Overview

overview

7

Static

static

2014_11rec...74.exe

windows7-x64

7

2014_11rec...74.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    42s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    24-11-2022 17:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exe

  • Size

    278KB

  • MD5

    47cab2df770bfb3b5e4e741229d029fd

  • SHA1

    7484bee01b8e41999c69e56aea0f5f9eda25279e

  • SHA256

    5c8c2e8e87cd3cdf48883cc6e702b29e9db16e80972c7c4c8d7049d6a3475e2f

  • SHA512

    51df63231c430c17e84dd40034e212182db17325fd49c391eef2f35c62344130f761138bdb4cb2d8ab4628a99158f03a1d77241d33accc98bd1c94be277501df

  • SSDEEP

    6144:3bw0Oxjh1imhqrI4geQo6A7CQe+04FwKg2zM8bT7/:3fkhqR6Abr

Score
7/10
persistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1124
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1244
      • C:\Users\Admin\AppData\Local\Temp\2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exe
        "C:\Users\Admin\AppData\Local\Temp\2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1388
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS6747~1.BAT"
          3⤵
          • Deletes itself
          PID:996
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1184
      • C:\Windows\system32\conhost.exe
        \??\C:\Windows\system32\conhost.exe "-8507891141412526556111359436-605434253-1397646828-1780463213-5057499271296773842"
        1⤵
          PID:1516

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\ms6747145.bat
          Filesize

          201B

          MD5

          a1ce5ea6fb8844f6afa9f53fdb249137

          SHA1

          30b9262bef1ccf644c90d17feef8f400459c6ccd

          SHA256

          e487bd688cba034e3cd096c837f77726a5472014ff629c599c38efbdf2b28840

          SHA512

          7c6dd71cbdd1ab4e4ac88a65f31cdc3ddf6b152aadc8639de39870b48dfa1fafc2f59bccf075f713637876a053de4689a9a22e87ee6c40004f2ba278f39c59af

          Download Submit

        • memory/996-69-0x0000000000280000-0x0000000000294000-memory.dmp

          Filesize

          80KB

          Download

        • memory/996-57-0x0000000000000000-mapping.dmp

          Download

        • memory/1124-74-0x0000000001C50000-0x0000000001C67000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1124-68-0x0000000037740000-0x0000000037750000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1184-71-0x0000000037740000-0x0000000037750000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1184-75-0x0000000000130000-0x0000000000147000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1244-62-0x0000000037740000-0x0000000037750000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1244-73-0x0000000002A90000-0x0000000002AA7000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1244-58-0x0000000002A90000-0x0000000002AA7000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1388-60-0x0000000000090000-0x000000000009E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/1388-61-0x0000000000DB0000-0x0000000000DFE000-memory.dmp

          Filesize

          312KB

          Download

        • memory/1388-54-0x0000000075E11000-0x0000000075E13000-memory.dmp

          Filesize

          8KB

          Download