Analysis
max time kernel: 143s
max time network: 138s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 24-11-2022 14:11
Static task: static1
Behavioral task: behavioral1
  Sample: 2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe
  Resource: win10v2004-20221111-en
General
Target: 2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe
Size: 140KB
MD5: 112b33bfeb2514bf11b0595c55173b32
SHA1: bde96a6d72babb9d5dea78d98dfa434ab2108624
SHA256: 585f86ba3173d7a8560a2e82d6adcc8e3e3772bbaefb3239547b43a6685f21c1
SHA512: eb9a80e201d751740d0992459e1fcd61f3973113ab62c4d0b930dabcb165095492dc7d70ddfe8267c707d1b73df3a0df772c755b2477839a1f754e17be51401b
SSDEEP: 3072:sJjzdejzg3KOSD+dN6so3Llk5aAGGUvXaIurWuK6o5yw5pP9m+OnlNEWd/SGv4MC:URejz+KOW+dNmLeaAGdZuK/z5T5pP9mI
Malware Config
Signatures
In the entries below, "sample" denotes 2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe. The original tables (description, pid, process, target process) are flattened into one line per IoC; a trailing "(xN)" marks an identical IoC recorded N times.

- Deletes itself (1 IoC)
  Process: cmd.exe, PID 1092
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\uhbkhryw.exe = "C:\Users\Admin\AppData\Roaming\Identities\uhbkhryw.exe" (process: Explorer.EXE; the value data is the quoted path, shown here unescaped)
  Key created: \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: Explorer.EXE)
- Suspicious use of SetThreadContext (1 IoC)
  PID 1292 (sample) set thread context of PID 964 (sample)
- Suspicious behavior: EnumeratesProcesses (17 IoCs)
  PID 1292 (sample) (x3); PID 964 (sample) (x2); PID 1188 (Explorer.EXE) (x12)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1188 (Explorer.EXE)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 964 (sample)
  Token: SeDebugPrivilege, PID 1188 (Explorer.EXE)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 1188 (Explorer.EXE) (x2)
- Suspicious use of SendNotifyMessage (2 IoCs)
  PID 1188 (Explorer.EXE) (x2)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 1292 (sample) (x2)
- Suspicious use of WriteProcessMemory (20 IoCs)
  PID 1292 (sample) wrote to memory of PID 964 (sample) (x10)
  PID 964 (sample) wrote to memory of PID 1092 (cmd.exe) (x4)
  PID 964 (sample) wrote to memory of PID 1188 (Explorer.EXE)
  PID 1188 (Explorer.EXE) wrote to memory of PID 1104 (taskhost.exe)
  PID 1188 (Explorer.EXE) wrote to memory of PID 1156 (Dwm.exe)
  PID 1188 (Explorer.EXE) wrote to memory of PID 964 (sample)
  PID 1188 (Explorer.EXE) wrote to memory of PID 1092 (cmd.exe)
  PID 1188 (Explorer.EXE) wrote to memory of PID 1568 (conhost.exe)
Processes
Indentation and the bracketed number give the parent/child depth from the report; "command line" is the command line the sandbox recorded for that process.

- [1] C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE), PID 1188
      Signatures: Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe (command line: "C:\Users\Admin\AppData\Local\Temp\2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe"), PID 1292
        Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe (command line: C:\Users\Admin\AppData\Local\Temp\2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe), PID 964
          A second instance of the same image, started by PID 1292, which writes to it and sets its thread context (see the signature tables).
          Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\cmd.exe (command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS2925~1.BAT"), PID 1092
            The command line names system32\cmd.exe but the image that ran is SysWOW64\cmd.exe, i.e. WOW64 file-system redirection for a 32-bit caller on this x64 image.
            Signatures: Deletes itself
- [1] C:\Windows\system32\Dwm.exe (command line: "C:\Windows\system32\Dwm.exe"), PID 1156
- [1] C:\Windows\system32\taskhost.exe (command line: "taskhost.exe"), PID 1104
- [1] C:\Windows\system32\conhost.exe (command line: \??\C:\Windows\system32\conhost.exe "1831818130-1283168371-1831030738119302411279436381-362963907626218511-282828471"), PID 1568
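Read together, the signature tables and the process tree describe one chain: the sample (PID 1292) starts a second copy of itself (PID 964), writes into it ten times and calls SetThreadContext on it, which is the process-hollowing (RunPE) shape; the hollowed copy then writes into Explorer.EXE (PID 1188), and it is Explorer.EXE, not the sample, that creates the Run value uhbkhryw.exe pointing into AppData\Roaming and writes into taskhost.exe, Dwm.exe and conhost.exe; finally the hollowed copy spawns cmd.exe /c on a batch file under AppData\Roaming, which the report tags as deleting the sample. The Python below re-derives those findings from the raw events. It is an added example written for this page, not code from the sandbox or from the sample's author; the event records are constructed by hand from the PIDs, paths and registry values printed in the report, and the record layout (kind / pid / ppid / target / key / data) is my own assumption, not the sandbox's export format. The report does not show how PID 964 was created (for example whether it was started suspended), so the hollowing check keys only on what is shown: same image, parent and child, WriteProcessMemory followed by SetThreadContext.

```python
"""Re-derive the report's headline findings from its raw behaviour events.
Added example, not the sandbox's own code. EVENTS is constructed by hand from the
values printed in the report (PIDs, image paths, Run key, batch path); the record
layout (kind / pid / ppid / target / ...) is my assumption, not the sandbox's format."""
import ntpath  # Windows path semantics regardless of the host OS
import re
from collections import Counter

SAMPLE = "2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
RUN_VALUE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\([^\\]+)$", re.I)

def _proc(pid, ppid, image, cmdline=None):
    return {"kind": "process", "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}

def _wpm(pid, target, n=1):
    return [{"kind": "WriteProcessMemory", "pid": pid, "target": target}] * n

EVENTS = [  # constructed from the report's process tree and signature tables
    _proc(1188, None, r"C:\Windows\Explorer.EXE"),
    _proc(1104, None, r"C:\Windows\system32\taskhost.exe"),
    _proc(1156, None, r"C:\Windows\system32\Dwm.exe"),
    _proc(1568, None, r"C:\Windows\system32\conhost.exe"),
    _proc(1292, 1188, ntpath.join(TEMP, SAMPLE)),
    _proc(964, 1292, ntpath.join(TEMP, SAMPLE)),   # second copy of the sample
    _proc(1092, 964, r"C:\Windows\SysWOW64\cmd.exe",
          r'"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS2925~1.BAT"'),
    {"kind": "SetThreadContext", "pid": 1292, "target": 964},
    *_wpm(1292, 964, 10), *_wpm(964, 1092, 4), *_wpm(964, 1188),
    *_wpm(1188, 1104), *_wpm(1188, 1156), *_wpm(1188, 964), *_wpm(1188, 1092), *_wpm(1188, 1568),
    {"kind": "RegSetValue", "pid": 1188,
     "key": r"\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run\uhbkhryw.exe",
     "data": r'"C:\Users\Admin\AppData\Roaming\Identities\uhbkhryw.exe"'},
]

def processes(events):
    return {e["pid"]: e for e in events if e["kind"] == "process"}

def write_counts(events):
    """(writer pid, target pid) -> number of WriteProcessMemory calls."""
    return Counter((e["pid"], e["target"]) for e in events if e["kind"] == "WriteProcessMemory")

def find_hollowing(events):
    """Parent writes into a child running the same image and then calls SetThreadContext
    on it: the RunPE / process-hollowing shape. Returns (parent pid, child pid) pairs."""
    procs, writes, hits = processes(events), write_counts(events), []
    for e in (e for e in events if e["kind"] == "SetThreadContext"):
        parent, child = procs.get(e["pid"]), procs.get(e["target"])
        if (parent and child and child["ppid"] == parent["pid"]
                and parent["image"].lower() == child["image"].lower()
                and writes[(parent["pid"], child["pid"])] > 0):
            hits.append((parent["pid"], child["pid"]))
    return hits

def injected_targets(events, origin):
    """PIDs reachable from `origin` along WriteProcessMemory edges, transitively."""
    writes, seen, frontier = write_counts(events), set(), [origin]
    while frontier:
        writer = frontier.pop()
        for w, target in writes:
            if w == writer and target != origin and target not in seen:
                seen.add(target)
                frontier.append(target)
    return seen

def find_run_key_persistence(events, worker_pid):
    """Run-key values pointing into a user-writable profile directory. `writer_injected`
    flags that the writer had itself received WriteProcessMemory from the worker."""
    procs, injected, out = processes(events), injected_targets(events, worker_pid), []
    for e in (e for e in events if e["kind"] == "RegSetValue"):
        m = RUN_VALUE.search(e["key"])
        if m:
            path = e["data"].strip('"')  # the REG_SZ data is the quoted path
            out.append({"value_name": m.group(1), "path": path,
                        "user_writable": bool(USER_WRITABLE.match(path)),
                        "writer": ntpath.basename(procs[e["pid"]]["image"]),
                        "writer_injected": e["pid"] in injected})
    return out

def find_batch_self_delete(events, worker_pid):
    """cmd.exe /c <batch under the user profile>, spawned by the worker."""
    hits = []
    for p in processes(events).values():
        if p["ppid"] == worker_pid and ntpath.basename(p["image"]).lower() == "cmd.exe":
            m = re.search(r'/c\s+"?([^"]+\.bat)"?', p["cmdline"] or "", re.I)
            if m and USER_WRITABLE.match(m.group(1)):
                hits.append((p["pid"], m.group(1)))
    return hits

def triage(events):
    """Chain the checks: the hollowed child is the worker that all later activity hangs off."""
    hollow = find_hollowing(events)
    worker, procs = (hollow[0][1] if hollow else None), processes(events)
    system = [p for p in injected_targets(events, worker) if procs[p]["ppid"] is None] if worker else []
    return {"hollowing": hollow,
            "injected_system_processes": sorted(ntpath.basename(procs[p]["image"]) for p in system),
            "run_key": find_run_key_persistence(events, worker) if worker else [],
            "self_delete": find_batch_self_delete(events, worker) if worker else []}

FINDINGS = triage(EVENTS)  # e.g. FINDINGS["hollowing"] == [(1292, 964)]
```

Import the module and inspect FINDINGS, or call triage() on an event list of your own in the same layout. The part worth carrying into a real detection is the writer_injected flag: a Run value written by Explorer.EXE looks benign on its own and only becomes suspicious once it is tied back to the earlier cross-process write from the sample, which is exactly why the sandbox attributes "Adds Run key" to Explorer.EXE rather than to the sample.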
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 201B
  MD5: 0d4feb60a8a707dcfc70b6fbc1468487
  SHA1: 8e9623fc7d3b1741ef94b9a7bac6befcac42ec4b
  SHA256: 0b8263bb39e6350e8fb8366785dc966c50cde720f8823f395e90d35b467741b1
  SHA512: 81fa96d421711ad39560ee40aec40ff48576464e2a801b9deb3468e3b50c19499984f02dbcc4de1fe6918bae55bfd7fd5031fa2c06de29a52a386d27deab5734