Overview

overview

7

Static

static

rechnung_1...05.exe

windows7-x64

7

rechnung_1...05.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    6s
  • max time network
    10s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/11/2022, 18:42 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe

  • Size

    172KB

  • MD5

    c06b551f110824f92f7dd6e1e286338b

  • SHA1

    b1451aabe43b20ddfe11ba08cda0716a47cf9fe6

  • SHA256

    0fdc5af087744ec47f94d6d98b05c2f018a5b16bb097a7826f096bc6f7ffd92f

  • SHA512

    4ae0cee0c75e61be40d33635b658d3ea0e074b7f4246a037da60ee6075906583b532236e41e1a3910684b9d8b71fecbcdadc1f9249bacf94b7726818cfbdc576

  • SSDEEP

    3072:Lw0CwITzueTD9d0h06Up164tnYx82gGtjdkruyjn:LwYuzue/9+hpK8i4IGtj4

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2340
    • C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      1⤵
        PID:3244
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
        1⤵
          PID:760
        • C:\Windows\Explorer.EXE
          C:\Windows\Explorer.EXE
          1⤵
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2940
          • C:\Users\Admin\AppData\Local\Temp\rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
            "C:\Users\Admin\AppData\Local\Temp\rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe"
            2⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:5008
            • C:\Users\Admin\AppData\Local\Temp\rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
              C:\Users\Admin\AppData\Local\Temp\rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
              3⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2404
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS3378~1.BAT"
                4⤵
                  PID:5004
          • C:\Windows\system32\taskhostw.exe
            taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
            1⤵
              PID:2496
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
              1⤵
                PID:2356

              Network

                No results found
              • 178.79.208.1:80
                208 B
                 4
              No results found

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • memory/2404-134-0x0000000000400000-0x0000000000412000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2404-136-0x0000000000400000-0x0000000000412000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2940-138-0x00007FFBDD8B0000-0x00007FFBDD8C0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/5008-132-0x00000000014B0000-0x00000000014B4000-memory.dmp

                Filesize

                16KB

                Download

              We care about your privacy.

              This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.