Overview

overview

7

Static

static

de_0000239...98.exe

windows7-x64

7

de_0000239...98.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    187s
  • max time network
    195s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    27-11-2022 14:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe

  • Size

    144KB

  • MD5

    5d24900b14b68b029005d07c1e56e537

  • SHA1

    0659a9a2c0e8182757bf0f77fbd74360315d528b

  • SHA256

    999cf93e01dfd4e6dd7258381e5a3cf93f0c516130b7a7ee0cbfa2ee6f3f7d60

  • SHA512

    89dc83192c8ae91a4e83ee02b5a60a9fca6faefe8018a07b07a8f2210702d74996d85c6c4a190fde9306d230a72ea7bef631aa9dc5cb2c0d5e9dc45a5bb15443

  • SSDEEP

    3072:CQq8+Jd06U0a/t1DKd6neha4lDpzhy7GwDs:28e0dt1LOawDaSx

Score
7/10
persistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1276
    • C:\Users\Admin\AppData\Local\Temp\de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
      "C:\Users\Admin\AppData\Local\Temp\de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1716
      • C:\Users\Admin\AppData\Local\Temp\de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
        C:\Users\Admin\AppData\Local\Temp\de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1932
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\ms525478.bat"
          4⤵
          • Deletes itself
          PID:1084
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1224
    • C:\Windows\system32\taskhost.exe
      "taskhost.exe"
      1⤵
        PID:1128
      • C:\Windows\system32\conhost.exe
        \??\C:\Windows\system32\conhost.exe "-1822157377-614470190119780098-973487695469261956-12314532321411569134876411351"
        1⤵
          PID:468

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\ms525478.bat
          Filesize

          201B

          MD5

          baa49b28cf2afc05981cbbf84dbe389d

          SHA1

          81be593cd8912d6bb45fbfea8cbd3cc4fa4ddfc8

          SHA256

          5b5951326fbc70f9a32024980336f6e381596c539334e1c0b09dccf29c569ae8

          SHA512

          a5dc116132b856fdf6bd3add75c5eafbba79196fac0b6171ec77f8efdeb293ee2e050635727486349f844a98c72e5ad902433d2ea6a94666f1f03ef58b82d948

          Download Submit

        • memory/468-93-0x0000000000170000-0x0000000000187000-memory.dmp

          Filesize

          92KB

          Download

        • memory/468-91-0x0000000037100000-0x0000000037110000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1084-92-0x0000000000410000-0x0000000000424000-memory.dmp

          Filesize

          80KB

          Download

        • memory/1084-81-0x0000000000410000-0x0000000000424000-memory.dmp

          Filesize

          80KB

          Download

        • memory/1084-90-0x00000000372B0000-0x00000000372C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1128-84-0x0000000037100000-0x0000000037110000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1128-94-0x0000000001C80000-0x0000000001C97000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1128-85-0x0000000001C80000-0x0000000001C97000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1224-86-0x0000000037100000-0x0000000037110000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1224-89-0x0000000001B50000-0x0000000001B67000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1276-87-0x00000000029E0000-0x00000000029F7000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1276-75-0x0000000037100000-0x0000000037110000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1276-72-0x00000000029E0000-0x00000000029F7000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1716-65-0x0000000000300000-0x0000000000304000-memory.dmp

          Filesize

          16KB

          Download

        • memory/1716-54-0x00000000757E1000-0x00000000757E3000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1932-63-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1932-74-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1932-67-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1932-62-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1932-60-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1932-58-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1932-56-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1932-55-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download