Overview

overview

7

Static

static

2014_11rec...74.exe

windows7-x64

7

2014_11rec...74.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    138s
  • max time network
    53s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    24-11-2022 13:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exe

  • Size

    277KB

  • MD5

    07f800cbb4053497d25bc4211bdd1c39

  • SHA1

    134f73a6c5e9c494b0261a62955f866364ddeda5

  • SHA256

    b3744982a1529ee0e2a3f0df355304b7ccbaff83b7e8ffffd505b61d2d234107

  • SHA512

    f5fcc7124c3fa5486b6381db5442181794d461cf868876f0e2059b4701cda57c92a20b25e86b4db8798727eb45fda5e5458e269fa874e6ab51842d51bf33bdaf

  • SSDEEP

    6144:xscYiaYUpwXV9RIKWn/TUVs8oL48N8lqFzc+tRJShtQ:2cgzXrN8UbtPShO

Score
7/10
persistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1112
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1172
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:1200
        • C:\Users\Admin\AppData\Local\Temp\2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exe
          "C:\Users\Admin\AppData\Local\Temp\2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exe"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1460
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS9522~1.BAT"
            3⤵
            • Deletes itself
            PID:1528

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\ms9522115.bat
        Filesize

        201B

        MD5

        1adafb9d6913f23e89fe1e11dbb9e3e2

        SHA1

        5b10f89f67c24e1d17c98cca364d3841be9eebe5

        SHA256

        1421fd608d085dfaeb5b7b54cb1dee6d93871b47d4ee50b2e1de18e45ed33e9d

        SHA512

        5948de99bd3022aaa7b81c733ce4bfe5168251dcc528e6126bccc8b0ef8b0be4522a58c1fe9ba27a1ffc352fa2180162ff9a9d2b9999306ee5e8da4b169cafc1

        Download Submit
      • memory/1112-64-0x00000000373F0000-0x0000000037400000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1112-70-0x0000000001CB0000-0x0000000001CC7000-memory.dmp
        Filesize

        92KB

        Download
      • memory/1172-68-0x00000000373F0000-0x0000000037400000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1172-71-0x0000000001BA0000-0x0000000001BB7000-memory.dmp
        Filesize

        92KB

        Download
      • memory/1200-56-0x00000000021E0000-0x00000000021F7000-memory.dmp
        Filesize

        92KB

        Download
      • memory/1200-60-0x00000000373F0000-0x0000000037400000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1200-69-0x00000000021E0000-0x00000000021F7000-memory.dmp
        Filesize

        92KB

        Download
      • memory/1460-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1460-58-0x0000000000150000-0x000000000015E000-memory.dmp
        Filesize

        56KB

        Download
      • memory/1460-59-0x0000000000240000-0x000000000028C000-memory.dmp
        Filesize

        304KB

        Download
      • memory/1528-55-0x0000000000000000-mapping.dmp
        Download