Overview

overview

7

Static

static

Informatio...05.exe

windows7-x64

7

Informatio...05.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    27-11-2022 16:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Informationen_Kontobewegung_dezember_2014_de_20_8139_237_90109238_000129_000028_05.exe

  • Size

    148KB

  • MD5

    e904fb9ef69599c6afec8a00eaa0844f

  • SHA1

    a1edfcaa398b4d4e80d84317fabcdbee7a926ab0

  • SHA256

    9f8b764b140f5384b3cc712640b76fb697566ec30e82508e4b35409ce400869d

  • SHA512

    105bcc7bee4904c7d1bc9d06e4a6c74ea11f6e73bca9d430543f6eb3d3e72df4468e98d966f161b528854c93feca45d03ca475ae450f3224961411e5565d6e05

  • SSDEEP

    3072:EwvzPBhF4kWWGhQr5ZlLP8GJMKvtYPmmzvmBVWLaig768K5:jzPvF4k8oLPSPVzOBsX5

Score
7/10
persistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1248
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:1372
      • C:\Users\Admin\AppData\Local\Temp\Informationen_Kontobewegung_dezember_2014_de_20_8139_237_90109238_000129_000028_05.exe
        "C:\Users\Admin\AppData\Local\Temp\Informationen_Kontobewegung_dezember_2014_de_20_8139_237_90109238_000129_000028_05.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1280
        • C:\Users\Admin\AppData\Local\Temp\Informationen_Kontobewegung_dezember_2014_de_20_8139_237_90109238_000129_000028_05.exe
          C:\Users\Admin\AppData\Local\Temp\Informationen_Kontobewegung_dezember_2014_de_20_8139_237_90109238_000129_000028_05.exe
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:608
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS3907~1.BAT"
            4⤵
            • Deletes itself
            PID:864
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1316
      • C:\Windows\system32\conhost.exe
        \??\C:\Windows\system32\conhost.exe "-896320395-77617795928886066-7603354532678941992059585062-713211726-539040378"
        1⤵
          PID:1348

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\ms3907252.bat
          Filesize

          201B

          MD5

          b04edcfd647409dd6eb2cdeb8a01d8f1

          SHA1

          80f2c413da488b1dcd8e337b4bd0c94872727db2

          SHA256

          74bce4b1e609d17160b0e9d8d05a4044b269fcef01102234c9a6dd9c0b5a2d87

          SHA512

          fff8f4dc1ffb274c37ee3c4bf7637dd8962a1fb41ce01bd5bfc29152abd71588c04179fda373fbb508b1a3d5a4b0729120a1425f0ace8faf9ad0f96c48c3390f

          Download Submit
        • memory/608-74-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/608-58-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/608-60-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/608-55-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/608-63-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/608-64-0x00000000004010C0-mapping.dmp
          Download
        • memory/608-56-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/608-67-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/608-62-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/864-87-0x0000000000170000-0x0000000000184000-memory.dmp
          Filesize

          80KB

          Download
        • memory/864-71-0x0000000000000000-mapping.dmp
          Download
        • memory/1248-83-0x00000000370F0000-0x0000000037100000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1248-94-0x0000000001B40000-0x0000000001B57000-memory.dmp
          Filesize

          92KB

          Download
        • memory/1248-92-0x0000000001BF0000-0x0000000001C07000-memory.dmp
          Filesize

          92KB

          Download
        • memory/1248-86-0x00000000370F0000-0x0000000037100000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1280-54-0x0000000075811000-0x0000000075813000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1280-65-0x0000000000340000-0x0000000000344000-memory.dmp
          Filesize

          16KB

          Download
        • memory/1316-91-0x00000000370F0000-0x0000000037100000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1316-90-0x00000000370F0000-0x0000000037100000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1316-95-0x0000000000250000-0x0000000000267000-memory.dmp
          Filesize

          92KB

          Download
        • memory/1316-96-0x0000000000230000-0x0000000000247000-memory.dmp
          Filesize

          92KB

          Download
        • memory/1372-75-0x00000000370F0000-0x0000000037100000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1372-93-0x0000000002210000-0x0000000002227000-memory.dmp
          Filesize

          92KB

          Download
        • memory/1372-72-0x0000000002210000-0x0000000002227000-memory.dmp
          Filesize

          92KB

          Download
        • memory/1372-97-0x0000000002210000-0x0000000002227000-memory.dmp
          Filesize

          92KB

          Download