Analysis
-
max time kernel
37s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
24-11-2022 12:21
Static task
static1
Behavioral task
behavioral1
Sample
2014_11informationen_finanzgruppe_000070002.000038622.771714407-0044.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
2014_11informationen_finanzgruppe_000070002.000038622.771714407-0044.exe
Resource
win10v2004-20220812-en
General
-
Target
2014_11informationen_finanzgruppe_000070002.000038622.771714407-0044.exe
-
Size
279KB
-
MD5
abd77fef06032bb87aef714807bb2412
-
SHA1
6d30182805ad1f067a59e393d056d2510877efcf
-
SHA256
4540c3df2c3e1d87dac8dfc1c23b69a2c4aafd286ab9368cf7a1f335287ebeea
-
SHA512
1f9fa4cf96a9133c8ab85696049da3bdb96733c6abd831865f3d7a15732709c86ab1e22db18550140a494a68b7eac9d52f2904bd33373420f9f7b283a79a3d89
-
SSDEEP
6144:OnosW1EBUJk5RUJIQ6CtCyuP5/M/2goLlUZCXF+z7V:Ommm6fEO1LxCR
Malware Config
Signatures
-
Deletes itself 1 IoCs
Processes:
cmd.exepid process 2040 cmd.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Explorer.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ypbkryye.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\ypbkryye.exe\"" Explorer.EXE -
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
2014_11informationen_finanzgruppe_000070002.000038622.771714407-0044.exeExplorer.EXEpid process 1780 2014_11informationen_finanzgruppe_000070002.000038622.771714407-0044.exe 1780 2014_11informationen_finanzgruppe_000070002.000038622.771714407-0044.exe 1196 Explorer.EXE 1196 Explorer.EXE 1196 Explorer.EXE 1196 Explorer.EXE 1196 Explorer.EXE 1196 Explorer.EXE 1196 Explorer.EXE 1196 Explorer.EXE 1196 Explorer.EXE 1196 Explorer.EXE -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
2014_11informationen_finanzgruppe_000070002.000038622.771714407-0044.exeExplorer.EXEdescription pid process Token: SeDebugPrivilege 1780 2014_11informationen_finanzgruppe_000070002.000038622.771714407-0044.exe Token: SeDebugPrivilege 1196 Explorer.EXE -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
Explorer.EXEpid process 1196 Explorer.EXE 1196 Explorer.EXE -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
Explorer.EXEpid process 1196 Explorer.EXE 1196 Explorer.EXE -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
2014_11informationen_finanzgruppe_000070002.000038622.771714407-0044.exeExplorer.EXEdescription pid process target process PID 1780 wrote to memory of 2040 1780 2014_11informationen_finanzgruppe_000070002.000038622.771714407-0044.exe cmd.exe PID 1780 wrote to memory of 2040 1780 2014_11informationen_finanzgruppe_000070002.000038622.771714407-0044.exe cmd.exe PID 1780 wrote to memory of 2040 1780 2014_11informationen_finanzgruppe_000070002.000038622.771714407-0044.exe cmd.exe PID 1780 wrote to memory of 2040 1780 2014_11informationen_finanzgruppe_000070002.000038622.771714407-0044.exe cmd.exe PID 1780 wrote to memory of 1196 1780 2014_11informationen_finanzgruppe_000070002.000038622.771714407-0044.exe Explorer.EXE PID 1196 wrote to memory of 1120 1196 Explorer.EXE taskhost.exe PID 1196 wrote to memory of 1164 1196 Explorer.EXE Dwm.exe PID 1196 wrote to memory of 1780 1196 Explorer.EXE 2014_11informationen_finanzgruppe_000070002.000038622.771714407-0044.exe PID 1196 wrote to memory of 2040 1196 Explorer.EXE cmd.exe PID 1196 wrote to memory of 1436 1196 Explorer.EXE conhost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2014_11informationen_finanzgruppe_000070002.000038622.771714407-0044.exe"C:\Users\Admin\AppData\Local\Temp\2014_11informationen_finanzgruppe_000070002.000038622.771714407-0044.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS7994~1.BAT"2⤵
- Deletes itself
PID:2040
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1196
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵PID:1164
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵PID:1120
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "525894199-8784050752104368582354203914-2135414366-482009578-1575706309406367765"1⤵PID:1436
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
201B
MD54eb16d94e78f5b51b9ae890d51771c33
SHA1ef38462252e1ae9474af816c4ddff7d19e4a7117
SHA25634598f4fd127864cce395fe46f45da1b176445b56c25596904227f5aee821e3b
SHA512b31c9fa9e8755577698681356785f6e4a040ad8eb573d25da38c3f25dfc3d3b6b4b00db88e1c259189083589c212ca0c421a69982f1193c9c54210711b6e9b1d