6094698d44b68d64eafcf362a8af275a8232e3e21a9ceeda57eb71b6dded396b

General

Target

rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
Size

176KB
MD5

72fa9e74d45dda3085eafb77eb497b1a
SHA1

536b13842b5c0ff70177c0c4fd80ce1ff892a15e
SHA256

7a4e899fc05973c8d3fb596750fc1b848daad7cd2cc6cee2c8fb44977e39c45d
SHA512

f5313d65269010038072e25e2ca6859a914a5db31815ee662def861a7809f6098fd25dc68c142efd5e0929e420221393e73aa77fbcd4ba8af4da95a73329737c
SSDEEP

3072:zQnHNmI+yMkJR+Omz1C+cSQStd3jUQdW6OTHeOO16ogZrssN6wc+ga0Mhze:zwHBRtJ2BC+Cqz14TE6dZr5PQ

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
752	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\uhbkhryw.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\uhbkhryw.exe\""	Explorer.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1348 set thread context of 952	1348	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	28

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1348	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
1348	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
1348	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
952	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
952	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1232	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	952	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
Token: SeDebugPrivilege	1232	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1232	Explorer.EXE
1232	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1232	Explorer.EXE
1232	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1348	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
1348	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1232	Explorer.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 952	1348	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	28
PID 1348 wrote to memory of 952	1348	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	28
PID 1348 wrote to memory of 952	1348	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	28
PID 1348 wrote to memory of 952	1348	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	28
PID 1348 wrote to memory of 952	1348	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	28
PID 1348 wrote to memory of 952	1348	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	28
PID 1348 wrote to memory of 952	1348	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	28
PID 1348 wrote to memory of 952	1348	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	28
PID 1348 wrote to memory of 952	1348	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	28
PID 1348 wrote to memory of 952	1348	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	28
PID 952 wrote to memory of 752	952	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	29
PID 952 wrote to memory of 752	952	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	29
PID 952 wrote to memory of 752	952	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	29
PID 952 wrote to memory of 752	952	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	29
PID 952 wrote to memory of 1232	952	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	9
PID 1232 wrote to memory of 1128	1232	Explorer.EXE	17
PID 1232 wrote to memory of 1188	1232	Explorer.EXE	16
PID 1232 wrote to memory of 752	1232	Explorer.EXE	29
PID 1232 wrote to memory of 752	1232	Explorer.EXE	29
PID 1232 wrote to memory of 884	1232	Explorer.EXE	30
PID 1232 wrote to memory of 884	1232	Explorer.EXE	30

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Users\Admin\AppData\Local\Temp\rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
  "C:\Users\Admin\AppData\Local\Temp\rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Users\Admin\AppData\Local\Temp\rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
    C:\Users\Admin\AppData\Local\Temp\rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:952
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS9336~1.BAT"
      4⤵
      Deletes itself
      PID:752

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1188

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "436240817150613290616966337001036007755-187255413-1327847309-1152356929-235637084"
1⤵
PID:884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms9336058.bat

Filesize
201B

MD5
4777d531ba3fd10fbe004d7e2887cdaa

SHA1
5854a210c32a34b3dc7124788382f7ac9015ad87

SHA256
362d5b246b91bbdffda3721e4155078b2f235487745ebf8001e489672505e032

SHA512
6941009902e50b543579945340c5bf13827dfa4a552f9c55e7999cf057895606317fe7b2eadfb02da39c71583a60e08d988610646c984dbe0c7ef0631f5a7938

Download Submit
memory/752-80-0x0000000000230000-0x0000000000244000-memory.dmp

Filesize
80KB

Download
memory/884-91-0x00000000000F0000-0x0000000000107000-memory.dmp

Filesize
92KB

Download
memory/952-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/952-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/952-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/952-55-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/952-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/952-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/952-58-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/952-74-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1128-89-0x0000000037100000-0x0000000037110000-memory.dmp

Filesize
64KB

Download
memory/1128-92-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/1188-94-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/1232-75-0x0000000037100000-0x0000000037110000-memory.dmp

Filesize
64KB

Download
memory/1232-72-0x0000000002140000-0x0000000002157000-memory.dmp

Filesize
92KB

Download
memory/1232-93-0x0000000002140000-0x0000000002157000-memory.dmp

Filesize
92KB

Download
memory/1348-65-0x0000000000250000-0x0000000000254000-memory.dmp

Filesize
16KB

Download
memory/1348-54-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing