Analysis
-
max time kernel
145s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
24-11-2022 12:55
General
-
Target
2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exe
-
Size
278KB
-
MD5
2804797e817cd57397c22538ab71a9b5
-
SHA1
88b499209f9a610aaa566644193e16bef4ee24c3
-
SHA256
84d5a9bdbe6311cbd8924e1597d4647025f10c720b03c3f5e37040bcbd983fe5
-
SHA512
7fa1500fc443c06ed8845ba51ab14fabbbbad710fd61e6be6957b7e0e7b35c701ac50d28797b457ae4cb8c83781e3c8346473dcd4c2b15a006fb2b22fa19b6e1
-
SSDEEP
6144:TRmQh7YWbNaxXv06kPvLoa32jc3qmpdtPpX:FmQs2Ll6mz
Malware Config
Signatures
-
Deletes itself 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exe"C:\Users\Admin\AppData\Local\Temp\2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS9068~1.BAT"3⤵
- Deletes itself
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1567688405-1846789715110896643171781617720228162791033017743-934054801687600302"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\ms9068152.batFilesize
201B
MD5649ccd4e746e1e7f2459e42bf84dbc68
SHA108b185c6f2a9771e19e39c158adaababba8b5517
SHA2563a77680c62c234afa641d086926cee1955badf04f95a269d6670b9331e93807c
SHA5127ce1f4e54b2a64d1e366e87d6ca50f37a015e95ffc18643375ed3d1f03cbe12e45aeb3590078b683fd29543e54b89ef8644e0a667670228a43628de5ad14165d
-
memory/1124-68-0x0000000036F20000-0x0000000036F30000-memory.dmpFilesize
64KB
-
memory/1124-77-0x0000000001CA0000-0x0000000001CB7000-memory.dmpFilesize
92KB
-
memory/1168-78-0x0000000000290000-0x00000000002A7000-memory.dmpFilesize
92KB
-
memory/1168-70-0x0000000036F20000-0x0000000036F30000-memory.dmpFilesize
64KB
-
memory/1232-56-0x0000000001DE0000-0x0000000001DF7000-memory.dmpFilesize
92KB
-
memory/1232-81-0x0000000001DE0000-0x0000000001DF7000-memory.dmpFilesize
92KB
-
memory/1232-59-0x0000000036F20000-0x0000000036F30000-memory.dmpFilesize
64KB
-
memory/1684-79-0x0000000036F20000-0x0000000036F30000-memory.dmpFilesize
64KB
-
memory/1684-83-0x00000000000D0000-0x00000000000E7000-memory.dmpFilesize
92KB
-
memory/1968-75-0x00000000370D0000-0x00000000370E0000-memory.dmpFilesize
64KB
-
memory/1968-82-0x0000000000160000-0x0000000000174000-memory.dmpFilesize
80KB
-
memory/1968-80-0x00000000000F0000-0x0000000000104000-memory.dmpFilesize
80KB
-
memory/1968-55-0x0000000000000000-mapping.dmp
-
memory/1976-65-0x0000000000110000-0x0000000000124000-memory.dmpFilesize
80KB
-
memory/1976-60-0x0000000000FD0000-0x000000000101B000-memory.dmpFilesize
300KB
-
memory/1976-54-0x00000000754E1000-0x00000000754E3000-memory.dmpFilesize
8KB
-
memory/1976-58-0x00000000000F0000-0x00000000000FE000-memory.dmpFilesize
56KB