Overview

overview

7

Static

static

Informatio...05.exe

windows7-x64

7

Informatio...05.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    218s
  • max time network
    304s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    27-11-2022 16:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Informationen_Kontobewegung_dezember_2014_de_20_8139_237_90109238_000129_000028_05.exe

  • Size

    148KB

  • MD5

    9d98c00e6856de4478554ffaa7d186b2

  • SHA1

    10f4dc27fc03d5e31f1050607c3d91a733b95a37

  • SHA256

    79f402d1a823a6c96389483aab9744640aa310546045f6ec76d491b0d9db356b

  • SHA512

    5ecfdd934ebe17a4835d6c08f124c3c2bf66a9a006e8438cd9ab0c33403d037e769477946faff0e465588385ae416bce46eb6524e67b6cdad3405bb3a18c8a5f

  • SSDEEP

    3072:Dku/PN/dw7QrkU8AuXhhHK7Zm1wdEb9leB0pPMMxgf6:wePN//kUbuRhHKmdhVMagf6

Score
7/10
persistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Informationen_Kontobewegung_dezember_2014_de_20_8139_237_90109238_000129_000028_05.exe
    "C:\Users\Admin\AppData\Local\Temp\Informationen_Kontobewegung_dezember_2014_de_20_8139_237_90109238_000129_000028_05.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1516
    • C:\Users\Admin\AppData\Local\Temp\Informationen_Kontobewegung_dezember_2014_de_20_8139_237_90109238_000129_000028_05.exe
      C:\Users\Admin\AppData\Local\Temp\Informationen_Kontobewegung_dezember_2014_de_20_8139_237_90109238_000129_000028_05.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1168
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS7921~1.BAT"
        3⤵
        • Deletes itself
        PID:1472
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1248
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1180
    • C:\Windows\system32\taskhost.exe
      "taskhost.exe"
      1⤵
        PID:1120
      • C:\Windows\system32\conhost.exe
        \??\C:\Windows\system32\conhost.exe "81686729620782064911818387811-13946366681372282858-361711192166301690-1847806715"
        1⤵
          PID:108

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\ms7921405.bat
          Filesize

          201B

          MD5

          ebd7fcff30110fff72cde88056bea5a9

          SHA1

          79c440bb8bf93e40ef6fbff2f94c5fca63ca1716

          SHA256

          cfb5874cb7033662ed24e5c4720cb94eee5a6f89a50ee4e3f17dbe179c3876be

          SHA512

          23083c9b26446aec3e77088d8aeca8e97a0936b73a71a06d1b6e6186c74e7662d283c588c2e3bfda1c750acaadf5d3b72a1efe840935b02ddc07ee61d453da85

          Download Submit
        • memory/108-88-0x00000000001E0000-0x00000000001F7000-memory.dmp
          Filesize

          92KB

          Download
        • memory/1120-81-0x0000000037060000-0x0000000037070000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1120-89-0x0000000000120000-0x0000000000137000-memory.dmp
          Filesize

          92KB

          Download
        • memory/1168-71-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/1168-63-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/1168-64-0x00000000004010C0-mapping.dmp
          Download
        • memory/1168-67-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/1168-55-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/1168-56-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/1168-58-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/1168-62-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/1168-60-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/1180-83-0x0000000037060000-0x0000000037070000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1180-91-0x0000000001BA0000-0x0000000001BB7000-memory.dmp
          Filesize

          92KB

          Download
        • memory/1248-75-0x0000000037060000-0x0000000037070000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1248-73-0x00000000021A0000-0x00000000021B7000-memory.dmp
          Filesize

          92KB

          Download
        • memory/1248-90-0x00000000021A0000-0x00000000021B7000-memory.dmp
          Filesize

          92KB

          Download
        • memory/1472-80-0x0000000000120000-0x0000000000134000-memory.dmp
          Filesize

          80KB

          Download
        • memory/1472-87-0x0000000000120000-0x0000000000134000-memory.dmp
          Filesize

          80KB

          Download
        • memory/1472-72-0x0000000000000000-mapping.dmp
          Download
        • memory/1516-54-0x00000000757E1000-0x00000000757E3000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1516-65-0x0000000000240000-0x0000000000244000-memory.dmp
          Filesize

          16KB

          Download