Overview

overview

7

Static

static

2014_11rec...df.exe

windows7-x64

7

2014_11rec...df.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    138s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    24-11-2022 14:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe

  • Size

    140KB

  • MD5

    d715f00295f03c8977aad12dcc5270d0

  • SHA1

    7fc24f13b570aec9cabf3ed3b594719689509cb7

  • SHA256

    d376872a3f47cc3245c2843d4e23e177be0bc25ea123980195ffbb670857981f

  • SHA512

    4ca85f28e822904428300dfbfa5f23cecf780c4e5f76d1aaf9b399827a2110db6bdc0a206421e4d384fde29c5f604c88e2663f96db1d2e5fdcc666254e8caffb

  • SSDEEP

    3072:5DorJLbaT+jx3grZQ7tCJR+OqCfZy0znAMMkC64MC:6rJg0x3grC8+OqiZywI6LC

Score
7/10
persistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1236
    • C:\Users\Admin\AppData\Local\Temp\2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1516
      • C:\Users\Admin\AppData\Local\Temp\2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe
        C:\Users\Admin\AppData\Local\Temp\2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1624
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS9068~1.BAT"
          4⤵
          • Deletes itself
          PID:1696
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1180
    • C:\Windows\system32\taskhost.exe
      "taskhost.exe"
      1⤵
        PID:1116
      • C:\Windows\system32\conhost.exe
        \??\C:\Windows\system32\conhost.exe "678644822-1262474562-239984912-915723717262957009-321603401-1339486260-833573209"
        1⤵
          PID:576

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\ms9068152.bat
          Filesize

          201B

          MD5

          649ccd4e746e1e7f2459e42bf84dbc68

          SHA1

          08b185c6f2a9771e19e39c158adaababba8b5517

          SHA256

          3a77680c62c234afa641d086926cee1955badf04f95a269d6670b9331e93807c

          SHA512

          7ce1f4e54b2a64d1e366e87d6ca50f37a015e95ffc18643375ed3d1f03cbe12e45aeb3590078b683fd29543e54b89ef8644e0a667670228a43628de5ad14165d

          Download Submit

        • memory/576-91-0x00000000001D0000-0x00000000001E7000-memory.dmp

          Filesize

          92KB

          Download

        • memory/576-90-0x0000000036E10000-0x0000000036E20000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1116-94-0x0000000001CA0000-0x0000000001CB7000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1116-89-0x0000000036E10000-0x0000000036E20000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1180-87-0x0000000036E10000-0x0000000036E20000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1180-92-0x0000000001BA0000-0x0000000001BB7000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1236-75-0x0000000036E10000-0x0000000036E20000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1236-93-0x0000000002A70000-0x0000000002A87000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1236-72-0x0000000002A70000-0x0000000002A87000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1516-54-0x0000000075111000-0x0000000075113000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1516-65-0x0000000000250000-0x0000000000254000-memory.dmp

          Filesize

          16KB

          Download

        • memory/1624-63-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

          Download

        • memory/1624-74-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

          Download

        • memory/1624-80-0x00000000002E0000-0x00000000002F4000-memory.dmp

          Filesize

          80KB

          Download

        • memory/1624-64-0x00000000004010C0-mapping.dmp

          Download

        • memory/1624-62-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

          Download

        • memory/1624-60-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

          Download

        • memory/1624-58-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

          Download

        • memory/1624-56-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

          Download

        • memory/1624-67-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

          Download

        • memory/1624-55-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

          Download

        • memory/1696-88-0x00000000000B0000-0x00000000000C4000-memory.dmp

          Filesize

          80KB

          Download

        • memory/1696-71-0x0000000000000000-mapping.dmp

          Download