Overview

overview

7

Static

static

652c4f1b4f...65.zip

windows7-x64

1

652c4f1b4f...65.zip

windows10-2004-x64

1

de_0000239...98.exe

windows7-x64

7

de_0000239...98.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    4s
  • max time network
    45s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/11/2022, 03:43

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe

  • Size

    156KB

  • MD5

    9b011c8f47d228d12160ca7cd6ca9c1f

  • SHA1

    2fdd519c11980440a2c6e62ca66638903bb006fe

  • SHA256

    8876ae1e261a99ebbad73c1a89e525fa43f1fb6b9241eec58793d818542ac437

  • SHA512

    d22c9d34850a89720b7a1d97d39d0d245cbea70140817092ae7996eb633513d1f1a31eca8100ac13576731b1a923eca691d0149cea63712c34e082ae3f65ed0a

  • SSDEEP

    3072:LCKpj8ySAFBsh6z6CoxIzQFO/YYWhGYeMF:OKpAvkz6xFz

Score
5/10

Malware Config

Signatures

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:2628
      • C:\Users\Admin\AppData\Local\Temp\de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
        "C:\Users\Admin\AppData\Local\Temp\de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4164
        • C:\Users\Admin\AppData\Local\Temp\de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
          C:\Users\Admin\AppData\Local\Temp\de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4700
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS3251~1.BAT"
            4⤵
              PID:3372

      Network

            MITRE ATT&CK Matrix

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/2628-138-0x00007FF80E710000-0x00007FF80E720000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4164-135-0x0000000001060000-0x0000000001064000-memory.dmp

              Filesize

              16KB

              Download

            • memory/4700-133-0x0000000000400000-0x0000000000412000-memory.dmp

              Filesize

              72KB

              Download

            • memory/4700-136-0x0000000000400000-0x0000000000412000-memory.dmp

              Filesize

              72KB

              Download