Overview

overview

7

Static

static

rechnung_1...05.exe

windows7-x64

7

rechnung_1...05.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    146s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    24-11-2022 05:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe

  • Size

    171KB

  • MD5

    a804f34778af2e79285fc1322f1b412e

  • SHA1

    072450802be854e19fdf8e84b153e64acf37e61d

  • SHA256

    787a3ec22002c515ea6093e691c4578d3872cd0e24db671122d65b19e491036b

  • SHA512

    306748ac10dcc89af61d4b52f753ba44f4741a2b7b597de8bbce867cd1055640288b8e9f7cd77ebbb2f80c3bacdf3b01097c7eeb95f19285dc807e5fbc46aa9e

  • SSDEEP

    3072:igpd+HKWTnOwsDBY4XAHNycjNtTUhx0faUU8EoyDElkCd:igpMHKWTDun+DU6rqYlv

Score
7/10
persistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1116
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:1268
      • C:\Users\Admin\AppData\Local\Temp\rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
        "C:\Users\Admin\AppData\Local\Temp\rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:836
        • C:\Users\Admin\AppData\Local\Temp\rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
          "C:\Users\Admin\AppData\Local\Temp\rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:860
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS3818~1.BAT"
            4⤵
            • Deletes itself
            PID:1284
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1180
      • C:\Windows\system32\conhost.exe
        \??\C:\Windows\system32\conhost.exe "45461866511896193842016677942-874799103954584709-2129152894-586029591135738814"
        1⤵
          PID:1828

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\ms3818398.bat
          Filesize

          201B

          MD5

          6f009d6cc68b6ba0541c57862bdfecb9

          SHA1

          85cdd96c5123aeb9a23db1c62dffb4d921962516

          SHA256

          2482a2c19ba0e50b5e1b6813146c99da257826463bf9f8f14e057f6aa4620785

          SHA512

          1939c23a48db5cc6b2bbd60c35fca4bde0bf6b76aad9d1ff2fdf017a72a6d6c8c4c8a81400070092afb8403ac6ceedc852168e8918a5a2fffe367a28a86d335e

          Download Submit

        • memory/836-90-0x0000000000230000-0x000000000023E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/836-54-0x0000000075071000-0x0000000075073000-memory.dmp

          Filesize

          8KB

          Download

        • memory/860-74-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/860-56-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/860-62-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/860-64-0x00000000004010C0-mapping.dmp

          Download

        • memory/860-63-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/860-66-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/860-55-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/860-60-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/860-58-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1116-81-0x0000000036E40000-0x0000000036E50000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1116-91-0x0000000000210000-0x0000000000227000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1180-86-0x0000000036E40000-0x0000000036E50000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1180-93-0x0000000001AF0000-0x0000000001B07000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1268-75-0x0000000036E40000-0x0000000036E50000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1268-71-0x00000000029D0000-0x00000000029E7000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1268-92-0x00000000029D0000-0x00000000029E7000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1284-83-0x0000000000180000-0x0000000000194000-memory.dmp

          Filesize

          80KB

          Download

        • memory/1284-88-0x0000000036FF0000-0x0000000037000000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1284-70-0x0000000000000000-mapping.dmp

          Download

        • memory/1284-94-0x0000000000180000-0x0000000000194000-memory.dmp

          Filesize

          80KB

          Download

        • memory/1828-89-0x0000000036E40000-0x0000000036E50000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1828-95-0x0000000000060000-0x0000000000077000-memory.dmp

          Filesize

          92KB

          Download