Analysis

  • max time kernel
    2s
  • max time network
    7s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-11-2022 04:17

General

  • Target

    rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe

  • Size

    168KB

  • MD5

    f914047ba6e8f5bbc2eb67c2bf8336ee

  • SHA1

    a90281ee27ac6d692fbc245e0ea688f3f9c860a2

  • SHA256

    03baf1186fd318f5ed6ee848201f5f998c873cecaa2ec3313d6d60e17d78f4dd

  • SHA512

    46c448718d92e834f410de23485d30848db8246ffd9d79fc5fe9575d7aa1a55cb646803dadeace3a4c891bbc9ba8cb2f46bc26285f6efc5c3a1030ab28502a1a

  • SSDEEP

    3072:mdLyZlwEyKcoO29Y5eCPN2bViTphJP12EFs+NLVgu2TVAOWX:4Law7F3CY5e+CVi/yEXlVh2hk

Score
6/10

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    1⤵
      PID:3288
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
      1⤵
        PID:3096
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1040
        • C:\Users\Admin\AppData\Local\Temp\rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
          "C:\Users\Admin\AppData\Local\Temp\rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2016
          • C:\Users\Admin\AppData\Local\Temp\rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
            C:\Users\Admin\AppData\Local\Temp\rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2468
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS8300~1.BAT"
              4⤵
                PID:5032
        • C:\Windows\system32\taskhostw.exe
          taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
          1⤵
            PID:2680
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
            1⤵
              PID:2536
            • C:\Windows\system32\sihost.exe
              sihost.exe
              1⤵
                PID:2452

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Registry Run Keys / Startup Folder
    1
    T1060

  • Defense Evasion
    Modify Registry
    1
    T1112


Downloads

  • memory/1040-138-0x00007FF9A63F0000-0x00007FF9A6400000-memory.dmp
    Filesize

    64KB

  • memory/2016-135-0x0000000000B00000-0x0000000000B04000-memory.dmp
    Filesize

    16KB

  • memory/2468-132-0x0000000000000000-mapping.dmp

  • memory/2468-133-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize

    72KB

  • memory/2468-136-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize

    72KB

  • memory/5032-137-0x0000000000000000-mapping.dmp