Analysis
max time kernel: 219s
max time network: 311s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 24-11-2022 04:06
Static task
static1
Behavioral task
behavioral1
Sample
de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
Resource
win10v2004-20221111-en
General
Target: de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
Size: 144KB
MD5: 738dd7cf1133cc2813a10813859e6e61
SHA1: dcfca6a60b767a64058e3d653a43789c1461e997
SHA256: 74e86d70cb60b9ca846a892d99570500ddf7f5d376f70cd0c3346edd29680d57
SHA512: 64edf119f1ee78f63deb5b41fe978cf57a05e09ce9f9597c12e29d21e718bdd8bdc717d5049c38cdb607e4d9db33a69df4c0f2aa06c3839043685d1be7b71389
SSDEEP: 3072:UD6NN25bPpA3chmH/qB8WJwy/mMeUbusnZCwzPAzswF1De7iyc:JfMTpR4/JWJJ/K3sn4Q4BaOv
Malware Config
Signatures
-
Deletes itself 1 IoCs
Processes:
cmd.exe
pid | process
268 | cmd.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Explorer.EXE
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run | Explorer.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\engtvbbi.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\engtvbbi.exe\"" | Explorer.EXE
Suspicious use of SetThreadContext 1 IoCs
Processes:
de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
description | pid | process | target process
PID 1644 set thread context of 572 | 1644 | de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe | de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes:
de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe, de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe, Explorer.EXE
pid | process
1644 | de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
572 | de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
572 | de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
1220 | Explorer.EXE
1220 | Explorer.EXE
1220 | Explorer.EXE
1220 | Explorer.EXE
1220 | Explorer.EXE
1220 | Explorer.EXE
1220 | Explorer.EXE
1220 | Explorer.EXE
1220 | Explorer.EXE
1220 | Explorer.EXE
1220 | Explorer.EXE
1220 | Explorer.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXE
pid | process
1220 | Explorer.EXE
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe, Explorer.EXE
description | pid | process
Token: SeDebugPrivilege | 572 | de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
Token: SeDebugPrivilege | 1220 | Explorer.EXE
Token: SeShutdownPrivilege | 1220 | Explorer.EXE
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
Explorer.EXE
pid | process
1220 | Explorer.EXE
1220 | Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
Explorer.EXE
pid | process
1220 | Explorer.EXE
1220 | Explorer.EXE
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
pid | process
1644 | de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
1644 | de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
Suspicious use of UnmapMainImage 1 IoCs
Processes:
Explorer.EXE
pid | process
1220 | Explorer.EXE
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe, de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe, Explorer.EXE
description | pid | process | target process
PID 1644 wrote to memory of 572 | 1644 | de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe | de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
PID 1644 wrote to memory of 572 | 1644 | de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe | de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
PID 1644 wrote to memory of 572 | 1644 | de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe | de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
PID 1644 wrote to memory of 572 | 1644 | de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe | de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
PID 1644 wrote to memory of 572 | 1644 | de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe | de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
PID 1644 wrote to memory of 572 | 1644 | de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe | de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
PID 1644 wrote to memory of 572 | 1644 | de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe | de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
PID 1644 wrote to memory of 572 | 1644 | de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe | de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
PID 1644 wrote to memory of 572 | 1644 | de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe | de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
PID 1644 wrote to memory of 572 | 1644 | de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe | de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
PID 572 wrote to memory of 268 | 572 | de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe | cmd.exe
PID 572 wrote to memory of 268 | 572 | de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe | cmd.exe
PID 572 wrote to memory of 268 | 572 | de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe | cmd.exe
PID 572 wrote to memory of 268 | 572 | de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe | cmd.exe
PID 572 wrote to memory of 1220 | 572 | de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe | Explorer.EXE
PID 1220 wrote to memory of 1124 | 1220 | Explorer.EXE | taskhost.exe
PID 1220 wrote to memory of 1192 | 1220 | Explorer.EXE | Dwm.exe
PID 1220 wrote to memory of 268 | 1220 | Explorer.EXE | cmd.exe
PID 1220 wrote to memory of 1824 | 1220 | Explorer.EXE | conhost.exe
Processes
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  PID:1124
- C:\Windows\system32\Dwm.exe
  "C:\Windows\system32\Dwm.exe"
  PID:1192
- C:\Windows\Explorer.EXE
  C:\Windows\Explorer.EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1220
  - C:\Users\Admin\AppData\Local\Temp\de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
    "C:\Users\Admin\AppData\Local\Temp\de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1644
    - C:\Users\Admin\AppData\Local\Temp\de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
      C:\Users\Admin\AppData\Local\Temp\de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID:572
      - C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS4245~1.BAT"
        - Deletes itself
        PID:268
- C:\Windows\system32\conhost.exe
  \??\C:\Windows\system32\conhost.exe "-206466952910009182051443862606-2019900898-274438460117664689620138439251583515217"
  PID:1824
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 201B
MD5: e778c7bc477b9c3b408964115bcfcee9
SHA1: 3871f8b20a5c7e748561410e6439d97ee384c3a0
SHA256: 05876e6468fbdf405a66c6087571f5422aa80ec91036ef846d7a53934bf683b0
SHA512: b3f73b22d2194b6dd0aa34a303d87416666d3bccfe76db48b95f4f62674be28c26fcb793872e5773677f302338ae8cb37c1213cc4274fb38320daa4dd8bf648f