Overview

overview

7

Static

static

de_0000239...98.exe

windows7-x64

7

de_0000239...98.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    24-11-2022 04:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe

  • Size

    164KB

  • MD5

    d84e5bbf8c16e91fec275230fa6de7a6

  • SHA1

    e4855f1d90ad6f0755988bf5f090dee9f3ca403e

  • SHA256

    674f447b67fa6481c04d7d4c7dc47ecc0d3956c0c7b9006c845efebbc8fb318f

  • SHA512

    4c3418c993eb0e0bf27106e672d2e2ba60ad0f1cb6c8ec1f85b6c5c6459e061c755ffd05cb887e0d6eecd48212ef55832f2189f0afe7be2e72ca67f30d0c534b

  • SSDEEP

    3072:ZJ/YG2oBFOU2IG7N1f0ufvLFz5+pWwW14Ih2M7XygCQJz9Jf+yY:ZJ/GoD/2VN1fpfTv+Iv14IhrzyFQt

Score
7/10
persistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1372
    • C:\Users\Admin\AppData\Local\Temp\de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
      "C:\Users\Admin\AppData\Local\Temp\de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1748
      • C:\Users\Admin\AppData\Local\Temp\de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
        C:\Users\Admin\AppData\Local\Temp\de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1896
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS8537~1.BAT"
          4⤵
          • Deletes itself
          PID:268
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1308
    • C:\Windows\system32\taskhost.exe
      "taskhost.exe"
      1⤵
        PID:1220
      • C:\Windows\system32\conhost.exe
        \??\C:\Windows\system32\conhost.exe "1571142422104090930-2120642074-11038775433869254981974615941-1330608406-1523196807"
        1⤵
          PID:1280

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\ms8537768.bat
          Filesize

          201B

          MD5

          9b00ea31d43b64fe28d1662c57e769ee

          SHA1

          01e74223dc979c478ea5116d1b3ed54c80f39282

          SHA256

          ece1868884296fe670cff49a71810ca0ac8898d0d7ebadc524599a100eadbee5

          SHA512

          d50c1295cb4359235074972bf4568069f0fc9db6e9ff6f673736c7be5ac76eeb83eb33bd8724a4e9f0aee46c5087374aaf53244d9f236b1e337502bd9511efb7

          Download Submit
        • memory/268-92-0x0000000037A00000-0x0000000037A10000-memory.dmp
          Filesize

          64KB

          Download
        • memory/268-82-0x00000000001B0000-0x00000000001C4000-memory.dmp
          Filesize

          80KB

          Download
        • memory/268-93-0x0000000000210000-0x0000000000224000-memory.dmp
          Filesize

          80KB

          Download
        • memory/268-71-0x0000000000000000-mapping.dmp
          Download
        • memory/1220-85-0x0000000037850000-0x0000000037860000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1220-95-0x0000000000210000-0x0000000000227000-memory.dmp
          Filesize

          92KB

          Download
        • memory/1280-94-0x00000000001F0000-0x0000000000207000-memory.dmp
          Filesize

          92KB

          Download
        • memory/1308-89-0x0000000037850000-0x0000000037860000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1308-96-0x00000000001B0000-0x00000000001C7000-memory.dmp
          Filesize

          92KB

          Download
        • memory/1372-72-0x0000000002230000-0x0000000002247000-memory.dmp
          Filesize

          92KB

          Download
        • memory/1372-76-0x0000000002230000-0x0000000002247000-memory.dmp
          Filesize

          92KB

          Download
        • memory/1372-74-0x0000000037850000-0x0000000037860000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1372-97-0x0000000002230000-0x0000000002247000-memory.dmp
          Filesize

          92KB

          Download
        • memory/1748-65-0x0000000000370000-0x0000000000374000-memory.dmp
          Filesize

          16KB

          Download
        • memory/1748-54-0x0000000076691000-0x0000000076693000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1896-63-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/1896-75-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/1896-67-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/1896-64-0x00000000004010C0-mapping.dmp
          Download
        • memory/1896-62-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/1896-60-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/1896-58-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/1896-56-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/1896-55-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download