97844e1f93932ed31656b47cbbc1a1086351e542d07007b3ad1842905c357fee

General

Target

2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exe
Size

306KB
MD5

756fae3b80bf129ce578006534c1413f
SHA1

00ec3c18110067acd9014a27c366160f2ea18ab3
SHA256

69b81b054100dc55fa61aa0edb9acdecccb84ab84fa37177b33e5d9814067633
SHA512

10274e2d15f6c7990acee9dd6b8e4d3b30c5dc810321198257671862f125baecede3cb5193468f8361d3289fb4623cb3ab6a9f0caceb780eaa6e0e4ef4d1626e
SSDEEP

6144:Ci37LbbWiaYUpwXV9RIKWn/TUVs8oL48N8lqFzc+tRJShtvUdJk:CO/izXrN8UbtPShoJk

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2044 cmd.exe

pid	process
2044	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dhohjter.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\dhohjter.exe\""	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exeExplorer.EXE

pid	process
1988	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exe
1988	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exe
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1988	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exe
Token: SeDebugPrivilege	1384	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1384 Explorer.EXE
1384 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1384 Explorer.EXE
1384 Explorer.EXE

pid	process
1384	Explorer.EXE
1384	Explorer.EXE

pid	process
1384	Explorer.EXE
1384	Explorer.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exeExplorer.EXE

description	pid	process	target process
PID 1988 wrote to memory of 2044	1988	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exe	cmd.exe
PID 1988 wrote to memory of 2044	1988	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exe	cmd.exe
PID 1988 wrote to memory of 2044	1988	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exe	cmd.exe
PID 1988 wrote to memory of 2044	1988	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exe	cmd.exe
PID 1988 wrote to memory of 1384	1988	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exe	Explorer.EXE
PID 1384 wrote to memory of 1216	1384	Explorer.EXE	taskhost.exe
PID 1384 wrote to memory of 1316	1384	Explorer.EXE	Dwm.exe
PID 1384 wrote to memory of 1988	1384	Explorer.EXE	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exe
PID 1384 wrote to memory of 2044	1384	Explorer.EXE	cmd.exe
PID 1384 wrote to memory of 2020	1384	Explorer.EXE	conhost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1384

C:\Users\Admin\AppData\Local\Temp\2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exe
"C:\Users\Admin\AppData\Local\Temp\2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS6374~1.BAT"
3⤵
- Deletes itself
PID:2044

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1316

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1216

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1446658263-1339523300-753965598-227977199164476895119719313621729516100977601142"
1⤵
PID:2020

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms6374069.bat
Filesize
201B

MD5
889ed06ab2691e3eb0cd6439f14730c9

SHA1
3ccc56555e327d29d637aa55692586e061b1b48c

SHA256
4c803fc15cc4ef8dfc9f20d0cb93fa07afbf1becf56751a11955cd20d70ca851

SHA512
7417a8ba275b8de74e8322fe793c5acbbe678672caea8b080c4554304ec1ea2a3ee14fc27ac9cf4ae5c768b8922de1d774eddc57f57ef796b745c225c88d2e4d

Download Submit
memory/1216-65-0x00000000376C0000-0x00000000376D0000-memory.dmp

Filesize
64KB

Download
memory/1216-78-0x0000000000420000-0x0000000000437000-memory.dmp

Filesize
92KB

Download
memory/1316-79-0x0000000001C40000-0x0000000001C57000-memory.dmp

Filesize
92KB

Download
memory/1316-68-0x00000000376C0000-0x00000000376D0000-memory.dmp

Filesize
64KB

Download
memory/1384-77-0x0000000002200000-0x0000000002217000-memory.dmp

Filesize
92KB

Download
memory/1384-60-0x00000000376C0000-0x00000000376D0000-memory.dmp

Filesize
64KB

Download
memory/1384-58-0x0000000002200000-0x0000000002217000-memory.dmp

Filesize
92KB

Download
memory/1988-75-0x0000000000140000-0x000000000014E000-memory.dmp

Filesize
56KB

Download
memory/1988-66-0x0000000000180000-0x0000000000194000-memory.dmp

Filesize
80KB

Download
memory/1988-76-0x0000000000230000-0x0000000000284000-memory.dmp

Filesize
336KB

Download
memory/1988-54-0x0000000075911000-0x0000000075913000-memory.dmp

Filesize
8KB

Download
memory/2020-73-0x00000000376C0000-0x00000000376D0000-memory.dmp

Filesize
64KB

Download
memory/2020-80-0x00000000000D0000-0x00000000000E7000-memory.dmp

Filesize
92KB

Download
memory/2044-57-0x0000000000000000-mapping.dmp

Download
memory/2044-81-0x0000000037870000-0x0000000037880000-memory.dmp

Filesize
64KB

Download
memory/2044-82-0x0000000000150000-0x0000000000164000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads