Overview

overview

7

Static

static

rechnung_1...05.exe

windows7-x64

7

rechnung_1...05.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    179s
  • max time network
    194s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    27-11-2022 18:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe

  • Size

    172KB

  • MD5

    c06b551f110824f92f7dd6e1e286338b

  • SHA1

    b1451aabe43b20ddfe11ba08cda0716a47cf9fe6

  • SHA256

    0fdc5af087744ec47f94d6d98b05c2f018a5b16bb097a7826f096bc6f7ffd92f

  • SHA512

    4ae0cee0c75e61be40d33635b658d3ea0e074b7f4246a037da60ee6075906583b532236e41e1a3910684b9d8b71fecbcdadc1f9249bacf94b7726818cfbdc576

  • SSDEEP

    3072:Lw0CwITzueTD9d0h06Up164tnYx82gGtjdkruyjn:LwYuzue/9+hpK8i4IGtj4

Score
7/10
persistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
    "C:\Users\Admin\AppData\Local\Temp\rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1072
    • C:\Users\Admin\AppData\Local\Temp\rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
      C:\Users\Admin\AppData\Local\Temp\rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1748
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS9068~1.BAT"
        3⤵
        • Deletes itself
        PID:1984
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1388
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1332
    • C:\Windows\system32\taskhost.exe
      "taskhost.exe"
      1⤵
        PID:1256

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\ms9068152.bat
        Filesize

        201B

        MD5

        56d8d1d756a52838c8c8e362aa327cb1

        SHA1

        914be71710c0f3955d04f3be74d760bd1ba9f9f5

        SHA256

        7ef50eaec707347f7bf540a24113a48e9f630912b10e76d1c18806cf39283aff

        SHA512

        c1ff62e371b18c7f56f88b81abc5207df351992162d8c27cebb4f6322108fc73ce67fd34b24d3c7f8c11104dede9490222f87a28a264008863b0430f86f76323

        Download Submit

      • memory/1072-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1072-65-0x00000000002E0000-0x00000000002E4000-memory.dmp

        Filesize

        16KB

        Download

      • memory/1256-84-0x00000000001A0000-0x00000000001B7000-memory.dmp

        Filesize

        92KB

        Download

      • memory/1256-81-0x0000000037920000-0x0000000037930000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1332-85-0x0000000000230000-0x0000000000247000-memory.dmp

        Filesize

        92KB

        Download

      • memory/1332-82-0x0000000037920000-0x0000000037930000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1388-72-0x0000000002A50000-0x0000000002A67000-memory.dmp

        Filesize

        92KB

        Download

      • memory/1388-83-0x0000000002A50000-0x0000000002A67000-memory.dmp

        Filesize

        92KB

        Download

      • memory/1388-75-0x0000000037920000-0x0000000037930000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1748-63-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1748-74-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1748-62-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1748-67-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1748-60-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1748-58-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1748-56-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1748-55-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download