Analysis
-
max time kernel
156s -
max time network
164s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
24-11-2022 04:16
General
-
Target
2014_11_rechnung_1_1_000309399002_4884_9849_00483_00222_0039459856_29392_000000002008.exe
-
Size
168KB
-
MD5
03bbe5696e292a27becc2197f1024a16
-
SHA1
59802f9b918bed69eaf113f1ab24698bd46392d0
-
SHA256
6452bb100340136bacfe46a6c14d211f409144fe0919768fde8feb52536583a5
-
SHA512
36b8b3f166e87aa9c34401159dc16d0f757d1750a66bfe580e754677c59666c000a8c92484dec025ab8ec379096e24271435f25fb9e507a36d31bfc70f1bd270
-
SSDEEP
3072:2dLyZlwEyKcoO29Y5eCPN2bViTphJP12EFs+NLVgu2TVAOWX:oLaw7F3CY5e+CVi/yEXlVh2hk
Score
6/10
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3344 -s 8482⤵
- Program crash
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2014_11_rechnung_1_1_000309399002_4884_9849_00483_00222_0039459856_29392_000000002008.exe"C:\Users\Admin\AppData\Local\Temp\2014_11_rechnung_1_1_000309399002_4884_9849_00483_00222_0039459856_29392_000000002008.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2014_11_rechnung_1_1_000309399002_4884_9849_00483_00222_0039459856_29392_000000002008.exeC:\Users\Admin\AppData\Local\Temp\2014_11_rechnung_1_1_000309399002_4884_9849_00483_00222_0039459856_29392_000000002008.exe3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS2452~1.BAT"4⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 408 -p 3344 -ip 33441⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\ms2452192.batFilesize
201B
MD56737233d60cf386c54a490beef576a41
SHA12f99f452bc90829150d171c4352602501e93e6d6
SHA256f83bb9cd6a110b855a195bf348ccb0c76cfaafd9992801b6c6ceaf059bcacfe4
SHA512a356344a271d1604834b6ae36742d1292499b76ac204e27849cfd92787a198eeb682a3d008fdcabd6b08c15fb9288357eeaca680768f9f185aaf1a25b753502e
-
memory/1596-138-0x0000000000000000-mapping.dmp
-
memory/1596-149-0x00000000373E0000-0x00000000373F0000-memory.dmpFilesize
64KB
-
memory/1596-151-0x00000000007B0000-0x00000000007C4000-memory.dmpFilesize
80KB
-
memory/2320-154-0x000001C2D5D00000-0x000001C2D5D17000-memory.dmpFilesize
92KB
-
memory/2320-146-0x00007FFA96230000-0x00007FFA96240000-memory.dmpFilesize
64KB
-
memory/2352-152-0x0000026CF5340000-0x0000026CF5357000-memory.dmpFilesize
92KB
-
memory/2352-141-0x00007FFA96230000-0x00007FFA96240000-memory.dmpFilesize
64KB
-
memory/2420-142-0x00007FFA96230000-0x00007FFA96240000-memory.dmpFilesize
64KB
-
memory/2420-155-0x000001A93E6C0000-0x000001A93E6D7000-memory.dmpFilesize
92KB
-
memory/2824-153-0x00000000012F0000-0x0000000001307000-memory.dmpFilesize
92KB
-
memory/2824-139-0x00007FFA96230000-0x00007FFA96240000-memory.dmpFilesize
64KB
-
memory/2824-161-0x00000000012F0000-0x0000000001307000-memory.dmpFilesize
92KB
-
memory/3140-143-0x00007FFA96230000-0x00007FFA96240000-memory.dmpFilesize
64KB
-
memory/3140-156-0x000001BC553C0000-0x000001BC553D7000-memory.dmpFilesize
92KB
-
memory/3444-145-0x00007FFA96230000-0x00007FFA96240000-memory.dmpFilesize
64KB
-
memory/3444-158-0x000001C182840000-0x000001C182857000-memory.dmpFilesize
92KB
-
memory/3564-157-0x00000250AFA90000-0x00000250AFAA7000-memory.dmpFilesize
92KB
-
memory/3564-144-0x00007FFA96230000-0x00007FFA96240000-memory.dmpFilesize
64KB
-
memory/3660-137-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3660-136-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3660-134-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3660-140-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3660-133-0x0000000000000000-mapping.dmp
-
memory/3876-148-0x00007FFA96230000-0x00007FFA96240000-memory.dmpFilesize
64KB
-
memory/3876-160-0x0000025401F30000-0x0000025401F47000-memory.dmpFilesize
92KB
-
memory/4784-147-0x00007FFA96230000-0x00007FFA96240000-memory.dmpFilesize
64KB
-
memory/4784-159-0x0000017764740000-0x0000017764757000-memory.dmpFilesize
92KB
-
memory/5104-132-0x0000000002360000-0x0000000002364000-memory.dmpFilesize
16KB