Overview

overview

7

Static

static

de_0000239...98.exe

windows7-x64

7

de_0000239...98.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    150s
  • max time network
    192s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    24-11-2022 04:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe

  • Size

    164KB

  • MD5

    e28d0c6fd513c1e54b9d94b8f88ccbf4

  • SHA1

    c2a716460f2a187f068e7b832d128179a6f471a8

  • SHA256

    a82767b36e38a43131ae34bd0e6b650398f8769b14c7e46343675287c7c2b422

  • SHA512

    8dbbebed2c3bfe915a798d70815e0f4cd0a9b9035c98f8dc9e60d05f6efb9f1852ec2b7db47e503396c3206207c7289c1fb20a94a4dbfe267e9886e78ada60be

  • SSDEEP

    3072:xJ/YG2oBFuE6q+I9jN/mdUMNqypfu6M5HPMW+dpkGj8qOD9Jf+yY:xJ/GoDVZOmMNRA6M2wqOD

Score
7/10
persistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1120
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:1244
      • C:\Users\Admin\AppData\Local\Temp\de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
        "C:\Users\Admin\AppData\Local\Temp\de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1632
        • C:\Users\Admin\AppData\Local\Temp\de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
          C:\Users\Admin\AppData\Local\Temp\de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1648
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS9522~1.BAT"
            4⤵
            • Deletes itself
            PID:1068
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1200

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\ms9522115.bat
        Filesize

        201B

        MD5

        13565054bc6397b9f40e8d6b116f9ab0

        SHA1

        1a9abdb6006924f05cf214abc6ce72f0eb3fa2cc

        SHA256

        bac29c9e61b01a9ba7da5ba41e7128b938a06f687ef362f30f9faff6e8512ffe

        SHA512

        f60acba83b548a7da801f14d1871ff6b982d8ca436b770dfc50e94871fed2657603a87ea692e4dc58ecbe53fc321018d9328eeb796591db00459846b45efb0da

        Download Submit

      • memory/1068-71-0x0000000000000000-mapping.dmp

        Download

      • memory/1120-85-0x0000000000220000-0x0000000000237000-memory.dmp

        Filesize

        92KB

        Download

      • memory/1120-82-0x0000000037010000-0x0000000037020000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1200-86-0x0000000001BA0000-0x0000000001BB7000-memory.dmp

        Filesize

        92KB

        Download

      • memory/1200-84-0x0000000037010000-0x0000000037020000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1244-72-0x0000000002130000-0x0000000002147000-memory.dmp

        Filesize

        92KB

        Download

      • memory/1244-83-0x0000000002130000-0x0000000002147000-memory.dmp

        Filesize

        92KB

        Download

      • memory/1244-75-0x0000000037010000-0x0000000037020000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1632-54-0x00000000757B1000-0x00000000757B3000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1632-65-0x0000000000270000-0x0000000000274000-memory.dmp

        Filesize

        16KB

        Download

      • memory/1648-56-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1648-67-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1648-74-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1648-62-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1648-55-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1648-58-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1648-63-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1648-64-0x00000000004010C0-mapping.dmp

        Download

      • memory/1648-60-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download