c52ecf030cf4ebed1113d4e908caf5d42af307c4f31698b9e7fb24f7bc9cd707

Analysis

max time kernel
142s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
15-06-2023 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Zahlungsbeleg.exe
Size

456KB
MD5

185822f8aeb81190d66455775e3901d0
SHA1

7974fd030ff305dcaa7fde144f9704f079fd1759
SHA256

c52ecf030cf4ebed1113d4e908caf5d42af307c4f31698b9e7fb24f7bc9cd707
SHA512

8f7308ea23cbd6ff704ac630ff7cf6da281737588990b58a251ea21703c37e2dd5a7296caa622d993089656752adcb70779cd4a4ce79cc1f17b3724cf57c531f
SSDEEP

12288:ZrJT5pvPVnJiM6tQoNgrhModNgF/j7KEIz8s7y:RpvPVnJf6vsPgF/3ez8+y

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1244 set thread context of 1008	1244	Zahlungsbeleg.exe	36

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
1244	Zahlungsbeleg.exe
1244	Zahlungsbeleg.exe
1244	Zahlungsbeleg.exe
1244	Zahlungsbeleg.exe
1244	Zahlungsbeleg.exe
1244	Zahlungsbeleg.exe
1244	Zahlungsbeleg.exe
1244	Zahlungsbeleg.exe
1244	Zahlungsbeleg.exe
1008	AddInProcess32.exe
1008	AddInProcess32.exe
1008	AddInProcess32.exe
1008	AddInProcess32.exe
1008	AddInProcess32.exe
1008	AddInProcess32.exe
1008	AddInProcess32.exe
1008	AddInProcess32.exe
1008	AddInProcess32.exe
1008	AddInProcess32.exe
1008	AddInProcess32.exe
1008	AddInProcess32.exe
1008	AddInProcess32.exe
1008	AddInProcess32.exe
1008	AddInProcess32.exe
1008	AddInProcess32.exe
1008	AddInProcess32.exe
1008	AddInProcess32.exe
1008	AddInProcess32.exe
1008	AddInProcess32.exe
1008	AddInProcess32.exe
1008	AddInProcess32.exe
1008	AddInProcess32.exe
1008	AddInProcess32.exe
1008	AddInProcess32.exe
1008	AddInProcess32.exe
1008	AddInProcess32.exe
1008	AddInProcess32.exe
1008	AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1244	Zahlungsbeleg.exe
Token: SeDebugPrivilege	1008	AddInProcess32.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 2028	1244	Zahlungsbeleg.exe	27
PID 1244 wrote to memory of 2028	1244	Zahlungsbeleg.exe	27
PID 1244 wrote to memory of 2028	1244	Zahlungsbeleg.exe	27
PID 1244 wrote to memory of 676	1244	Zahlungsbeleg.exe	28
PID 1244 wrote to memory of 676	1244	Zahlungsbeleg.exe	28
PID 1244 wrote to memory of 676	1244	Zahlungsbeleg.exe	28
PID 1244 wrote to memory of 572	1244	Zahlungsbeleg.exe	29
PID 1244 wrote to memory of 572	1244	Zahlungsbeleg.exe	29
PID 1244 wrote to memory of 572	1244	Zahlungsbeleg.exe	29
PID 1244 wrote to memory of 1296	1244	Zahlungsbeleg.exe	30
PID 1244 wrote to memory of 1296	1244	Zahlungsbeleg.exe	30
PID 1244 wrote to memory of 1296	1244	Zahlungsbeleg.exe	30
PID 1244 wrote to memory of 1080	1244	Zahlungsbeleg.exe	31
PID 1244 wrote to memory of 1080	1244	Zahlungsbeleg.exe	31
PID 1244 wrote to memory of 1080	1244	Zahlungsbeleg.exe	31
PID 1244 wrote to memory of 1584	1244	Zahlungsbeleg.exe	32
PID 1244 wrote to memory of 1584	1244	Zahlungsbeleg.exe	32
PID 1244 wrote to memory of 1584	1244	Zahlungsbeleg.exe	32
PID 1244 wrote to memory of 1440	1244	Zahlungsbeleg.exe	33
PID 1244 wrote to memory of 1440	1244	Zahlungsbeleg.exe	33
PID 1244 wrote to memory of 1440	1244	Zahlungsbeleg.exe	33
PID 1244 wrote to memory of 1440	1244	Zahlungsbeleg.exe	33
PID 1244 wrote to memory of 432	1244	Zahlungsbeleg.exe	34
PID 1244 wrote to memory of 432	1244	Zahlungsbeleg.exe	34
PID 1244 wrote to memory of 432	1244	Zahlungsbeleg.exe	34
PID 1244 wrote to memory of 748	1244	Zahlungsbeleg.exe	35
PID 1244 wrote to memory of 748	1244	Zahlungsbeleg.exe	35
PID 1244 wrote to memory of 748	1244	Zahlungsbeleg.exe	35
PID 1244 wrote to memory of 1008	1244	Zahlungsbeleg.exe	36
PID 1244 wrote to memory of 1008	1244	Zahlungsbeleg.exe	36
PID 1244 wrote to memory of 1008	1244	Zahlungsbeleg.exe	36
PID 1244 wrote to memory of 1008	1244	Zahlungsbeleg.exe	36
PID 1244 wrote to memory of 1008	1244	Zahlungsbeleg.exe	36
PID 1244 wrote to memory of 1008	1244	Zahlungsbeleg.exe	36
PID 1244 wrote to memory of 1008	1244	Zahlungsbeleg.exe	36

C:\Users\Admin\AppData\Local\Temp\Zahlungsbeleg.exe
"C:\Users\Admin\AppData\Local\Temp\Zahlungsbeleg.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
  2⤵
  PID:2028
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
  2⤵
  PID:676
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
  2⤵
  PID:572
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
  2⤵
  PID:1296
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
  2⤵
  PID:1080
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
  2⤵
  PID:1584
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
  2⤵
  PID:1440
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:432
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
  2⤵
  PID:748
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1008

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1008-57-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1008-58-0x0000000000A40000-0x0000000000D43000-memory.dmp

Filesize
3.0MB

Download
memory/1008-59-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1244-54-0x0000000000E90000-0x0000000000F06000-memory.dmp

Filesize
472KB

Download
memory/1244-55-0x0000000000CB0000-0x0000000000D24000-memory.dmp

Filesize
464KB

Download
memory/1244-56-0x000000001AEC0000-0x000000001AF40000-memory.dmp

Filesize
512KB

Download