Overview

overview

7

Static

static

rechnung_v...02.exe

windows7-x64

7

rechnung_v...02.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    146s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    24-11-2022 04:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe

  • Size

    188KB

  • MD5

    e3ace455382fa7708264257983339263

  • SHA1

    ab979cc544c46903d41fe773c568e2fa54a9bc44

  • SHA256

    f2d682b9bd2857603944471a9baf4a8d83a897d7be57dbf473c8f07fd8f5ed1a

  • SHA512

    be4a8e0770d30eb888a27490954b6109353673234f3b30b3c384d624ff79f3171a3ffff310883cb2f0930f0c64edb716171a78b3a166b44d855c08a0742c46ff

  • SSDEEP

    3072:gudusODvGZVHhS1drkr3k1hsz3F8ol/Lg7Qir8B/xjcbfMrRPyczWIqT9tYhOddx:k9+phSzOFUs/F08PLWIqT2M

Score
7/10
persistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1076
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:1212
      • C:\Users\Admin\AppData\Local\Temp\rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
        "C:\Users\Admin\AppData\Local\Temp\rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1380
        • C:\Users\Admin\AppData\Local\Temp\rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
          C:\Users\Admin\AppData\Local\Temp\rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:824
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS3907~1.BAT"
            4⤵
            • Deletes itself
            PID:920
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1144

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\ms3907252.bat
        Filesize

        201B

        MD5

        1a403b47535cb1ba8d2be155d6f11618

        SHA1

        33833476077beb8138a2e94e05d5e9e83c03d7a2

        SHA256

        a013cc510f0e9344a2cdeffe4aad36333f7265f936cf27e9a3c3f466073738de

        SHA512

        ea9cdc735bb55c1fb90bac184c13c5801c33665e82c21c58aa5169461b89b32d81c1214f63c9cd8c650964b2e31563eb21f4beee72b57aa451e682d724c6d375

        Download Submit
      • memory/824-62-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/824-74-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/824-58-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/824-60-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/824-67-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/824-63-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/824-64-0x00000000004010C0-mapping.dmp
        Download
      • memory/824-55-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/824-56-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/920-71-0x0000000000000000-mapping.dmp
        Download
      • memory/1076-81-0x0000000037070000-0x0000000037080000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1076-84-0x0000000001D20000-0x0000000001D37000-memory.dmp
        Filesize

        92KB

        Download
      • memory/1144-83-0x0000000037070000-0x0000000037080000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1144-86-0x00000000001A0000-0x00000000001B7000-memory.dmp
        Filesize

        92KB

        Download
      • memory/1212-75-0x0000000037070000-0x0000000037080000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1212-85-0x0000000002670000-0x0000000002687000-memory.dmp
        Filesize

        92KB

        Download
      • memory/1212-87-0x0000000002670000-0x0000000002687000-memory.dmp
        Filesize

        92KB

        Download
      • memory/1212-72-0x0000000002670000-0x0000000002687000-memory.dmp
        Filesize

        92KB

        Download
      • memory/1380-65-0x00000000003D0000-0x00000000003D4000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1380-54-0x00000000757A1000-0x00000000757A3000-memory.dmp
        Filesize

        8KB

        Download