Overview

overview

7

Static

static

rechnung_1...05.exe

windows7-x64

7

rechnung_1...05.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    171s
  • max time network
    204s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    24/11/2022, 04:42

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe

  • Size

    176KB

  • MD5

    66532729cafdf2c5421c4c43f7dee5e9

  • SHA1

    571f5e0d5c046e91e195e205dfc89682bdd5f836

  • SHA256

    5792bd3689fa6423672dc0974cfe1697f58f1cd63b5efa32d5d3a4f0b5e1c8a8

  • SHA512

    79b9440e050bb42c27d6f4425b14b803c1448a3d3eba9c96be3c1a8b0a60eb925883d9ce0e02053d9420c43af08c7ecd77c86f7bde3b2e4080e09daab96d5b61

  • SSDEEP

    3072:vQnHNmI+cMkJReOmz1C+cSQStd3jUQdW6OTHeOO16ogZrssN6wc+ga0Mhze:vwHB3tJWBC+Cqz14TE6dZr5PQ

Score
7/10
persistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1252
    • C:\Users\Admin\AppData\Local\Temp\rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
      "C:\Users\Admin\AppData\Local\Temp\rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:872
      • C:\Users\Admin\AppData\Local\Temp\rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
        C:\Users\Admin\AppData\Local\Temp\rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1740
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS3818~1.BAT"
          4⤵
          • Deletes itself
          PID:624
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1192
    • C:\Windows\system32\taskhost.exe
      "taskhost.exe"
      1⤵
        PID:1132

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Roaming\ms3818398.bat
              Filesize

              201B

              MD5

              6f009d6cc68b6ba0541c57862bdfecb9

              SHA1

              85cdd96c5123aeb9a23db1c62dffb4d921962516

              SHA256

              2482a2c19ba0e50b5e1b6813146c99da257826463bf9f8f14e057f6aa4620785

              SHA512

              1939c23a48db5cc6b2bbd60c35fca4bde0bf6b76aad9d1ff2fdf017a72a6d6c8c4c8a81400070092afb8403ac6ceedc852168e8918a5a2fffe367a28a86d335e

              Download Submit

            • memory/872-54-0x00000000759C1000-0x00000000759C3000-memory.dmp

              Filesize

              8KB

              Download

            • memory/872-65-0x0000000000380000-0x0000000000384000-memory.dmp

              Filesize

              16KB

              Download

            • memory/1132-85-0x0000000001C80000-0x0000000001C97000-memory.dmp

              Filesize

              92KB

              Download

            • memory/1132-82-0x00000000371E0000-0x00000000371F0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1192-87-0x0000000001AE0000-0x0000000001AF7000-memory.dmp

              Filesize

              92KB

              Download

            • memory/1192-84-0x00000000371E0000-0x00000000371F0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1252-86-0x0000000002250000-0x0000000002267000-memory.dmp

              Filesize

              92KB

              Download

            • memory/1252-76-0x00000000371E0000-0x00000000371F0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1252-73-0x0000000002250000-0x0000000002267000-memory.dmp

              Filesize

              92KB

              Download

            • memory/1740-62-0x0000000000400000-0x0000000000412000-memory.dmp

              Filesize

              72KB

              Download

            • memory/1740-70-0x0000000000400000-0x0000000000412000-memory.dmp

              Filesize

              72KB

              Download

            • memory/1740-75-0x0000000000400000-0x0000000000412000-memory.dmp

              Filesize

              72KB

              Download

            • memory/1740-67-0x0000000000400000-0x0000000000412000-memory.dmp

              Filesize

              72KB

              Download

            • memory/1740-63-0x0000000000400000-0x0000000000412000-memory.dmp

              Filesize

              72KB

              Download

            • memory/1740-60-0x0000000000400000-0x0000000000412000-memory.dmp

              Filesize

              72KB

              Download

            • memory/1740-58-0x0000000000400000-0x0000000000412000-memory.dmp

              Filesize

              72KB

              Download

            • memory/1740-56-0x0000000000400000-0x0000000000412000-memory.dmp

              Filesize

              72KB

              Download

            • memory/1740-55-0x0000000000400000-0x0000000000412000-memory.dmp

              Filesize

              72KB

              Download