Overview

overview

7

Static

static

2014_11inf...44.exe

windows7-x64

7

2014_11inf...44.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    37s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    24-11-2022 12:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2014_11informationen_finanzgruppe_000070002.000038622.771714407-0044.exe

  • Size

    279KB

  • MD5

    abd77fef06032bb87aef714807bb2412

  • SHA1

    6d30182805ad1f067a59e393d056d2510877efcf

  • SHA256

    4540c3df2c3e1d87dac8dfc1c23b69a2c4aafd286ab9368cf7a1f335287ebeea

  • SHA512

    1f9fa4cf96a9133c8ab85696049da3bdb96733c6abd831865f3d7a15732709c86ab1e22db18550140a494a68b7eac9d52f2904bd33373420f9f7b283a79a3d89

  • SSDEEP

    6144:OnosW1EBUJk5RUJIQ6CtCyuP5/M/2goLlUZCXF+z7V:Ommm6fEO1LxCR

Score
7/10
persistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2014_11informationen_finanzgruppe_000070002.000038622.771714407-0044.exe
    "C:\Users\Admin\AppData\Local\Temp\2014_11informationen_finanzgruppe_000070002.000038622.771714407-0044.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1780
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS7994~1.BAT"
      2⤵
      • Deletes itself
      PID:2040
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1196
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1164
    • C:\Windows\system32\taskhost.exe
      "taskhost.exe"
      1⤵
        PID:1120
      • C:\Windows\system32\conhost.exe
        \??\C:\Windows\system32\conhost.exe "525894199-8784050752104368582354203914-2135414366-482009578-1575706309406367765"
        1⤵
          PID:1436

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\ms7994488.bat
          Filesize

          201B

          MD5

          4eb16d94e78f5b51b9ae890d51771c33

          SHA1

          ef38462252e1ae9474af816c4ddff7d19e4a7117

          SHA256

          34598f4fd127864cce395fe46f45da1b176445b56c25596904227f5aee821e3b

          SHA512

          b31c9fa9e8755577698681356785f6e4a040ad8eb573d25da38c3f25dfc3d3b6b4b00db88e1c259189083589c212ca0c421a69982f1193c9c54210711b6e9b1d

          Download Submit
        • memory/1120-68-0x0000000037BE0000-0x0000000037BF0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1120-74-0x0000000001B40000-0x0000000001B57000-memory.dmp
          Filesize

          92KB

          Download
        • memory/1164-69-0x0000000037BE0000-0x0000000037BF0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1164-75-0x00000000001A0000-0x00000000001B7000-memory.dmp
          Filesize

          92KB

          Download
        • memory/1196-56-0x0000000001DD0000-0x0000000001DE7000-memory.dmp
          Filesize

          92KB

          Download
        • memory/1196-58-0x0000000037BE0000-0x0000000037BF0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1196-73-0x0000000001DD0000-0x0000000001DE7000-memory.dmp
          Filesize

          92KB

          Download
        • memory/1780-54-0x00000000762F1000-0x00000000762F3000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1780-67-0x0000000000DA0000-0x0000000000DED000-memory.dmp
          Filesize

          308KB

          Download
        • memory/1780-65-0x0000000000130000-0x000000000013E000-memory.dmp
          Filesize

          56KB

          Download
        • memory/1780-64-0x00000000001E0000-0x00000000001F4000-memory.dmp
          Filesize

          80KB

          Download
        • memory/2040-55-0x0000000000000000-mapping.dmp
          Download