Analysis
- max time kernel: 142s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-06-2024 18:08
Static task
- static1: 1 signature

Behavioral task
- behavioral1
  Sample: fn_aktuell.vmp.exe
  Resource: win7-20240611-en
  3 signatures, 150 seconds

Behavioral task
- behavioral2
  Sample: fn_aktuell.vmp.exe
  Resource: win10v2004-20240226-en
  3 signatures, 150 seconds

The signatures and process tree below are from the behavioral2 run (win10v2004-20240226-en), matching the resource named in the Analysis block.
General
- Target: fn_aktuell.vmp.exe
- Size: 11.6MB
- MD5: 44c42874ab529fc027eaba47f8fea472
- SHA1: 06ebfafbfb7bd2d89f6d7ea3d44521503f568862
- SHA256: 72e41ce80316c23eed2470bff5b88f10a9aabc4e69a0215f85147faabc192441
- SHA512: b7a6ac3ba95de9ab6b4c5dad7185f3183e55d62a3ed6e5eadb519a623398597638b8160c509bbee8ed271b40a308c859e58f4e1598a226cca03aa2fa56e85992
- SSDEEP: 196608:PkHgWmUdZBRvpKVC+7Cs1r6gy2HwtijBXxDK3wip1em+awZa8vIXbh:cbmUdZBRBKVzCR/2QtOhDKjkdI

Score
5/10
Malware Config

Signatures
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes (pid, process):
    4160  fn_aktuell.vmp.exe
    4160  fn_aktuell.vmp.exe
  Note: NtSetInformationThread with the ThreadHideFromDebugger information class stops the calling thread from delivering debug events, so an attached debugger no longer sees its exceptions or breakpoints. It is a standard anti-debugging measure in commercial protectors; the ".vmp" suffix in the file name is the usual marker for a VMProtect-protected build, which would account for it.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
    4160  fn_aktuell.vmp.exe
    4160  fn_aktuell.vmp.exe
  Note: walking the process list is frequently paired with the check above to look for debuggers and analysis tools by name; the report does not show what was done with the result.
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
    PID 4160 wrote to memory of 1668   4160  fn_aktuell.vmp.exe  cmd.exe
    PID 4160 wrote to memory of 1668   4160  fn_aktuell.vmp.exe  cmd.exe
    PID 1668 wrote to memory of 4172   1668  cmd.exe             certutil.exe
    PID 1668 wrote to memory of 4172   1668  cmd.exe             certutil.exe
    PID 1668 wrote to memory of 5016   1668  cmd.exe             find.exe
    PID 1668 wrote to memory of 5016   1668  cmd.exe             find.exe
    PID 1668 wrote to memory of 3100   1668  cmd.exe             find.exe
    PID 1668 wrote to memory of 3100   1668  cmd.exe             find.exe
  Note: every write goes from a parent into a child it has just launched (the sample into cmd.exe, cmd.exe into certutil.exe and the two find.exe instances), which is what ordinary process creation looks like under this hook. There are no writes into unrelated or pre-existing processes, so this signature alone is not evidence of injection.
Processes
- C:\Users\Admin\AppData\Local\Temp\fn_aktuell.vmp.exe (PID 4160)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fn_aktuell.vmp.exe"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 1668)
    Command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\fn_aktuell.vmp.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\certutil.exe (PID 4172)
      Command line: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\fn_aktuell.vmp.exe" MD5
    - C:\Windows\system32\find.exe (PID 5016)
      Command line: find /i /v "md5"
    - C:\Windows\system32\find.exe (PID 3100)
      Command line: find /i /v "certutil"
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3936)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5148 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
  Note: this Edge utility process sits at the top level of the tree, not under the sample, and no interaction with it is recorded; treat it as unrelated unless other evidence links it.

Reading the tree: the sample hashes its own file on disk. certutil -hashfile prints three lines (a header naming the algorithm and file, the digest, and a "CertUtil: ... completed successfully" footer); the two chained find /i /v calls drop the header (it contains "md5") and the footer (it contains "certutil"), leaving only the digest line for cmd.exe to return. Computing one's own MD5 this way is consistent with a self-integrity (anti-tamper) check that compares the result against a baked-in value; the report does not show the comparison itself. The combination is a good hunting pivot: certutil -hashfile launched through cmd.exe by a process in a user's Temp directory, targeting that process's own image.
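To make the pipeline above and its detection concrete, the following Python is an added example, not part of the Triage report or of the sample: it emulates certutil -hashfile <file> MD5 | find /i /v "md5" | find /i /v "certutil" over constructed certutil output (the digest is copied from the report's MD5 field, and both the Windows 10 and the older space-separated output layouts are covered), and it runs a small detection over process-creation events transcribed from the report's process tree, flagging any certutil -hashfile whose target path is the image of one of the invoking process's own ancestors. The certutil output text, the event field names and all function names are this example's own assumptions.

```python
"""
Added example (not from the report or the sample): emulate the
  certutil -hashfile <file> MD5 | find /i /v "md5" | find /i /v "certutil"
pipeline from the process tree, and flag processes that hash their own image.

All inputs are constructed here: CERTUTIL_OUTPUT imitates certutil's text
output (digest copied from the report's MD5 field), EVENTS transcribes the
parent/child relationships listed in the report.  Field and function names
are this example's own choices.
"""
import re

SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\fn_aktuell.vmp.exe"
REPORTED_MD5 = "44c42874ab529fc027eaba47f8fea472"
CMD = r"C:\Windows\system32\cmd.exe"
CERTUTIL = r"C:\Windows\system32\certutil.exe"
FIND = r"C:\Windows\system32\find.exe"

# Constructed: Windows 10 certutil prints a header, the digest as one line of
# lowercase hex, and a completion message.
CERTUTIL_OUTPUT = (
    f"MD5 hash of {SAMPLE_PATH}:\r\n"
    f"{REPORTED_MD5}\r\n"
    "CertUtil: -hashfile command completed successfully.\r\n"
)
# Constructed: older certutil builds (Windows 7 era) separate the bytes with spaces.
CERTUTIL_OUTPUT_LEGACY = CERTUTIL_OUTPUT.replace(
    REPORTED_MD5, " ".join(REPORTED_MD5[i:i + 2] for i in range(0, 32, 2)))


def find_v(lines, needle):
    """Emulate `find /i /v "needle"`: keep only lines NOT containing needle (case-insensitive)."""
    needle = needle.lower()
    return [line for line in lines if needle not in line.lower()]


def extract_hash(certutil_output):
    """Run the report's pipeline: drop the header (contains 'md5') and the footer
    (contains 'certutil'), then normalise whatever is left to bare lowercase hex."""
    remaining = find_v(find_v(certutil_output.splitlines(), "md5"), "certutil")
    return "".join(remaining).replace(" ", "").strip().lower()


def self_check_passes(certutil_output, expected_md5):
    """What a self-integrity check would compare: the pipeline's output vs a baked-in digest."""
    return extract_hash(certutil_output) == expected_md5.lower()


# Constructed process-creation events, transcribed from the report's process tree.
EVENTS = [
    {"pid": 4160, "ppid": None, "image": SAMPLE_PATH, "cmdline": f'"{SAMPLE_PATH}"'},
    {"pid": 1668, "ppid": 4160, "image": CMD,
     "cmdline": f'{CMD} /c certutil -hashfile "{SAMPLE_PATH}" MD5 '
                '| find /i /v "md5" | find /i /v "certutil"'},
    {"pid": 4172, "ppid": 1668, "image": CERTUTIL,
     "cmdline": f'certutil -hashfile "{SAMPLE_PATH}" MD5'},
    {"pid": 5016, "ppid": 1668, "image": FIND, "cmdline": 'find /i /v "md5"'},
    {"pid": 3100, "ppid": 1668, "image": FIND, "cmdline": 'find /i /v "certutil"'},
]

# Matches `certutil -hashfile <path>` with a quoted or bare path.
HASHFILE_RE = re.compile(
    r'certutil(?:\.exe)?\s+-hashfile\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def ancestors(by_pid, pid):
    """Walk ppid links upward; stops on a missing parent or a cycle."""
    chain, seen = [], {pid}
    cur = by_pid.get(pid)
    while cur is not None and cur["ppid"] is not None and cur["ppid"] not in seen:
        seen.add(cur["ppid"])
        cur = by_pid.get(cur["ppid"])
        if cur is not None:
            chain.append(cur)
    return chain


def find_self_hash_checks(events):
    """Flag every certutil -hashfile invocation (including the cmd.exe /c line that
    carries it) whose target path equals the image of one of its ancestors, i.e. a
    process having its own executable hashed."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for event in events:
        match = HASHFILE_RE.search(event["cmdline"])
        if not match:
            continue
        hashed = (match.group(1) or match.group(2)).lower()
        for anc in ancestors(by_pid, event["pid"]):
            if anc["image"].lower() == hashed:
                hits.append({"pid": event["pid"], "image": event["image"],
                             "hashed": hashed, "self_pid": anc["pid"]})
                break
    return hits


if __name__ == "__main__":
    print("pipeline output:", extract_hash(CERTUTIL_OUTPUT))
    print("matches reported MD5:", self_check_passes(CERTUTIL_OUTPUT, REPORTED_MD5))
    for hit in find_self_hash_checks(EVENTS):
        print(f"PID {hit['pid']} ({hit['image']}) hashes image of ancestor PID {hit['self_pid']}")
```

On a real endpoint the same logic maps directly onto Sysmon Event ID 1 (ProcessCreate) or Windows 4688 fields: ParentProcessId, Image and CommandLine. Both the cmd.exe /c line and the certutil.exe child fire here, which is deliberate: if the child's command line is lost or truncated, the parent still carries the evidence.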