57178f00f9f85ab148973e66fb232f962ad0e82827da9053a004d86182a4c835

General

Target

rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
Size

172KB
MD5

7ae552b119e733d998108725e33b8fd3
SHA1

d3c7ebaca0a527731ba611dcffce8dd163d0e885
SHA256

afcb82f94147382a98a3d67b695565114b2675e90eabb55b0c28f0efa0ef0712
SHA512

e8fd51702a69a820a32c23548ad1b7d131ea6f9a79021095317ef25d75f3143f68fd090fd177467021d2a9f940de8fab42769d90046621fad3cd6d5aae27fa8c
SSDEEP

3072:ba4ZKMWBexMF+4eXsy3cvf5ftCC6ofPBPK5dTLiwCOv8G7PAPplKrrz:b3bXxI+4GZcXgohPKLF8Coh

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1072	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\gtntglna.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\gtntglna.exe\""	Explorer.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1628 set thread context of 1152	1628	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	27

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\printto	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\ = "Tif Document"	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\DefaultIcon	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\printto\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RECHNU~1.EXE /pt \"%1\" \"%2\" \"%3\" \"%4\""	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RECHNU~1.EXE,0"	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\print\command	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\print\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RECHNU~1.EXE /p \"%1\""	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\open\command	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\open	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RECHNU~1.EXE \"%1\""	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\print	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\printto\command	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1628	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
1628	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
1628	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
1152	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
1152	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
1416	Explorer.EXE
1416	Explorer.EXE
1416	Explorer.EXE
1416	Explorer.EXE
1416	Explorer.EXE
1416	Explorer.EXE
1416	Explorer.EXE
1416	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1152	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
Token: SeDebugPrivilege	1416	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1416	Explorer.EXE
1416	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1416	Explorer.EXE
1416	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1628	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
1628	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1416	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 1152	1628	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	27
PID 1628 wrote to memory of 1152	1628	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	27
PID 1628 wrote to memory of 1152	1628	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	27
PID 1628 wrote to memory of 1152	1628	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	27
PID 1628 wrote to memory of 1152	1628	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	27
PID 1628 wrote to memory of 1152	1628	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	27
PID 1628 wrote to memory of 1152	1628	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	27
PID 1628 wrote to memory of 1152	1628	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	27
PID 1628 wrote to memory of 1152	1628	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	27
PID 1628 wrote to memory of 1152	1628	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	27
PID 1152 wrote to memory of 1072	1152	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	28
PID 1152 wrote to memory of 1072	1152	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	28
PID 1152 wrote to memory of 1072	1152	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	28
PID 1152 wrote to memory of 1072	1152	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	28
PID 1152 wrote to memory of 1416	1152	rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe	12
PID 1416 wrote to memory of 1228	1416	Explorer.EXE	13
PID 1416 wrote to memory of 1368	1416	Explorer.EXE	6
PID 1416 wrote to memory of 1368	1416	Explorer.EXE	6

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1368

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Users\Admin\AppData\Local\Temp\rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
  "C:\Users\Admin\AppData\Local\Temp\rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Users\Admin\AppData\Local\Temp\rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
    C:\Users\Admin\AppData\Local\Temp\rechnungonline_telekom_000002920019_2014_11_43726700032_de_003938289_027.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1152
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS6137~1.BAT"
      4⤵
      Deletes itself
      PID:1072

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms6137067.bat

Filesize
201B

MD5
07400f2b1f491327c1ecc8727baf73d5

SHA1
c8119f5a4c7819e932e20444cd49cc9405bbb9bc

SHA256
db068c8005580e0863285416aad7bec55f6955e87780c258b3ad53ebcc6de850

SHA512
5a8afdd8b44817c9363ebff08c059da80728b61c6f4de5169375a9c6e1e90a2a74de846fc7ff101bb634ba51a0f6ff395400c64c2d9f56efc98a4fd826b065e2

Download Submit
memory/1152-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1152-55-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1152-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1152-58-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1152-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1152-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1152-74-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1152-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1228-84-0x0000000037150000-0x0000000037160000-memory.dmp

Filesize
64KB

Download
memory/1228-87-0x0000000000330000-0x0000000000347000-memory.dmp

Filesize
92KB

Download
memory/1368-85-0x0000000037150000-0x0000000037160000-memory.dmp

Filesize
64KB

Download
memory/1368-86-0x0000000037150000-0x0000000037160000-memory.dmp

Filesize
64KB

Download
memory/1368-88-0x00000000001C0000-0x00000000001D7000-memory.dmp

Filesize
92KB

Download
memory/1368-89-0x00000000001A0000-0x00000000001B7000-memory.dmp

Filesize
92KB

Download
memory/1416-72-0x00000000021E0000-0x00000000021F7000-memory.dmp

Filesize
92KB

Download
memory/1416-75-0x0000000037150000-0x0000000037160000-memory.dmp

Filesize
64KB

Download
memory/1416-77-0x00000000021E0000-0x00000000021F7000-memory.dmp

Filesize
92KB

Download
memory/1416-90-0x00000000021E0000-0x00000000021F7000-memory.dmp

Filesize
92KB

Download
memory/1628-65-0x0000000000340000-0x0000000000344000-memory.dmp

Filesize
16KB

Download
memory/1628-54-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing