07b39ffa07fb6be0bb14b3804d0d842b7e7b9287a951ba9a46d415926318fbed

General

Target

rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
Size

176KB
MD5

13997ebf7af8d37dda6697ac03f76cc3
SHA1

9be2bcd498406bdfb05f860ad726273c4a7b4f3a
SHA256

11ecf58db103eb2ded5b942f303d48b5d77e336b8edfe335fa7b81264d1f50ef
SHA512

2894ef41ec784fb39ec663ff8ca5fa8c0ebbd875f95f6e2b843c8bca59d63cc7c43f64df43898290cef31c4b32478819f437fcc4656606d0f7cd4721c735ffee
SSDEEP

3072:rGwR1qmB1TQgHtMF5a6I4Ya5Tlrjmvl3XymSPTyAAwoc9+IkMd+zr3/1C:7KLa6I4x3mdnCNAwo42M

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe

description	pid	process	target process
PID 1148 set thread context of 1572	1148	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exerechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe

pid	process
1148	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
1148	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
1572	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
1572	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe

description pid process

Token: SeDebugPrivilege 1572 rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe

description	pid	process
Token: SeDebugPrivilege	1572	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe

pid	process
1148	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
1148	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exerechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe

description	pid	process	target process
PID 1148 wrote to memory of 1572	1148	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
PID 1148 wrote to memory of 1572	1148	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
PID 1148 wrote to memory of 1572	1148	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
PID 1148 wrote to memory of 1572	1148	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
PID 1148 wrote to memory of 1572	1148	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
PID 1148 wrote to memory of 1572	1148	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
PID 1148 wrote to memory of 1572	1148	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
PID 1148 wrote to memory of 1572	1148	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
PID 1148 wrote to memory of 1572	1148	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
PID 1572 wrote to memory of 752	1572	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	cmd.exe
PID 1572 wrote to memory of 752	1572	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	cmd.exe
PID 1572 wrote to memory of 752	1572	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	cmd.exe
PID 1572 wrote to memory of 2704	1572	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2704

C:\Users\Admin\AppData\Local\Temp\rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
"C:\Users\Admin\AppData\Local\Temp\rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1148

C:\Users\Admin\AppData\Local\Temp\rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
C:\Users\Admin\AppData\Local\Temp\rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS2479~1.BAT"
4⤵
PID:752

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/752-140-0x0000000000000000-mapping.dmp

Download
memory/1148-132-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/1148-133-0x0000000000790000-0x000000000084F000-memory.dmp

Filesize
764KB

Download
memory/1148-137-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/1572-134-0x0000000000000000-mapping.dmp

Download
memory/1572-135-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1572-138-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1572-139-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads