Overview

overview

7

Static

static

de_0000239...98.exe

windows7-x64

7

de_0000239...98.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    150s
  • max time network
    158s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    24-11-2022 04:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe

  • Size

    204KB

  • MD5

    d482374e81b35c6b2bba6ee71315e382

  • SHA1

    c20efcbc5aa311b5ffb7fc18c97fccad043c22dc

  • SHA256

    cd3666f7ddcc5c720f86402b0b6fb2c81fe21827b0a4eecbba1961b896b7590d

  • SHA512

    cca3c24eac21967a98673ef921899373dc931b05318f0111fefdcadc84db193828dde56e9c47eb4a24877fb1c005fba8b04aa9a21b47751b79d72dfbc90bbf84

  • SSDEEP

    3072:2TNLneeBJ6hERwOPPB+vziPhtMCpPQKSXmLSScrE7SNZmZUNHs4j:+LnehdQgWDMCtb5LSSc/2Z4j

Score
7/10
persistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1196
    • C:\Users\Admin\AppData\Local\Temp\de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
      "C:\Users\Admin\AppData\Local\Temp\de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1780
      • C:\Users\Admin\AppData\Local\Temp\de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
        C:\Users\Admin\AppData\Local\Temp\de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2040
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS7994~1.BAT"
          4⤵
          • Deletes itself
          PID:1500
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1164
    • C:\Windows\system32\taskhost.exe
      "taskhost.exe"
      1⤵
        PID:1120
      • C:\Windows\system32\conhost.exe
        \??\C:\Windows\system32\conhost.exe "525894199-8784050752104368582354203914-2135414366-482009578-1575706309406367765"
        1⤵
          PID:852

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\ms7994488.bat
          Filesize

          201B

          MD5

          b1d02fa53b7dfd73520f668c88a92fe1

          SHA1

          5766bfcf0cfa6e17eb7b7a285b88309181e2106d

          SHA256

          cdb89071de5cb1a2810003e3c758db6c03d2181a2074348d2f3b34dbb5d77de8

          SHA512

          4a954929fa6d50560de024eefb23d70bd5009c7207702325dcf0b90b6f4b7f388fff8256cc1a5438c3b99a9ce7d7328f270cfe76785235f5bfee411ef8f869f3

          Download Submit

        • memory/852-90-0x00000000000D0000-0x00000000000E7000-memory.dmp

          Filesize

          92KB

          Download

        • memory/852-89-0x0000000037BE0000-0x0000000037BF0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1120-88-0x0000000037BE0000-0x0000000037BF0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1120-92-0x0000000001B40000-0x0000000001B57000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1164-93-0x00000000001A0000-0x00000000001B7000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1164-86-0x0000000037BE0000-0x0000000037BF0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1196-91-0x0000000001DD0000-0x0000000001DE7000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1196-94-0x0000000001DD0000-0x0000000001DE7000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1196-72-0x0000000001DD0000-0x0000000001DE7000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1196-75-0x0000000037BE0000-0x0000000037BF0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1500-71-0x0000000000000000-mapping.dmp

          Download

        • memory/1500-80-0x00000000000F0000-0x0000000000104000-memory.dmp

          Filesize

          80KB

          Download

        • memory/1780-65-0x0000000000E20000-0x0000000000E24000-memory.dmp

          Filesize

          16KB

          Download

        • memory/1780-54-0x00000000762F1000-0x00000000762F3000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2040-64-0x00000000004010C0-mapping.dmp

          Download

        • memory/2040-74-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2040-67-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2040-62-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2040-63-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2040-60-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2040-58-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2040-56-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2040-55-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download