Analysis
max time kernel: 184s
max time network: 206s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 27-11-2022 18:38
Static task: static1
Behavioral task: behavioral1
  Sample: ihre_festnetz_rechnung_november_2014_54_7_0_2_8_00000390002_210_22_41_66_00000007.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: ihre_festnetz_rechnung_november_2014_54_7_0_2_8_00000390002_210_22_41_66_00000007.exe
  Resource: win10v2004-20220812-en
General
Target: ihre_festnetz_rechnung_november_2014_54_7_0_2_8_00000390002_210_22_41_66_00000007.exe
Size: 168KB
MD5: 60e3cb5dd482ce771d0e5c6576a8269c
SHA1: 33573fa6ad2ac27d48bd3ef1f84739449ec4b682
SHA256: 37d254df44c84c208156c066068f2397e57413affd480a80dc01d0b2eb0cbb31
SHA512: bf2fab79ed0dd3fe763f6e2a0b809454536a5335ef29ebea40d562f2b745d695489d9d3039ab0f79b9f982863bfa0a266996c827b2338712f61965077e65eaa8
SSDEEP: 3072:CdLyZlwEyKcoO29Y5eCPN2bViTphJP12EFs+NLVgu2TVAOWX:sLaw7F3CY5e+CVi/yEXlVh2hk
Malware Config
Signatures
-
Deletes itself (1 IoC)
  pid 832, Process cmd.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Key created
    ioc: \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run
    Process: Explorer.EXE
  description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\loibgjiv.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\loibgjiv.exe\""
    Process: Explorer.EXE

Suspicious use of SetThreadContext (1 IoC)
  description: PID 576 set thread context of 768
    pid 576, Process ihre_festnetz_rechnung_november_2014_54_7_0_2_8_00000390002_210_22_41_66_00000007.exe, procid_target 28

Suspicious behavior: EnumeratesProcesses (17 IoCs)
  pid 576, Process ihre_festnetz_rechnung_november_2014_54_7_0_2_8_00000390002_210_22_41_66_00000007.exe (3 entries)
  pid 768, Process ihre_festnetz_rechnung_november_2014_54_7_0_2_8_00000390002_210_22_41_66_00000007.exe (2 entries)
  pid 1252, Process Explorer.EXE (12 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 1252, Process Explorer.EXE

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description: Token: SeDebugPrivilege, pid 768, Process ihre_festnetz_rechnung_november_2014_54_7_0_2_8_00000390002_210_22_41_66_00000007.exe
  description: Token: SeDebugPrivilege, pid 1252, Process Explorer.EXE
  description: Token: SeShutdownPrivilege, pid 1252, Process Explorer.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 1252, Process Explorer.EXE (2 entries)

Suspicious use of SendNotifyMessage (2 IoCs)
  pid 1252, Process Explorer.EXE (2 entries)

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 576, Process ihre_festnetz_rechnung_november_2014_54_7_0_2_8_00000390002_210_22_41_66_00000007.exe (2 entries)

Suspicious use of UnmapMainImage (1 IoC)
  pid 1252, Process Explorer.EXE

Suspicious use of WriteProcessMemory (21 IoCs)
  description: PID 576 wrote to memory of 768, pid 576, Process ihre_festnetz_rechnung_november_2014_54_7_0_2_8_00000390002_210_22_41_66_00000007.exe, procid_target 28 (10 entries)
  description: PID 768 wrote to memory of 832, pid 768, Process ihre_festnetz_rechnung_november_2014_54_7_0_2_8_00000390002_210_22_41_66_00000007.exe, procid_target 29 (4 entries)
  description: PID 768 wrote to memory of 1252, pid 768, Process ihre_festnetz_rechnung_november_2014_54_7_0_2_8_00000390002_210_22_41_66_00000007.exe, procid_target 16 (1 entry)
  description: PID 1252 wrote to memory of 1128, pid 1252, Process Explorer.EXE, procid_target 18 (1 entry)
  description: PID 1252 wrote to memory of 1188, pid 1252, Process Explorer.EXE, procid_target 17 (1 entry)
  description: PID 1252 wrote to memory of 832, pid 1252, Process Explorer.EXE, procid_target 29 (2 entries)
  description: PID 1252 wrote to memory of 1768, pid 1252, Process Explorer.EXE, procid_target 30 (2 entries)
Processes (indentation shows the process tree depth)

C:\Users\Admin\AppData\Local\Temp\ihre_festnetz_rechnung_november_2014_54_7_0_2_8_00000390002_210_22_41_66_00000007.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ihre_festnetz_rechnung_november_2014_54_7_0_2_8_00000390002_210_22_41_66_00000007.exe"
  PID: 576
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\ihre_festnetz_rechnung_november_2014_54_7_0_2_8_00000390002_210_22_41_66_00000007.exe (child of PID 576)
    Command line: C:\Users\Admin\AppData\Local\Temp\ihre_festnetz_rechnung_november_2014_54_7_0_2_8_00000390002_210_22_41_66_00000007.exe
    PID: 768
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (child of PID 768)
      Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS6747~1.BAT"
      PID: 832
      - Deletes itself

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1252
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
  PID: 1188

C:\Windows\system32\taskhost.exe
  Command line: "taskhost.exe"
  PID: 1128

C:\Windows\system32\conhost.exe
  Command line: \??\C:\Windows\system32\conhost.exe "371639937-1550695799392767421066594319-41650781-1145440702-3288159681746029166"
  PID: 1768
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 201B
MD5: 4cae181a8896e259f10b5a2a2991a88b
SHA1: 8874876acf74828d3f471558b6fae1ff13844cb7
SHA256: 70920bdba9cc2065de68add460bcb3dd58a26c36611f022fbc5272611446b90e
SHA512: 77857bc188f9cb7915b128591035336c8bc92f299fb266fd45d103ee465299e9d852708862dc4be6fa916b5fa53eec4429b4bf6b7365b7a3895cb911fff85798