Analysis
- max time kernel: 163s
- max time network: 182s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 24-11-2022 12:15
Static task: static1
Behavioral task: behavioral1
- Sample: 2014_11transaktions_pdf_000093378_2014_0000919_11_v_00028836_n_827100007.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 2014_11transaktions_pdf_000093378_2014_0000919_11_v_00028836_n_827100007.exe
- Resource: win10v2004-20220812-en
General
- Target: 2014_11transaktions_pdf_000093378_2014_0000919_11_v_00028836_n_827100007.exe
- Size: 278KB
- MD5: b650be9b84ff38f06f217ad982b8660d
- SHA1: 20c4b3e5dbe971309c3ec966e4e671d8c56580c5
- SHA256: 586ee2c334dff3ada56930d7de90999634893495ba8acd524273b955303b23fd
- SHA512: d132fa2fc0cbbd1f03e9c83c06aef54ea5700ba648f6fa7a04b3bc235a65758d0168e72428820115e546cd6a785281253adf340444db22f79b4cffea45f31371
- SSDEEP: 6144:9iaYUpwXV9RIKWn/TUVs8oL48N8lqFzc+tRJSht4K:DzXrN8UbtPShiK
Malware Config
Signatures
- Deletes itself (1 IoC)
  Processes (pid, process):
  - 1308 cmd.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  - Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run | Explorer.EXE
  - Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\loibgjiv.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\loibgjiv.exe\"" | Explorer.EXE
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes (pid, process):
  - 936 2014_11transaktions_pdf_000093378_2014_0000919_11_v_00028836_n_827100007.exe (2 occurrences)
  - 1264 Explorer.EXE (8 occurrences)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid, process):
  - 1264 Explorer.EXE
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege | 936 | 2014_11transaktions_pdf_000093378_2014_0000919_11_v_00028836_n_827100007.exe
  - Token: SeDebugPrivilege | 1264 | Explorer.EXE
  - Token: SeShutdownPrivilege | 1264 | Explorer.EXE
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid, process):
  - 1264 Explorer.EXE (2 occurrences)
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes (pid, process):
  - 1264 Explorer.EXE (2 occurrences)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
  - PID 936 wrote to memory of 1308 | 936 | 2014_11transaktions_pdf_000093378_2014_0000919_11_v_00028836_n_827100007.exe | cmd.exe (4 occurrences)
  - PID 936 wrote to memory of 1264 | 936 | 2014_11transaktions_pdf_000093378_2014_0000919_11_v_00028836_n_827100007.exe | Explorer.EXE
  - PID 1264 wrote to memory of 1132 | 1264 | Explorer.EXE | taskhost.exe
  - PID 1264 wrote to memory of 1216 | 1264 | Explorer.EXE | Dwm.exe
  - PID 1264 wrote to memory of 1308 | 1264 | Explorer.EXE | cmd.exe
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1264
  Signatures:
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\2014_11transaktions_pdf_000093378_2014_0000919_11_v_00028836_n_827100007.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2014_11transaktions_pdf_000093378_2014_0000919_11_v_00028836_n_827100007.exe"
    PID: 936
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS3024~1.BAT"
      PID: 1308
      Signatures:
      - Deletes itself
- C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
  PID: 1216
- C:\Windows\system32\taskhost.exe
  Command line: "taskhost.exe"
  PID: 1132
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\ms3024091.bat
  Filesize: 201B
  MD5: 9c30c08ff702a4af3452b41f716bbf0a
  SHA1: a9f08a97937fb85072640263f058d7423c284a17
  SHA256: 6e437ed21d2f9e34800cf199a0ebe3ea3645d515f536f6efc0b13c02afef160b
  SHA512: cc5a1427ad792b0ff9726146c096c0623cb25ba30a2a3b91fff52f303293e575dd93c6a1cd6b2cab35051d1da970653abeecbb5186cca8b8248b2883cd76066d
- memory/936-58-0x0000000000070000-0x00000000000BC000-memory.dmp
  Filesize: 304KB
- memory/936-57-0x00000000000F0000-0x00000000000FE000-memory.dmp
  Filesize: 56KB
- memory/936-54-0x0000000076941000-0x0000000076943000-memory.dmp
  Filesize: 8KB
- memory/1132-70-0x0000000037970000-0x0000000037980000-memory.dmp
  Filesize: 64KB
- memory/1132-71-0x0000000000210000-0x0000000000227000-memory.dmp
  Filesize: 92KB
- memory/1216-72-0x00000000019C0000-0x00000000019D7000-memory.dmp
  Filesize: 92KB
- memory/1216-68-0x0000000037970000-0x0000000037980000-memory.dmp
  Filesize: 64KB
- memory/1264-62-0x0000000037970000-0x0000000037980000-memory.dmp
  Filesize: 64KB
- memory/1264-60-0x00000000026F0000-0x0000000002707000-memory.dmp
  Filesize: 92KB
- memory/1264-73-0x00000000026F0000-0x0000000002707000-memory.dmp
  Filesize: 92KB
- memory/1264-74-0x000007FEF6C90000-0x000007FEF6DD3000-memory.dmp
  Filesize: 1.3MB
- memory/1264-75-0x000007FF56840000-0x000007FF5684A000-memory.dmp
  Filesize: 40KB
- memory/1308-59-0x0000000000000000-mapping.dmp