Overview

overview

7

Static

static

Informatio...05.exe

windows7-x64

7

Informatio...05.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    5s
  • max time network
    58s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2022 04:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Informationen_Kontobewegung_dezember_2014_de_20_8139_237_90109238_000129_000028_05.exe

  • Size

    156KB

  • MD5

    8e9111802bf368404c2a18222b3eb986

  • SHA1

    6a744fd5cab051d4f115a172e45d7bcb9c14c276

  • SHA256

    2c4ca41292c07252bb043dae7697a91c140ba9be82fac5cd62c9f9c802959e0d

  • SHA512

    67a24d236ccf08b55a0f83338f11022da506ae9c89920162e2e6ab7a79545839f3fe118adaf4d5602ce452f9192e81d380364519beb040767b9d11ed05322832

  • SSDEEP

    3072:N2VpC7emUS2JQM2bPcmdeXTQ+LuV0/9HQZl3a12+sq:kVpC6mUVJ3IpY9x1vh

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:3420
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
        PID:3740
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
          PID:3512
        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
          1⤵
            PID:3352
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
            1⤵
              PID:3252
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
              1⤵
                PID:764
              • C:\Windows\Explorer.EXE
                C:\Windows\Explorer.EXE
                1⤵
                • Adds Run key to start application
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2556
                • C:\Users\Admin\AppData\Local\Temp\Informationen_Kontobewegung_dezember_2014_de_20_8139_237_90109238_000129_000028_05.exe
                  "C:\Users\Admin\AppData\Local\Temp\Informationen_Kontobewegung_dezember_2014_de_20_8139_237_90109238_000129_000028_05.exe"
                  2⤵
                  • Suspicious use of SetThreadContext
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:2080
                  • C:\Users\Admin\AppData\Local\Temp\Informationen_Kontobewegung_dezember_2014_de_20_8139_237_90109238_000129_000028_05.exe
                    C:\Users\Admin\AppData\Local\Temp\Informationen_Kontobewegung_dezember_2014_de_20_8139_237_90109238_000129_000028_05.exe
                    3⤵
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3368
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\ms427862.bat"
                      4⤵
                        PID:372
                • C:\Windows\system32\taskhostw.exe
                  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                  1⤵
                    PID:2604
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                    1⤵
                      PID:2512
                    • C:\Windows\system32\sihost.exe
                      sihost.exe
                      1⤵
                        PID:2484
                      • C:\Windows\System32\Conhost.exe
                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        1⤵
                          PID:4484

                        Network

                        MITRE ATT&CK Enterprise v6

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • memory/372-137-0x0000000000000000-mapping.dmp

                          Download

                        • memory/2080-135-0x00000000022F0000-0x00000000022F4000-memory.dmp

                          Filesize

                          16KB

                          Download

                        • memory/3368-132-0x0000000000000000-mapping.dmp

                          Download

                        • memory/3368-133-0x0000000000400000-0x0000000000412000-memory.dmp

                          Filesize

                          72KB

                          Download

                        • memory/3368-136-0x0000000000400000-0x0000000000412000-memory.dmp

                          Filesize

                          72KB

                          Download