Overview

overview

7

Static

static

2014_11inf...44.exe

windows7-x64

7

2014_11inf...44.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    243s
  • max time network
    337s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    24-11-2022 12:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2014_11informationen_finanzgruppe_000070002.000038622.771714407-0044.exe

  • Size

    277KB

  • MD5

    6f4d475eb0cb95a0bf8ab9825403253d

  • SHA1

    b2f4bf05e102823c97b2a6a4b00c4183073d93a4

  • SHA256

    cae0331cddf01777e3b1c275240b988c675527a4e9f72f91ffe4c0e8d68f73e4

  • SHA512

    384ccff8f308e901bde57c65f76aa0f501019cb709b47c041fa1c234d81f77da08980b7c757b22a83ebafe720a3aa7d676528a988d2a3b35cb80f5a91f51382e

  • SSDEEP

    6144:diaYUpwXV9RIKWn/TUVs8oL48N8lqFzc+tRJShtS:jzXrN8UbtPShI

Score
7/10
persistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1228
    • C:\Users\Admin\AppData\Local\Temp\2014_11informationen_finanzgruppe_000070002.000038622.771714407-0044.exe
      "C:\Users\Admin\AppData\Local\Temp\2014_11informationen_finanzgruppe_000070002.000038622.771714407-0044.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1640
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS6374~1.BAT"
        3⤵
        • Deletes itself
        PID:268
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1192
    • C:\Windows\system32\taskhost.exe
      "taskhost.exe"
      1⤵
        PID:1124
      • C:\Windows\system32\conhost.exe
        \??\C:\Windows\system32\conhost.exe "708725119177871769-1147132788-17670117041827569752102856477-186287368861643224"
        1⤵
          PID:584

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\ms6374069.bat
          Filesize

          201B

          MD5

          889ed06ab2691e3eb0cd6439f14730c9

          SHA1

          3ccc56555e327d29d637aa55692586e061b1b48c

          SHA256

          4c803fc15cc4ef8dfc9f20d0cb93fa07afbf1becf56751a11955cd20d70ca851

          SHA512

          7417a8ba275b8de74e8322fe793c5acbbe678672caea8b080c4554304ec1ea2a3ee14fc27ac9cf4ae5c768b8922de1d774eddc57f57ef796b745c225c88d2e4d

          Download Submit

        • memory/268-59-0x0000000000000000-mapping.dmp

          Download

        • memory/584-87-0x00000000000D0000-0x00000000000E7000-memory.dmp

          Filesize

          92KB

          Download

        • memory/584-84-0x00000000375B0000-0x00000000375C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/584-85-0x00000000375B0000-0x00000000375C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/584-86-0x00000000000F0000-0x0000000000107000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1124-91-0x0000000001E20000-0x0000000001E37000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1124-88-0x0000000001E40000-0x0000000001E57000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1124-80-0x00000000375B0000-0x00000000375C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1124-83-0x00000000375B0000-0x00000000375C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1192-81-0x00000000375B0000-0x00000000375C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1192-89-0x0000000000120000-0x0000000000137000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1228-90-0x00000000029D0000-0x00000000029E7000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1228-60-0x00000000029D0000-0x00000000029E7000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1228-62-0x00000000375B0000-0x00000000375C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1640-63-0x0000000001170000-0x00000000011BC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/1640-54-0x0000000075D51000-0x0000000075D53000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1640-55-0x0000000000080000-0x000000000008E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/1640-56-0x0000000001170000-0x00000000011BC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/1640-70-0x00000000000A0000-0x00000000000B4000-memory.dmp

          Filesize

          80KB

          Download