Analysis
-
max time kernel
153s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
24-11-2022 23:19
Static task
static1
Behavioral task
behavioral1
Sample
2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe
Resource
win10v2004-20220812-en
General
-
Target
2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe
-
Size
306KB
-
MD5
756fae3b80bf129ce578006534c1413f
-
SHA1
00ec3c18110067acd9014a27c366160f2ea18ab3
-
SHA256
69b81b054100dc55fa61aa0edb9acdecccb84ab84fa37177b33e5d9814067633
-
SHA512
10274e2d15f6c7990acee9dd6b8e4d3b30c5dc810321198257671862f125baecede3cb5193468f8361d3289fb4623cb3ab6a9f0caceb780eaa6e0e4ef4d1626e
-
SSDEEP
6144:Ci37LbbWiaYUpwXV9RIKWn/TUVs8oL48N8lqFzc+tRJShtvUdJk:CO/izXrN8UbtPShoJk
Malware Config
Signatures
-
Deletes itself 1 IoCs
Processes:
cmd.exepid process 764 cmd.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Explorer.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\uhbkhryw.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\uhbkhryw.exe\"" Explorer.EXE -
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes:
2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exeExplorer.EXEpid process 1244 2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe 1244 2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe 1188 Explorer.EXE 1188 Explorer.EXE 1188 Explorer.EXE 1188 Explorer.EXE 1188 Explorer.EXE 1188 Explorer.EXE 1188 Explorer.EXE 1188 Explorer.EXE 1188 Explorer.EXE 1188 Explorer.EXE 1188 Explorer.EXE 1188 Explorer.EXE 1188 Explorer.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 1188 Explorer.EXE -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exeExplorer.EXEdescription pid process Token: SeDebugPrivilege 1244 2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe Token: SeDebugPrivilege 1188 Explorer.EXE -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
Explorer.EXEpid process 1188 Explorer.EXE 1188 Explorer.EXE -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
Explorer.EXEpid process 1188 Explorer.EXE 1188 Explorer.EXE -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exeExplorer.EXEdescription pid process target process PID 1244 wrote to memory of 764 1244 2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe cmd.exe PID 1244 wrote to memory of 764 1244 2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe cmd.exe PID 1244 wrote to memory of 764 1244 2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe cmd.exe PID 1244 wrote to memory of 764 1244 2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe cmd.exe PID 1244 wrote to memory of 1188 1244 2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe Explorer.EXE PID 1188 wrote to memory of 1104 1188 Explorer.EXE taskhost.exe PID 1188 wrote to memory of 1156 1188 Explorer.EXE Dwm.exe PID 1188 wrote to memory of 1244 1188 Explorer.EXE 2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe PID 1188 wrote to memory of 764 1188 Explorer.EXE cmd.exe PID 1188 wrote to memory of 1512 1188 Explorer.EXE conhost.exe
Processes
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe"C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS4471~1.BAT"3⤵
- Deletes itself
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1831818130-1283168371-1831030738119302411279436381-362963907626218511-282828471"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\ms4471165.batFilesize
201B
MD51be8343c72c3eff2be27b15c9ff064d8
SHA16d973f59a2051d82eeb3fad0ce083def79bb280b
SHA25617a3be29d1e99984ea91fed6cf3e3ef09dfb8f2fd4436c1ebcf4a246f01eb2d3
SHA5129edfd7bbcbe77c165152b16993cfe208a73f94bef59453e77fc7cac554ebc8a1e4e9f97b4b1c13a91aa229367684bbc1da1884c75dad779289384a318a1325aa
-
memory/764-78-0x0000000000200000-0x0000000000214000-memory.dmpFilesize
80KB
-
memory/764-59-0x0000000000000000-mapping.dmp
-
memory/764-76-0x0000000037490000-0x00000000374A0000-memory.dmpFilesize
64KB
-
memory/1104-81-0x0000000001BA0000-0x0000000001BB7000-memory.dmpFilesize
92KB
-
memory/1104-70-0x00000000372E0000-0x00000000372F0000-memory.dmpFilesize
64KB
-
memory/1156-72-0x00000000372E0000-0x00000000372F0000-memory.dmpFilesize
64KB
-
memory/1156-82-0x0000000000120000-0x0000000000137000-memory.dmpFilesize
92KB
-
memory/1188-62-0x00000000372E0000-0x00000000372F0000-memory.dmpFilesize
64KB
-
memory/1188-60-0x00000000021F0000-0x0000000002207000-memory.dmpFilesize
92KB
-
memory/1188-80-0x00000000021F0000-0x0000000002207000-memory.dmpFilesize
92KB
-
memory/1188-83-0x000007FEF5EC0000-0x000007FEF6003000-memory.dmpFilesize
1.3MB
-
memory/1188-84-0x000007FED5C80000-0x000007FED5C8A000-memory.dmpFilesize
40KB
-
memory/1244-68-0x00000000005B0000-0x00000000005C4000-memory.dmpFilesize
80KB
-
memory/1244-54-0x0000000075CF1000-0x0000000075CF3000-memory.dmpFilesize
8KB
-
memory/1244-58-0x00000000002A0000-0x00000000002F4000-memory.dmpFilesize
336KB
-
memory/1244-57-0x0000000000140000-0x000000000014E000-memory.dmpFilesize
56KB
-
memory/1512-77-0x00000000372E0000-0x00000000372F0000-memory.dmpFilesize
64KB
-
memory/1512-79-0x0000000000110000-0x0000000000127000-memory.dmpFilesize
92KB