Overview

overview

7

Static

static

2014_11fin...df.exe

windows7-x64

7

2014_11fin...df.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    32s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    24-11-2022 14:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2014_11finanzgruppe_volksbanken_00002000001.3738830001.556267288-0001.pdf.exe

  • Size

    140KB

  • MD5

    112b33bfeb2514bf11b0595c55173b32

  • SHA1

    bde96a6d72babb9d5dea78d98dfa434ab2108624

  • SHA256

    585f86ba3173d7a8560a2e82d6adcc8e3e3772bbaefb3239547b43a6685f21c1

  • SHA512

    eb9a80e201d751740d0992459e1fcd61f3973113ab62c4d0b930dabcb165095492dc7d70ddfe8267c707d1b73df3a0df772c755b2477839a1f754e17be51401b

  • SSDEEP

    3072:sJjzdejzg3KOSD+dN6so3Llk5aAGGUvXaIurWuK6o5yw5pP9m+OnlNEWd/SGv4MC:URejz+KOW+dNmLeaAGdZuK/z5T5pP9mI

Score
7/10
persistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1188
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1216
      • C:\Users\Admin\AppData\Local\Temp\2014_11finanzgruppe_volksbanken_00002000001.3738830001.556267288-0001.pdf.exe
        "C:\Users\Admin\AppData\Local\Temp\2014_11finanzgruppe_volksbanken_00002000001.3738830001.556267288-0001.pdf.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:900
        • C:\Users\Admin\AppData\Local\Temp\2014_11finanzgruppe_volksbanken_00002000001.3738830001.556267288-0001.pdf.exe
          C:\Users\Admin\AppData\Local\Temp\2014_11finanzgruppe_volksbanken_00002000001.3738830001.556267288-0001.pdf.exe
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1988
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS3962~1.BAT"
            4⤵
            • Deletes itself
            PID:1964
    • C:\Windows\system32\taskhost.exe
      "taskhost.exe"
      1⤵
        PID:1116
      • C:\Windows\system32\conhost.exe
        \??\C:\Windows\system32\conhost.exe "-1530761495-1370233097760690755-15652543681102122117961177608-1081656282830991522"
        1⤵
          PID:1840

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\ms3962763.bat
          Filesize

          201B

          MD5

          ef7d42a0211ebdb99f659604c1080c7b

          SHA1

          8a2733f8b8485bc819aba0bc0f2dec742648b6d8

          SHA256

          0d22df68cd2032121504027ea073aeb71b93c0676ba586693f71f8cf8f8164be

          SHA512

          cedecd0feee09e93789552025c132f3bf8f94ed1df19bb8544bb9925a658799df5834a353f2216a343374237565a06f3622bf098bce56ce38c4e6891769a8151

          Download Submit

        • memory/900-54-0x0000000075571000-0x0000000075573000-memory.dmp

          Filesize

          8KB

          Download

        • memory/900-66-0x0000000000250000-0x0000000000254000-memory.dmp

          Filesize

          16KB

          Download

        • memory/1116-95-0x00000000002B0000-0x00000000002C7000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1116-81-0x0000000036D80000-0x0000000036D90000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1188-97-0x0000000000120000-0x0000000000137000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1188-84-0x0000000036D80000-0x0000000036D90000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1216-73-0x0000000001DD0000-0x0000000001DE7000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1216-96-0x0000000001DD0000-0x0000000001DE7000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1216-75-0x0000000036D80000-0x0000000036D90000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1840-91-0x0000000036D80000-0x0000000036D90000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1840-93-0x00000000000F0000-0x0000000000107000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1840-94-0x00000000000D0000-0x00000000000E7000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1840-92-0x0000000036D80000-0x0000000036D90000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1964-72-0x0000000000000000-mapping.dmp

          Download

        • memory/1964-80-0x00000000000F0000-0x0000000000104000-memory.dmp

          Filesize

          80KB

          Download

        • memory/1988-64-0x00000000004010C0-mapping.dmp

          Download

        • memory/1988-62-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

          Download

        • memory/1988-60-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

          Download

        • memory/1988-63-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

          Download

        • memory/1988-67-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

          Download

        • memory/1988-71-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

          Download

        • memory/1988-58-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

          Download

        • memory/1988-56-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

          Download

        • memory/1988-55-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

          Download