6xc3AmBsB6ExmOJ85Ja:AV3Alm7sNLZLJNwCl8x93AdUEJ3

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    1⤵
      PID:2424
    • C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      1⤵
        PID:3248
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 3248 -s 668
          2⤵
          • Program crash
          PID:1652
      • C:\Windows\System32\RuntimeBroker.exe
        C:\Windows\System32\RuntimeBroker.exe -Embedding
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3412
      • C:\Windows\System32\RuntimeBroker.exe
        C:\Windows\System32\RuntimeBroker.exe -Embedding
        1⤵
          PID:3840
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
            PID:3500
          • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
            "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
            1⤵
              PID:3348
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
              1⤵
                PID:768
              • C:\Windows\System32\RuntimeBroker.exe
                C:\Windows\System32\RuntimeBroker.exe -Embedding
                1⤵
                  PID:4896
                • C:\Windows\Explorer.EXE
                  C:\Windows\Explorer.EXE
                  1⤵
                  • Adds Run key to start application
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3048
                  • C:\Users\Admin\AppData\Local\Temp\de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
                    "C:\Users\Admin\AppData\Local\Temp\de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe"
                    2⤵
                    • Suspicious use of SetThreadContext
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of SetWindowsHookEx
                    • Suspicious use of WriteProcessMemory
                    PID:428
                    • C:\Users\Admin\AppData\Local\Temp\de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
                      C:\Users\Admin\AppData\Local\Temp\de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
                      3⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:5068
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS7157~1.BAT"
                        4⤵
                          PID:4364
                          • C:\Windows\System32\Conhost.exe
                            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            5⤵
                              PID:5104
                    • C:\Windows\system32\sihost.exe
                      sihost.exe
                      1⤵
                        PID:2324
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                        1⤵
                          PID:2308
                        • C:\Windows\system32\WerFault.exe
                          C:\Windows\system32\WerFault.exe -pss -s 428 -p 3248 -ip 3248
                          1⤵
                            PID:2608

                          Network

                          MITRE ATT&CK Matrix ATT&CK v6

                          Initial Access

                          Execution

                          Persistence

                          Registry Run Keys / Startup Folder

                          1
                          T1060

                          Privilege Escalation

                          Defense Evasion

                          Modify Registry

                          1
                          T1112

                          Credential Access

                          Discovery

                          Lateral Movement

                          Collection

                          Exfiltration

                          Command and Control

                          Impact

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Roaming\ms7157572.bat
                            Filesize

                            201B

                            MD5

                            3d1f983c38c84d09607a361a52953963

                            SHA1

                            740f548b8f8129c8e7859454a4b88b3bbd9c5a45

                            SHA256

                            fe8c77c16bc361b34fe2a6964305ee7448851742604b114efda2197399c7fba6

                            SHA512

                            9970da3abb98c413d3ffe5cee6551c3cdba9607dfd86d385d075c72a9ae0f4784cbbbe6fdae6c3cf3fd8120a81335bdf28f9ed59b8bb18708961a267cde88d06

                            Download Submit
                          • memory/428-132-0x0000000002320000-0x0000000002324000-memory.dmp
                            Filesize

                            16KB

                            Download
                          • memory/768-158-0x0000016307D40000-0x0000016307D57000-memory.dmp
                            Filesize

                            92KB

                            Download
                          • memory/768-144-0x00007FFEB8610000-0x00007FFEB8620000-memory.dmp
                            Filesize

                            64KB

                            Download
                          • memory/2308-154-0x000001F9B6940000-0x000001F9B6957000-memory.dmp
                            Filesize

                            92KB

                            Download
                          • memory/2308-141-0x00007FFEB8610000-0x00007FFEB8620000-memory.dmp
                            Filesize

                            64KB

                            Download
                          • memory/2324-142-0x00007FFEB8610000-0x00007FFEB8620000-memory.dmp
                            Filesize

                            64KB

                            Download
                          • memory/2324-156-0x0000019AF4700000-0x0000019AF4717000-memory.dmp
                            Filesize

                            92KB

                            Download
                          • memory/2424-157-0x000002A4D16A0000-0x000002A4D16B7000-memory.dmp
                            Filesize

                            92KB

                            Download
                          • memory/2424-143-0x00007FFEB8610000-0x00007FFEB8620000-memory.dmp
                            Filesize

                            64KB

                            Download
                          • memory/3048-155-0x0000000000410000-0x0000000000427000-memory.dmp
                            Filesize

                            92KB

                            Download
                          • memory/3048-163-0x0000000000410000-0x0000000000427000-memory.dmp
                            Filesize

                            92KB

                            Download
                          • memory/3048-140-0x00007FFEB8610000-0x00007FFEB8620000-memory.dmp
                            Filesize

                            64KB

                            Download
                          • memory/3348-160-0x0000019732BE0000-0x0000019732BF7000-memory.dmp
                            Filesize

                            92KB

                            Download
                          • memory/3348-146-0x00007FFEB8610000-0x00007FFEB8620000-memory.dmp
                            Filesize

                            64KB

                            Download
                          • memory/3412-145-0x00007FFEB8610000-0x00007FFEB8620000-memory.dmp
                            Filesize

                            64KB

                            Download
                          • memory/3412-159-0x0000015951E40000-0x0000015951E57000-memory.dmp
                            Filesize

                            92KB

                            Download
                          • memory/3840-148-0x00007FFEB8610000-0x00007FFEB8620000-memory.dmp
                            Filesize

                            64KB

                            Download
                          • memory/3840-162-0x0000016A47180000-0x0000016A47197000-memory.dmp
                            Filesize

                            92KB

                            Download
                          • memory/4364-138-0x0000000000000000-mapping.dmp
                            Download
                          • memory/4364-150-0x0000000037BF0000-0x0000000037C00000-memory.dmp
                            Filesize

                            64KB

                            Download
                          • memory/4364-152-0x00000000004C0000-0x00000000004D4000-memory.dmp
                            Filesize

                            80KB

                            Download
                          • memory/4896-147-0x00007FFEB8610000-0x00007FFEB8620000-memory.dmp
                            Filesize

                            64KB

                            Download
                          • memory/4896-161-0x00000264AD570000-0x00000264AD587000-memory.dmp
                            Filesize

                            92KB

                            Download
                          • memory/5068-139-0x0000000000400000-0x0000000000412000-memory.dmp
                            Filesize

                            72KB

                            Download
                          • memory/5068-137-0x0000000000400000-0x0000000000412000-memory.dmp
                            Filesize

                            72KB

                            Download
                          • memory/5068-136-0x0000000000400000-0x0000000000412000-memory.dmp
                            Filesize

                            72KB

                            Download
                          • memory/5068-134-0x0000000000400000-0x0000000000412000-memory.dmp
                            Filesize

                            72KB

                            Download
                          • memory/5068-133-0x0000000000000000-mapping.dmp
                            Download
                          • memory/5104-153-0x000001A6F0600000-0x000001A6F0617000-memory.dmp
                            Filesize

                            92KB

                            Download
                          • memory/5104-149-0x00007FFEB8610000-0x00007FFEB8620000-memory.dmp
                            Filesize

                            64KB

                            Download