57a05ec8b4864121ec704fa85f8c4b92937f240030982a1b04ecb5dbdceb1af7

General

Target

rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
Size

172KB
MD5

b2967a3ca6cfebc2e66f4c69d19dc055
SHA1

8832ee55e68abeb97738f4a62063860686246474
SHA256

9c4853fb813000f747396db86faea3122e6f7395f600bef9b3bc5f6eea133a9b
SHA512

00be2036a0fae86686f5de9c86f861fa534b52357636618adfb80c8edaf4ac9110fd6cca76fd7d9774ad090e0e3b2bc2d2ed71e314a4c147be8dc64c888f6e6e
SSDEEP

3072:M5AvWhLGWKpp91HMGGCPwqMBV/oFPUNuG:QSWhLG5fBRPSyF

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe

description	pid	process	target process
PID 2552 set thread context of 3016	2552	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe

Modifies registry class 14 IoCs

Processes:

rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RECHNU~1.EXE \"%1\""	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\print	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\print\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RECHNU~1.EXE /p \"%1\""	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\DefaultIcon	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\printto\command	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\printto\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RECHNU~1.EXE /pt \"%1\" \"%2\" \"%3\" \"%4\""	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RECHNU~1.EXE,0"	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\open\command	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\print\command	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\ = "Tif Document"	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\open	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\printto	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exerechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe

pid	process
2552	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
2552	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
2552	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
2552	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
2552	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
2552	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
3016	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
3016	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe

description pid process

Token: SeDebugPrivilege 3016 rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe

description	pid	process
Token: SeDebugPrivilege	3016	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe

pid	process
2552	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
2552	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exerechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe

description	pid	process	target process
PID 2552 wrote to memory of 3016	2552	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
PID 2552 wrote to memory of 3016	2552	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
PID 2552 wrote to memory of 3016	2552	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
PID 2552 wrote to memory of 3016	2552	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
PID 2552 wrote to memory of 3016	2552	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
PID 2552 wrote to memory of 3016	2552	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
PID 2552 wrote to memory of 3016	2552	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
PID 2552 wrote to memory of 3016	2552	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
PID 2552 wrote to memory of 3016	2552	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
PID 3016 wrote to memory of 4932	3016	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe	cmd.exe
PID 3016 wrote to memory of 4932	3016	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe	cmd.exe
PID 3016 wrote to memory of 4932	3016	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe	cmd.exe
PID 3016 wrote to memory of 980	3016	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:980

C:\Users\Admin\AppData\Local\Temp\rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
"C:\Users\Admin\AppData\Local\Temp\rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2552

C:\Users\Admin\AppData\Local\Temp\rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
C:\Users\Admin\AppData\Local\Temp\rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\ms711097.bat"
4⤵
PID:4932

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/980-140-0x00007FF9E5890000-0x00007FF9E58A0000-memory.dmp

Filesize
64KB

Download
memory/2552-136-0x0000000003C80000-0x0000000003C84000-memory.dmp

Filesize
16KB

Download
memory/3016-135-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3016-133-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3016-132-0x0000000000000000-mapping.dmp

Download
memory/3016-137-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3016-139-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4932-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads