Analysis
max time kernel: 138s
max time network: 53s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 24-11-2022 13:30
Static task: static1
Behavioral task: behavioral1
  Sample: 2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exe
  Resource: win10v2004-20221111-en
General
Target: 2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exe
Size: 277KB
MD5: 07f800cbb4053497d25bc4211bdd1c39
SHA1: 134f73a6c5e9c494b0261a62955f866364ddeda5
SHA256: b3744982a1529ee0e2a3f0df355304b7ccbaff83b7e8ffffd505b61d2d234107
SHA512: f5fcc7124c3fa5486b6381db5442181794d461cf868876f0e2059b4701cda57c92a20b25e86b4db8798727eb45fda5e5458e269fa874e6ab51842d51bf33bdaf
SSDEEP: 6144:xscYiaYUpwXV9RIKWn/TUVs8oL48N8lqFzc+tRJShtQ:2cgzXrN8UbtPShO
Malware Config
Signatures
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 1528)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  - Key created: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: Explorer.EXE)
  - Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\usrbdvpp.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\usrbdvpp.exe\"" (process: Explorer.EXE; the sandbox escapes the REG_SZ data, which decodes to the quoted path "C:\Users\Admin\AppData\Roaming\Identities\usrbdvpp.exe")
  Note that both registry operations are attributed to Explorer.EXE (PID 1200), not to the sample's own process (PID 1460). Together with the WriteProcessMemory events below, in which 1460 writes into 1200, this is consistent with the persistence entry being installed from code injected into Explorer, so a detection keyed only on the sample's image name would miss the registry write.
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes: 2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exe (PID 1460, 2 events); Explorer.EXE (PID 1200, 8 events)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: Explorer.EXE (PID 1200)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  - Token: SeDebugPrivilege, 2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exe (PID 1460)
  - Token: SeDebugPrivilege, Explorer.EXE (PID 1200)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: Explorer.EXE (PID 1200, 2 events)
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes: Explorer.EXE (PID 1200, 2 events)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (source PID, source process -> target PID, target process):
  - 1460 2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exe -> 1528 cmd.exe (4 events)
  - 1460 2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exe -> 1200 Explorer.EXE
  - 1200 Explorer.EXE -> 1112 taskhost.exe
  - 1200 Explorer.EXE -> 1172 Dwm.exe
  - 1200 Explorer.EXE -> 1460 2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exe
  The four writes from 1460 into its child cmd.exe (1528) are the kind of writes a parent makes when it creates a process; the writes from 1460 into Explorer.EXE, and then from Explorer.EXE into taskhost.exe and Dwm.exe, have no such benign explanation and point to cross-process injection.
Processes
Tree (depth shown by indentation; the second line of each entry is the command line as recorded):
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
- C:\Windows\system32\Dwm.exe
  "C:\Windows\system32\Dwm.exe"
- C:\Windows\Explorer.EXE
  C:\Windows\Explorer.EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exe
    "C:\Users\Admin\AppData\Local\Temp\2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS9522~1.BAT"
      - Deletes itself
Two details of the cmd.exe entry are worth noting. The command line names C:\Windows\system32\cmd.exe but the image that actually ran is C:\Windows\SysWOW64\cmd.exe: this is WoW64 file system redirection, so the sample executes as a 32-bit process on the x64 image (matching the arch:x86 tag). The batch file is referenced by its 8.3 short name, MS9522~1.BAT, which corresponds to the dropped file C:\Users\Admin\AppData\Roaming\ms9522115.bat listed under Downloads; hunting rules that match on the long file name alone will not match this command line.
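As an added example that is not part of the sandbox report or its tooling, the following Python turns the report's indicators (the Run value written by Explorer.EXE, the cmd.exe /c launch of a batch file from AppData\Roaming by its 8.3 name, and the dropped file's SHA256) into matching logic and runs it over constructed Sysmon-style events. It also parses the sandbox's own escaped "Set value (str)" line so the IoC can be lifted from the report without hand-decoding. Field names follow Sysmon (Image, CommandLine, TargetObject, Details, TargetFilename); the SHA256 field on the FileCreate event is an assumed enrichment, and every event below is constructed, not captured telemetry.

```python
"""Match the behaviours recorded in the report against Sysmon-style events.

Added example, not part of the sandbox report. Event records are constructed
to mimic Sysmon EventID 1 (ProcessCreate), 11 (FileCreate, assumed enriched
with a SHA256 field) and 13 (RegistryEvent SetValue); none are real telemetry.
"""
import re
from typing import Dict, List, Tuple

# IoCs copied from the report above.
RUN_VALUE_NAME = "usrbdvpp.exe"
RUN_VALUE_DATA = r"C:\Users\Admin\AppData\Roaming\Identities\usrbdvpp.exe"
DROPPED_BAT_SHA256 = "1421fd608d085dfaeb5b7b54cb1dee6d93871b47d4ee50b2e1de18e45ed33e9d"
# The 'Set value' IoC exactly as the sandbox renders it (C-style escaping).
REPORT_RUN_KEY_LINE = (
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\usrbdvpp.exe = '
    r'"\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\usrbdvpp.exe\"" Explorer.EXE'
)

_SETVALUE_IOC = re.compile(r'^Set value \((\w+)\) (\S+) = ("(?:\\.|[^"\\])*") (\S+)$')
_RUN_VALUE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\([^\\]+)$")
_BAT_ARG = re.compile(r'/c\s+"?([^"\s]+\.bat)"?', re.IGNORECASE)


def unescape_sandbox_string(raw: str) -> str:
    """Strip the surrounding quotes and undo backslash escaping (\\" and \\\\)."""
    return re.sub(r"\\(.)", r"\1", raw[1:-1])


def normalize_reg_key(key: str) -> str:
    """Map native kernel registry paths to Sysmon-style hive prefixes, lower-cased."""
    for native, hive in (("\\REGISTRY\\USER\\", "HKU\\"), ("\\REGISTRY\\MACHINE\\", "HKLM\\")):
        if key.upper().startswith(native):
            key = hive + key[len(native):]
    return key.lower()


def parse_set_value_ioc(line: str) -> Dict[str, str]:
    """Parse one 'Set value (<type>) <key\\name> = "<data>" <process>' report line."""
    m = _SETVALUE_IOC.match(line)
    if not m:
        raise ValueError("not a 'Set value' IoC line")
    vtype, full_path, raw_data, process = m.groups()
    key, _, name = full_path.rpartition("\\")
    data = unescape_sandbox_string(raw_data).strip('"')  # REG_SZ data is the quoted path
    return {"type": vtype, "key": normalize_reg_key(key), "name": name,
            "data": data, "process": process}


def match_event(ev: dict) -> List[str]:
    """Return the names of the rules this single event triggers."""
    hits: List[str] = []
    if ev["EventID"] == 13:  # registry value set
        m = _RUN_VALUE.search(normalize_reg_key(ev["TargetObject"]))
        if m:
            data = ev["Details"].strip('"')
            if m.group(1) == RUN_VALUE_NAME.lower() and data.lower() == RUN_VALUE_DATA.lower():
                hits.append("run_key_ioc_exact")
            if "\\appdata\\roaming\\" in data.lower():  # generic: Run value into a user-writable dir
                hits.append("run_key_points_into_appdata")
    elif ev["EventID"] == 1:  # process create
        if ev["Image"].lower().endswith("\\cmd.exe"):
            m = _BAT_ARG.search(ev["CommandLine"])
            if m and "\\appdata\\roaming\\" in m.group(1).lower():
                hits.append("cmd_runs_bat_from_appdata")
                if re.search(r"~\d", m.group(1)):  # 8.3 short name, as in MS9522~1.BAT
                    hits.append("bat_referenced_by_8dot3_name")
    elif ev["EventID"] == 11:  # file create, with assumed hash enrichment
        if ev.get("SHA256", "").lower() == DROPPED_BAT_SHA256:
            hits.append("dropped_bat_hash")
    return hits


def scan(events: List[dict]) -> List[Tuple[int, List[str]]]:
    """Return (event index, rule names) for every event that triggers at least one rule."""
    findings = []
    for i, ev in enumerate(events):
        hits = match_event(ev)
        if hits:
            findings.append((i, hits))
    return findings


# Constructed events: two modelled on this report, two benign controls, one dropped file.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\Explorer.EXE",
     "TargetObject": r"HKU\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\usrbdvpp.exe",
     "Details": r'"C:\Users\Admin\AppData\Roaming\Identities\usrbdvpp.exe"'},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"%windir%\system32\SecurityHealthSystray.exe"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS9522~1.BAT"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "dir C:\Users"'},
    {"EventID": 11, "Image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\ms9522115.bat",
     "SHA256": DROPPED_BAT_SHA256},
]

if __name__ == "__main__":
    print(parse_set_value_ioc(REPORT_RUN_KEY_LINE))
    for idx, rules in scan(SAMPLE_EVENTS):
        print(idx, rules)
```

The exact-match rule is deliberately paired with the generic ones (any Run value pointing into AppData\Roaming, any cmd.exe /c of a .bat from AppData\Roaming) because the value name and dropped-file name here look generated and are unlikely to repeat across samples; the hash rule only catches this exact 201-byte batch file.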
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\ms9522115.bat
  Filesize: 201B
  MD5: 1adafb9d6913f23e89fe1e11dbb9e3e2
  SHA1: 5b10f89f67c24e1d17c98cca364d3841be9eebe5
  SHA256: 1421fd608d085dfaeb5b7b54cb1dee6d93871b47d4ee50b2e1de18e45ed33e9d
  SHA512: 5948de99bd3022aaa7b81c733ce4bfe5168251dcc528e6126bccc8b0ef8b0be4522a58c1fe9ba27a1ffc352fa2180162ff9a9d2b9999306ee5e8da4b169cafc1
- memory/1112-64-0x00000000373F0000-0x0000000037400000-memory.dmp
  Filesize: 64KB
- memory/1112-70-0x0000000001CB0000-0x0000000001CC7000-memory.dmp
  Filesize: 92KB
- memory/1172-68-0x00000000373F0000-0x0000000037400000-memory.dmp
  Filesize: 64KB
- memory/1172-71-0x0000000001BA0000-0x0000000001BB7000-memory.dmp
  Filesize: 92KB
- memory/1200-56-0x00000000021E0000-0x00000000021F7000-memory.dmp
  Filesize: 92KB
- memory/1200-60-0x00000000373F0000-0x0000000037400000-memory.dmp
  Filesize: 64KB
- memory/1200-69-0x00000000021E0000-0x00000000021F7000-memory.dmp
  Filesize: 92KB
- memory/1460-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp
  Filesize: 8KB
- memory/1460-58-0x0000000000150000-0x000000000015E000-memory.dmp
  Filesize: 56KB
- memory/1460-59-0x0000000000240000-0x000000000028C000-memory.dmp
  Filesize: 304KB
- memory/1528-55-0x0000000000000000-mapping.dmp