Overview

overview

10

Static

static

3

Abrechnung53534.exe

windows7-x64

10

Abrechnung53534.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    148s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-10-2024 00:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Abrechnung53534.exe

  • Size

    728KB

  • MD5

    c55825824295fb010050e0a8929088dd

  • SHA1

    e3047fa2e4128af1ca2cd5a854a9772421ab185e

  • SHA256

    0a77fc85a49ed22e8a829c57253cffff4af89a690cec2125ebdb53be09f64e86

  • SHA512

    7be00b8a624438b37d7d10b5327accb94e9ed0ab68ff809fd4a18699bf1f64cb6700827431225be366cf2ef4410c90ce314e2256b55bcc474a208de6e2f0b6d8

  • SSDEEP

    12288:cLgIvdjsT2N167Tn/VHbiaPzvLOyx1v2ef0j/uakSB0aA+PmLgaYM:eDvCD7/V+aPzSe1vto/T0aA+a5

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 23 IoCs
  • Modifies registry class 14 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:780
    • C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
      2⤵
        PID:2184
      • C:\Windows\system32\wbem\wmiprvse.exe
        C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
        2⤵
          PID:2788
        • C:\Windows\system32\backgroundTaskHost.exe
          "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
          2⤵
            PID:4524
        • C:\Users\Admin\AppData\Local\Temp\Abrechnung53534.exe
          "C:\Users\Admin\AppData\Local\Temp\Abrechnung53534.exe"
          1⤵
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2332
          • C:\Users\Admin\AppData\Local\Temp\Abrechnung53534.exe
            C:\Users\Admin\AppData\Local\Temp\Abrechnung53534.exe
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:1804
        • C:\Users\Admin\AppData\Local\Temp\bjikobd.exe
          C:\Users\Admin\AppData\Local\Temp\bjikobd.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:5016
          • C:\Users\Admin\AppData\Local\Temp\bjikobd.exe
            C:\Users\Admin\AppData\Local\Temp\bjikobd.exe
            2⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3100
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3100 -s 656
              3⤵
              • Program crash
              PID:3144
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3100 -s 664
              3⤵
              • Program crash
              PID:2744
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3100 -ip 3100
          1⤵
            PID:1716
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3100 -ip 3100
            1⤵
              PID:4124

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\ProgramData\regid.1991-06.com.microsoft\znhmfgj
              Filesize

              654B

              MD5

              92125334f01fd050804771e1669ea39d

              SHA1

              68206bdab392de285a11f3a4eca674600660dafa

              SHA256

              04c1be3466e34faf06f24303a46e2d9d8d3cb10aa37f54bed4a8f80be752547f

              SHA512

              7231240bc48107714d686bb622fe29316bb707dfe6f2f86193cf9e160d9e4e80b1116358952a20a6af4d17a8e7d5b016574a227ea4f735701547157f52d0a127

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\bjikobd.exe
              Filesize

              728KB

              MD5

              c55825824295fb010050e0a8929088dd

              SHA1

              e3047fa2e4128af1ca2cd5a854a9772421ab185e

              SHA256

              0a77fc85a49ed22e8a829c57253cffff4af89a690cec2125ebdb53be09f64e86

              SHA512

              7be00b8a624438b37d7d10b5327accb94e9ed0ab68ff809fd4a18699bf1f64cb6700827431225be366cf2ef4410c90ce314e2256b55bcc474a208de6e2f0b6d8

              Download Submit

            • F:\$RECYCLE.BIN\S-1-5-18\desktop.ini
              Filesize

              129B

              MD5

              a526b9e7c716b3489d8cc062fbce4005

              SHA1

              2df502a944ff721241be20a9e449d2acd07e0312

              SHA256

              e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

              SHA512

              d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

              Download Submit

            • memory/780-19-0x0000000035220000-0x0000000035297000-memory.dmp

              Filesize

              476KB

              Download

            • memory/780-21-0x0000000035220000-0x0000000035297000-memory.dmp

              Filesize

              476KB

              Download

            • memory/780-3421-0x0000000035220000-0x0000000035297000-memory.dmp

              Filesize

              476KB

              Download

            • memory/780-235-0x0000000035220000-0x0000000035297000-memory.dmp

              Filesize

              476KB

              Download

            • memory/780-29-0x0000000035220000-0x0000000035297000-memory.dmp

              Filesize

              476KB

              Download

            • memory/780-25-0x0000000035220000-0x0000000035297000-memory.dmp

              Filesize

              476KB

              Download

            • memory/780-27-0x0000000035220000-0x0000000035297000-memory.dmp

              Filesize

              476KB

              Download

            • memory/780-22-0x0000000035220000-0x0000000035297000-memory.dmp

              Filesize

              476KB

              Download

            • memory/1804-4-0x0000000000401000-0x0000000000402000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1804-1-0x0000000000400000-0x0000000004429000-memory.dmp

              Filesize

              64.2MB

              Download

            • memory/1804-5-0x0000000004990000-0x0000000004BDB000-memory.dmp

              Filesize

              2.3MB

              Download

            • memory/1804-2-0x0000000000400000-0x0000000004429000-memory.dmp

              Filesize

              64.2MB

              Download

            • memory/1804-3-0x0000000004770000-0x000000000498A000-memory.dmp

              Filesize

              2.1MB

              Download

            • memory/2332-0-0x0000000000670000-0x0000000000675000-memory.dmp

              Filesize

              20KB

              Download

            • memory/3100-15-0x00000000049C0000-0x0000000004C0B000-memory.dmp

              Filesize

              2.3MB

              Download

            • memory/3100-13-0x0000000000400000-0x00000000004A4400-memory.dmp

              Filesize

              657KB

              Download

            • memory/5016-9-0x0000000000400000-0x00000000004B6000-memory.dmp

              Filesize

              728KB

              Download