Overview

overview

7

Static

static

de_0000239...98.exe

windows7-x64

7

de_0000239...98.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    219s
  • max time network
    311s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    24-11-2022 04:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe

  • Size

    144KB

  • MD5

    738dd7cf1133cc2813a10813859e6e61

  • SHA1

    dcfca6a60b767a64058e3d653a43789c1461e997

  • SHA256

    74e86d70cb60b9ca846a892d99570500ddf7f5d376f70cd0c3346edd29680d57

  • SHA512

    64edf119f1ee78f63deb5b41fe978cf57a05e09ce9f9597c12e29d21e718bdd8bdc717d5049c38cdb607e4d9db33a69df4c0f2aa06c3839043685d1be7b71389

  • SSDEEP

    3072:UD6NN25bPpA3chmH/qB8WJwy/mMeUbusnZCwzPAzswF1De7iyc:JfMTpR4/JWJJ/K3sn4Q4BaOv

Score
7/10
persistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1124
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1192
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:1220
        • C:\Users\Admin\AppData\Local\Temp\de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
          "C:\Users\Admin\AppData\Local\Temp\de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1644
          • C:\Users\Admin\AppData\Local\Temp\de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
            C:\Users\Admin\AppData\Local\Temp\de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:572
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS4245~1.BAT"
              4⤵
              • Deletes itself
              PID:268
      • C:\Windows\system32\conhost.exe
        \??\C:\Windows\system32\conhost.exe "-206466952910009182051443862606-2019900898-274438460117664689620138439251583515217"
        1⤵
          PID:1824

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\ms4245398.bat
          Filesize

          201B

          MD5

          e778c7bc477b9c3b408964115bcfcee9

          SHA1

          3871f8b20a5c7e748561410e6439d97ee384c3a0

          SHA256

          05876e6468fbdf405a66c6087571f5422aa80ec91036ef846d7a53934bf683b0

          SHA512

          b3f73b22d2194b6dd0aa34a303d87416666d3bccfe76db48b95f4f62674be28c26fcb793872e5773677f302338ae8cb37c1213cc4274fb38320daa4dd8bf648f

          Download Submit
        • memory/268-71-0x0000000000000000-mapping.dmp
          Download
        • memory/268-89-0x0000000000500000-0x0000000000514000-memory.dmp
          Filesize

          80KB

          Download
        • memory/268-87-0x0000000037850000-0x0000000037860000-memory.dmp
          Filesize

          64KB

          Download
        • memory/268-81-0x0000000000500000-0x0000000000514000-memory.dmp
          Filesize

          80KB

          Download
        • memory/572-63-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/572-56-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/572-64-0x00000000004010C0-mapping.dmp
          Download
        • memory/572-55-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/572-67-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/572-62-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/572-58-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/572-74-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/572-60-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/1124-85-0x00000000376A0000-0x00000000376B0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1124-91-0x0000000001BC0000-0x0000000001BD7000-memory.dmp
          Filesize

          92KB

          Download
        • memory/1192-86-0x00000000376A0000-0x00000000376B0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1192-93-0x0000000001B60000-0x0000000001B77000-memory.dmp
          Filesize

          92KB

          Download
        • memory/1220-75-0x00000000376A0000-0x00000000376B0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1220-72-0x00000000025E0000-0x00000000025F7000-memory.dmp
          Filesize

          92KB

          Download
        • memory/1220-92-0x00000000025E0000-0x00000000025F7000-memory.dmp
          Filesize

          92KB

          Download
        • memory/1644-54-0x00000000767C1000-0x00000000767C3000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1644-65-0x0000000000240000-0x0000000000244000-memory.dmp
          Filesize

          16KB

          Download
        • memory/1824-88-0x00000000376A0000-0x00000000376B0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1824-90-0x0000000000090000-0x00000000000A7000-memory.dmp
          Filesize

          92KB

          Download