7ca90ef98dff9d41879a6e9b58386bb316e38093ad60f62a256332c9c880302a

General

Target

2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe
Size

306KB
MD5

756fae3b80bf129ce578006534c1413f
SHA1

00ec3c18110067acd9014a27c366160f2ea18ab3
SHA256

69b81b054100dc55fa61aa0edb9acdecccb84ab84fa37177b33e5d9814067633
SHA512

10274e2d15f6c7990acee9dd6b8e4d3b30c5dc810321198257671862f125baecede3cb5193468f8361d3289fb4623cb3ab6a9f0caceb780eaa6e0e4ef4d1626e
SSDEEP

6144:Ci37LbbWiaYUpwXV9RIKWn/TUVs8oL48N8lqFzc+tRJShtvUdJk:CO/izXrN8UbtPShoJk

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

764 cmd.exe

pid	process
764	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\uhbkhryw.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\uhbkhryw.exe\""	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exeExplorer.EXE

pid	process
1244	2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe
1244	2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1188 Explorer.EXE

pid	process
1188	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1244	2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe
Token: SeDebugPrivilege	1188	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1188 Explorer.EXE
1188 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1188 Explorer.EXE
1188 Explorer.EXE

pid	process
1188	Explorer.EXE
1188	Explorer.EXE

pid	process
1188	Explorer.EXE
1188	Explorer.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exeExplorer.EXE

description	pid	process	target process
PID 1244 wrote to memory of 764	1244	2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe	cmd.exe
PID 1244 wrote to memory of 764	1244	2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe	cmd.exe
PID 1244 wrote to memory of 764	1244	2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe	cmd.exe
PID 1244 wrote to memory of 764	1244	2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe	cmd.exe
PID 1244 wrote to memory of 1188	1244	2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe	Explorer.EXE
PID 1188 wrote to memory of 1104	1188	Explorer.EXE	taskhost.exe
PID 1188 wrote to memory of 1156	1188	Explorer.EXE	Dwm.exe
PID 1188 wrote to memory of 1244	1188	Explorer.EXE	2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe
PID 1188 wrote to memory of 764	1188	Explorer.EXE	cmd.exe
PID 1188 wrote to memory of 1512	1188	Explorer.EXE	conhost.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1156

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1188

C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe
"C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1244

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS4471~1.BAT"
3⤵
- Deletes itself
PID:764

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1104

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1831818130-1283168371-1831030738119302411279436381-362963907626218511-282828471"
1⤵
PID:1512

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms4471165.bat
Filesize
201B

MD5
1be8343c72c3eff2be27b15c9ff064d8

SHA1
6d973f59a2051d82eeb3fad0ce083def79bb280b

SHA256
17a3be29d1e99984ea91fed6cf3e3ef09dfb8f2fd4436c1ebcf4a246f01eb2d3

SHA512
9edfd7bbcbe77c165152b16993cfe208a73f94bef59453e77fc7cac554ebc8a1e4e9f97b4b1c13a91aa229367684bbc1da1884c75dad779289384a318a1325aa

Download Submit
memory/764-78-0x0000000000200000-0x0000000000214000-memory.dmp

Filesize
80KB

Download
memory/764-59-0x0000000000000000-mapping.dmp

Download
memory/764-76-0x0000000037490000-0x00000000374A0000-memory.dmp

Filesize
64KB

Download
memory/1104-81-0x0000000001BA0000-0x0000000001BB7000-memory.dmp

Filesize
92KB

Download
memory/1104-70-0x00000000372E0000-0x00000000372F0000-memory.dmp

Filesize
64KB

Download
memory/1156-72-0x00000000372E0000-0x00000000372F0000-memory.dmp

Filesize
64KB

Download
memory/1156-82-0x0000000000120000-0x0000000000137000-memory.dmp

Filesize
92KB

Download
memory/1188-62-0x00000000372E0000-0x00000000372F0000-memory.dmp

Filesize
64KB

Download
memory/1188-60-0x00000000021F0000-0x0000000002207000-memory.dmp

Filesize
92KB

Download
memory/1188-80-0x00000000021F0000-0x0000000002207000-memory.dmp

Filesize
92KB

Download
memory/1188-83-0x000007FEF5EC0000-0x000007FEF6003000-memory.dmp

Filesize
1.3MB

Download
memory/1188-84-0x000007FED5C80000-0x000007FED5C8A000-memory.dmp

Filesize
40KB

Download
memory/1244-68-0x00000000005B0000-0x00000000005C4000-memory.dmp

Filesize
80KB

Download
memory/1244-54-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download
memory/1244-58-0x00000000002A0000-0x00000000002F4000-memory.dmp

Filesize
336KB

Download
memory/1244-57-0x0000000000140000-0x000000000014E000-memory.dmp

Filesize
56KB

Download
memory/1512-77-0x00000000372E0000-0x00000000372F0000-memory.dmp

Filesize
64KB

Download
memory/1512-79-0x0000000000110000-0x0000000000127000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads