Analysis
max time kernel: 142s
max time network: 143s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 09-05-2024 06:24
Static task
static1
Behavioral task
behavioral1
Sample
Guten Tag DM 1.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
Guten Tag DM 1.exe
Resource
win10v2004-20240508-en
General
Target: Guten Tag DM 1.exe
Size: 1.9MB
MD5: acdf1484fdbb410e623b46ae931652fa
SHA1: 1fa059452c938462620bfca3a1d20118ef72bba6
SHA256: 7667cf6eafeb3ee55c7c4cfdd65e9a56261cc40af3d550932d6d1af5f2c0fbde
SHA512: 1e531a75e2bd3a2f17b856dd804bfafc03be769de5accbfb339ebbbd196661e6ddf0a18c41748c1f9db4d4e4c7edaa6ba63936414d8bc7e861084d4746390ee7
SSDEEP: 24576:ETfEWQMHi9jzdDnAHo5kqK5dFv0oDoL2+8+LpTiGYEe0XmMZWwu8sXEJw+loSY:ucW4frOj/We+1TiTZREJw+lDY
Malware Config
Signatures
Downloads MZ/PE file

Executes dropped EXE (1 IoC)
pid Process
2988 Guten Tag DM 1.tmp

Loads dropped DLL (2 IoCs)
pid Process
1760 Guten Tag DM 1.exe
2988 Guten Tag DM 1.tmp

Script User-Agent (1 IoC)
Uses user-agent string associated with script host/environment.
description flow ioc
HTTP User-Agent header 3 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid Process
2988 Guten Tag DM 1.tmp

Suspicious use of WriteProcessMemory (7 IoCs)
description pid Process procid_target
PID 1760 wrote to memory of 2988 1760 Guten Tag DM 1.exe 28
PID 1760 wrote to memory of 2988 1760 Guten Tag DM 1.exe 28
PID 1760 wrote to memory of 2988 1760 Guten Tag DM 1.exe 28
PID 1760 wrote to memory of 2988 1760 Guten Tag DM 1.exe 28
PID 1760 wrote to memory of 2988 1760 Guten Tag DM 1.exe 28
PID 1760 wrote to memory of 2988 1760 Guten Tag DM 1.exe 28
PID 1760 wrote to memory of 2988 1760 Guten Tag DM 1.exe 28
Processes
C:\Users\Admin\AppData\Local\Temp\ Guten Tag DM 1.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ Guten Tag DM 1.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1760

  C:\Users\Admin\AppData\Local\Temp\is-7E5AS.tmp\ Guten Tag DM 1.tmp
  Command line: "C:\Users\Admin\AppData\Local\Temp\is-7E5AS.tmp\ Guten Tag DM 1.tmp" /SL5="$40150,1272135,858112,C:\Users\Admin\AppData\Local\Temp\ Guten Tag DM 1.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID: 2988
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 2.5MB
MD5: 558b1d3291218b17bb1a0cad8213ddda
SHA1: 83e9a74421e2dc60fb2b407ce3a65333a7e510ab
SHA256: 92f2a10d1915692dd00cf6ff33c48819f39cd072b1a2bd04d93006934df31e5d
SHA512: f765a1c0ff15fd428fc98d802d898324b5d3cd284323bc55c05e7b267c6093cb8b3ccb2b2b2b5c538b843a6107020b1ddeafce62eafb1c0b07117fd457679e7c

Filesize: 232KB
MD5: 55c310c0319260d798757557ab3bf636
SHA1: 0892eb7ed31d8bb20a56c6835990749011a2d8de
SHA256: 54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed
SHA512: e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57