07b39ffa07fb6be0bb14b3804d0d842b7e7b9287a951ba9a46d415926318fbed

General

Target

rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
Size

176KB
MD5

13997ebf7af8d37dda6697ac03f76cc3
SHA1

9be2bcd498406bdfb05f860ad726273c4a7b4f3a
SHA256

11ecf58db103eb2ded5b942f303d48b5d77e336b8edfe335fa7b81264d1f50ef
SHA512

2894ef41ec784fb39ec663ff8ca5fa8c0ebbd875f95f6e2b843c8bca59d63cc7c43f64df43898290cef31c4b32478819f437fcc4656606d0f7cd4721c735ffee
SSDEEP

3072:rGwR1qmB1TQgHtMF5a6I4Ya5Tlrjmvl3XymSPTyAAwoc9+IkMd+zr3/1C:7KLa6I4x3mdnCNAwo42M

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2024	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ypbkryye.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\ypbkryye.exe\""	Explorer.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 328 set thread context of 1152	328	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	27

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
328	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
1152	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
1152	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
1412	Explorer.EXE
1412	Explorer.EXE
1412	Explorer.EXE
1412	Explorer.EXE
1412	Explorer.EXE
1412	Explorer.EXE
1412	Explorer.EXE
1412	Explorer.EXE
1412	Explorer.EXE
1412	Explorer.EXE
1412	Explorer.EXE
1412	Explorer.EXE
1412	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1152	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
Token: SeDebugPrivilege	1412	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1412	Explorer.EXE
1412	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1412	Explorer.EXE
1412	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
328	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
328	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1412	Explorer.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 328 wrote to memory of 1152	328	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	27
PID 328 wrote to memory of 1152	328	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	27
PID 328 wrote to memory of 1152	328	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	27
PID 328 wrote to memory of 1152	328	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	27
PID 328 wrote to memory of 1152	328	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	27
PID 328 wrote to memory of 1152	328	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	27
PID 328 wrote to memory of 1152	328	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	27
PID 328 wrote to memory of 1152	328	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	27
PID 328 wrote to memory of 1152	328	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	27
PID 328 wrote to memory of 1152	328	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	27
PID 1152 wrote to memory of 2024	1152	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	28
PID 1152 wrote to memory of 2024	1152	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	28
PID 1152 wrote to memory of 2024	1152	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	28
PID 1152 wrote to memory of 2024	1152	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	28
PID 1152 wrote to memory of 1412	1152	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	15
PID 1412 wrote to memory of 1260	1412	Explorer.EXE	17
PID 1412 wrote to memory of 1260	1412	Explorer.EXE	17
PID 1412 wrote to memory of 1336	1412	Explorer.EXE	16
PID 1412 wrote to memory of 2024	1412	Explorer.EXE	28
PID 1412 wrote to memory of 2024	1412	Explorer.EXE	28
PID 1412 wrote to memory of 2016	1412	Explorer.EXE	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Users\Admin\AppData\Local\Temp\rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
  "C:\Users\Admin\AppData\Local\Temp\rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:328
- - C:\Users\Admin\AppData\Local\Temp\rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
    C:\Users\Admin\AppData\Local\Temp\rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1152
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS7981~1.BAT"
      4⤵
      Deletes itself
      PID:2024

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1336

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1260

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-163351683621330329862053060700-1521979429-1959676713-168701753410111669381152010898"
1⤵
PID:2016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms7981266.bat

Filesize
201B

MD5
49335464bb1d1c6236ab459873dfa258

SHA1
2b7b177283d7aae1b1732512deb0a050cd209bef

SHA256
4e884df3327dae1f4550958bd07e8211be2b819b8d4f263f67e6a0bbc15c545c

SHA512
7b996eaab9220e49bae9461ef3d6e38123c798398439378645a69351339201747d6f5c425f70797b9ad30d2d1bcd712b5326e5e2bec703419d71bdfceca27620

Download Submit
memory/328-66-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/328-54-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Filesize
8KB

Download
memory/328-68-0x00000000001D0000-0x00000000001D4000-memory.dmp

Filesize
16KB

Download
memory/1152-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1152-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1152-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1152-58-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1152-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1152-75-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1152-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1152-55-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1260-90-0x0000000037A50000-0x0000000037A60000-memory.dmp

Filesize
64KB

Download
memory/1260-97-0x0000000001DF0000-0x0000000001E07000-memory.dmp

Filesize
92KB

Download
memory/1260-95-0x0000000001E10000-0x0000000001E27000-memory.dmp

Filesize
92KB

Download
memory/1260-83-0x0000000037A50000-0x0000000037A60000-memory.dmp

Filesize
64KB

Download
memory/1336-91-0x0000000037A50000-0x0000000037A60000-memory.dmp

Filesize
64KB

Download
memory/1336-98-0x00000000019C0000-0x00000000019D7000-memory.dmp

Filesize
92KB

Download
memory/1412-76-0x0000000037A50000-0x0000000037A60000-memory.dmp

Filesize
64KB

Download
memory/1412-96-0x0000000002220000-0x0000000002237000-memory.dmp

Filesize
92KB

Download
memory/1412-73-0x0000000002220000-0x0000000002237000-memory.dmp

Filesize
92KB

Download
memory/1412-99-0x0000000002220000-0x0000000002237000-memory.dmp

Filesize
92KB

Download
memory/2016-92-0x0000000037A50000-0x0000000037A60000-memory.dmp

Filesize
64KB

Download
memory/2016-94-0x00000000001D0000-0x00000000001E7000-memory.dmp

Filesize
92KB

Download
memory/2024-84-0x00000000000F0000-0x0000000000104000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing