Analysis
- max time kernel: 117s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 13-06-2024 18:08
Static task
- static1: 1 signatures

Behavioral task
- behavioral1
  - Sample: fn_aktuell.vmp.exe
  - Resource: win7-20240611-en
  - 3 signatures
  - 150 seconds

Behavioral task
- behavioral2
  - Sample: fn_aktuell.vmp.exe
  - Resource: win10v2004-20240226-en
  - 3 signatures
  - 150 seconds
General
- Target: fn_aktuell.vmp.exe
- Size: 11.6MB
- MD5: 44c42874ab529fc027eaba47f8fea472
- SHA1: 06ebfafbfb7bd2d89f6d7ea3d44521503f568862
- SHA256: 72e41ce80316c23eed2470bff5b88f10a9aabc4e69a0215f85147faabc192441
- SHA512: b7a6ac3ba95de9ab6b4c5dad7185f3183e55d62a3ed6e5eadb519a623398597638b8160c509bbee8ed271b40a308c859e58f4e1598a226cca03aa2fa56e85992
- SSDEEP: 196608:PkHgWmUdZBRvpKVC+7Cs1r6gy2HwtijBXxDK3wip1em+awZa8vIXbh:cbmUdZBRBKVzCR/2QtOhDKjkdI
- Score: 5/10
Malware Config
Signatures
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes (pid, process):
  - 1672 fn_aktuell.vmp.exe
  - 1672 fn_aktuell.vmp.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes (pid, process):
  - 1672 fn_aktuell.vmp.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (description; pid, process -> target process):
  - PID 1672 wrote to memory of 1960; 1672 fn_aktuell.vmp.exe -> cmd.exe
  - PID 1672 wrote to memory of 1960; 1672 fn_aktuell.vmp.exe -> cmd.exe
  - PID 1672 wrote to memory of 1960; 1672 fn_aktuell.vmp.exe -> cmd.exe
  - PID 1960 wrote to memory of 2256; 1960 cmd.exe -> certutil.exe
  - PID 1960 wrote to memory of 2256; 1960 cmd.exe -> certutil.exe
  - PID 1960 wrote to memory of 2256; 1960 cmd.exe -> certutil.exe
  - PID 1960 wrote to memory of 2624; 1960 cmd.exe -> find.exe
  - PID 1960 wrote to memory of 2624; 1960 cmd.exe -> find.exe
  - PID 1960 wrote to memory of 2624; 1960 cmd.exe -> find.exe
  - PID 1960 wrote to memory of 2672; 1960 cmd.exe -> find.exe
  - PID 1960 wrote to memory of 2672; 1960 cmd.exe -> find.exe
  - PID 1960 wrote to memory of 2672; 1960 cmd.exe -> find.exe
  - PID 1672 wrote to memory of 2072; 1672 fn_aktuell.vmp.exe -> WerFault.exe
  - PID 1672 wrote to memory of 2072; 1672 fn_aktuell.vmp.exe -> WerFault.exe
  - PID 1672 wrote to memory of 2072; 1672 fn_aktuell.vmp.exe -> WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\fn_aktuell.vmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fn_aktuell.vmp.exe"
  PID: 1672
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\fn_aktuell.vmp.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    PID: 1960
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\certutil.exe
      Command line: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\fn_aktuell.vmp.exe" MD5
      PID: 2256
    - C:\Windows\system32\find.exe
      Command line: find /i /v "md5"
      PID: 2624
    - C:\Windows\system32\find.exe
      Command line: find /i /v "certutil"
      PID: 2672
  - C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 1672 -s 1044
    PID: 2072