Analysis
-
max time kernel
148s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
24-11-2022 04:08
General
-
Target
ihre_rechnung_11_2014_02_45_001_033_756_938923002_2210500407_3_0_5_22_29_9002_002001028.exe
-
Size
164KB
-
MD5
e28d0c6fd513c1e54b9d94b8f88ccbf4
-
SHA1
c2a716460f2a187f068e7b832d128179a6f471a8
-
SHA256
a82767b36e38a43131ae34bd0e6b650398f8769b14c7e46343675287c7c2b422
-
SHA512
8dbbebed2c3bfe915a798d70815e0f4cd0a9b9035c98f8dc9e60d05f6efb9f1852ec2b7db47e503396c3206207c7289c1fb20a94a4dbfe267e9886e78ada60be
-
SSDEEP
3072:xJ/YG2oBFuE6q+I9jN/mdUMNqypfu6M5HPMW+dpkGj8qOD9Jf+yY:xJ/GoDVZOmMNRA6M2wqOD
Score
6/10
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 26 IoCs
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ihre_rechnung_11_2014_02_45_001_033_756_938923002_2210500407_3_0_5_22_29_9002_002001028.exe"C:\Users\Admin\AppData\Local\Temp\ihre_rechnung_11_2014_02_45_001_033_756_938923002_2210500407_3_0_5_22_29_9002_002001028.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ihre_rechnung_11_2014_02_45_001_033_756_938923002_2210500407_3_0_5_22_29_9002_002001028.exeC:\Users\Admin\AppData\Local\Temp\ihre_rechnung_11_2014_02_45_001_033_756_938923002_2210500407_3_0_5_22_29_9002_002001028.exe3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS9013~1.BAT"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3392 -s 9602⤵
- Program crash
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 432 -p 3392 -ip 33921⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\ms9013006.batFilesize
201B
MD5fa93d42753cc06b034f1fbcc34f42cc0
SHA142683525c2ab017cbe8ce64d3f67b6eb796363ed
SHA25658b9ca2b50fad9f01a4d84bb6cb57cbc5c208875718b42605903f8fb73fb0006
SHA51258b25867d8bb98e2250a5ae0603c19467d7e609082a3a03f63e1951d990af853ed496f9999684a3c91e8b28b547312132f877d2f5ce44176b2b27b6c430c98f5
-
memory/1996-163-0x0000000000E20000-0x0000000000E37000-memory.dmpFilesize
92KB
-
memory/1996-138-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmpFilesize
64KB
-
memory/1996-150-0x0000000000E20000-0x0000000000E37000-memory.dmpFilesize
92KB
-
memory/2360-140-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmpFilesize
64KB
-
memory/2360-162-0x0000021A404E0000-0x0000021A404F7000-memory.dmpFilesize
92KB
-
memory/2360-146-0x0000021A404E0000-0x0000021A404F7000-memory.dmpFilesize
92KB
-
memory/2384-151-0x000001D1C67D0000-0x000001D1C67E7000-memory.dmpFilesize
92KB
-
memory/2384-141-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmpFilesize
64KB
-
memory/2508-152-0x0000021AD4910000-0x0000021AD4927000-memory.dmpFilesize
92KB
-
memory/2508-142-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmpFilesize
64KB
-
memory/3196-143-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmpFilesize
64KB
-
memory/3196-153-0x0000016A2CC00000-0x0000016A2CC17000-memory.dmpFilesize
92KB
-
memory/3492-154-0x0000023A34BD0000-0x0000023A34BE7000-memory.dmpFilesize
92KB
-
memory/3492-144-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmpFilesize
64KB
-
memory/3624-155-0x00000234CE130000-0x00000234CE147000-memory.dmpFilesize
92KB
-
memory/3624-145-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmpFilesize
64KB
-
memory/3964-156-0x0000029D3AF50000-0x0000029D3AF67000-memory.dmpFilesize
92KB
-
memory/3964-147-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmpFilesize
64KB
-
memory/4348-137-0x0000000000000000-mapping.dmp
-
memory/4348-161-0x0000000000AA0000-0x0000000000AB4000-memory.dmpFilesize
80KB
-
memory/4348-159-0x0000000037150000-0x0000000037160000-memory.dmpFilesize
64KB
-
memory/4436-135-0x0000000003920000-0x0000000003924000-memory.dmpFilesize
16KB
-
memory/4856-148-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmpFilesize
64KB
-
memory/4856-157-0x0000027516F40000-0x0000027516F57000-memory.dmpFilesize
92KB
-
memory/4980-158-0x000001FF8F3D0000-0x000001FF8F3E7000-memory.dmpFilesize
92KB
-
memory/4980-149-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmpFilesize
64KB
-
memory/5056-139-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/5056-136-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/5056-132-0x0000000000000000-mapping.dmp
-
memory/5056-133-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB