Overview

overview

7

Static

static

2014_11rec...df.exe

windows7-x64

7

2014_11rec...df.exe

windows10-2004-x64

Analysis

  • max time kernel
    143s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    24-11-2022 14:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe

  • Size

    140KB

  • MD5

    112b33bfeb2514bf11b0595c55173b32

  • SHA1

    bde96a6d72babb9d5dea78d98dfa434ab2108624

  • SHA256

    585f86ba3173d7a8560a2e82d6adcc8e3e3772bbaefb3239547b43a6685f21c1

  • SHA512

    eb9a80e201d751740d0992459e1fcd61f3973113ab62c4d0b930dabcb165095492dc7d70ddfe8267c707d1b73df3a0df772c755b2477839a1f754e17be51401b

  • SSDEEP

    3072:sJjzdejzg3KOSD+dN6so3Llk5aAGGUvXaIurWuK6o5yw5pP9m+OnlNEWd/SGv4MC:URejz+KOW+dNmLeaAGdZuK/z5T5pP9mI

Score
7/10
persistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1188
    • C:\Users\Admin\AppData\Local\Temp\2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1292
      • C:\Users\Admin\AppData\Local\Temp\2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe
        C:\Users\Admin\AppData\Local\Temp\2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:964
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS2925~1.BAT"
          4⤵
          • Deletes itself
          PID:1092
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1156
    • C:\Windows\system32\taskhost.exe
      "taskhost.exe"
      1⤵
        PID:1104
      • C:\Windows\system32\conhost.exe
        \??\C:\Windows\system32\conhost.exe "1831818130-1283168371-1831030738119302411279436381-362963907626218511-282828471"
        1⤵
          PID:1568

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\ms2925246.bat
          Filesize

          201B

          MD5

          0d4feb60a8a707dcfc70b6fbc1468487

          SHA1

          8e9623fc7d3b1741ef94b9a7bac6befcac42ec4b

          SHA256

          0b8263bb39e6350e8fb8366785dc966c50cde720f8823f395e90d35b467741b1

          SHA512

          81fa96d421711ad39560ee40aec40ff48576464e2a801b9deb3468e3b50c19499984f02dbcc4de1fe6918bae55bfd7fd5031fa2c06de29a52a386d27deab5734

          Download Submit

        • memory/964-74-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

          Download

        • memory/964-80-0x0000000000270000-0x0000000000284000-memory.dmp

          Filesize

          80KB

          Download

        • memory/964-58-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

          Download

        • memory/964-60-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

          Download

        • memory/964-62-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

          Download

        • memory/964-64-0x00000000004010C0-mapping.dmp

          Download

        • memory/964-63-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

          Download

        • memory/964-67-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

          Download

        • memory/964-55-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

          Download

        • memory/964-56-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

          Download

        • memory/1092-71-0x0000000000000000-mapping.dmp

          Download

        • memory/1104-91-0x0000000001BA0000-0x0000000001BB7000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1104-86-0x00000000372E0000-0x00000000372F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1156-93-0x0000000000120000-0x0000000000137000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1156-87-0x00000000372E0000-0x00000000372F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1188-75-0x00000000372E0000-0x00000000372F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1188-95-0x000007FE76160000-0x000007FE7616A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1188-92-0x00000000021E0000-0x00000000021F7000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1188-94-0x000007FEF5EC0000-0x000007FEF6003000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1188-72-0x00000000021E0000-0x00000000021F7000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1292-65-0x00000000003E0000-0x00000000003E4000-memory.dmp

          Filesize

          16KB

          Download

        • memory/1292-54-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1568-89-0x00000000372E0000-0x00000000372F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1568-90-0x00000000000D0000-0x00000000000E7000-memory.dmp

          Filesize

          92KB

          Download