ad2c3d1bfac4fa8097c648da61cdfe12873e694caa519e9efee37b0d3f9deb3e

General

Target

rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
Size

180KB
MD5

f96874ad23fde2f0b3af2af1565beb73
SHA1

16e63fa7df0f2e8964d2e9cf2541b9ccd5c31106
SHA256

0ed91af7f5dd71ee724ef0bddaae43bdd10721fa21f2b226f69f3156085126fc
SHA512

e5c621a7bd62832ba331b2d0ee40d72e81d9a6892a662ded20c1c23e56b553b829f1691293728b1a8d190c6dd3c0dfdccfe77551ebe2bf7e3220d411c77e803d
SSDEEP

3072:t1ezQdDuZph4fWy6c3v40y+rzqVCr+YARsI6u2t4Y9sBG0hac0v2D+:t1eUNuFIdt3vTrz1r+R7F2t4pUO

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2012	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ypbkryye.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\ypbkryye.exe\""	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1832	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
1832	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1832	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
Token: SeDebugPrivilege	1256	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1256	Explorer.EXE
1256	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1256	Explorer.EXE
1256	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1256	Explorer.EXE

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 2012	1832	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	28
PID 1832 wrote to memory of 2012	1832	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	28
PID 1832 wrote to memory of 2012	1832	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	28
PID 1832 wrote to memory of 2012	1832	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	28
PID 1832 wrote to memory of 1256	1832	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	7
PID 1256 wrote to memory of 1132	1256	Explorer.EXE	10
PID 1256 wrote to memory of 1200	1256	Explorer.EXE	8
PID 1256 wrote to memory of 2012	1256	Explorer.EXE	28
PID 1256 wrote to memory of 1388	1256	Explorer.EXE	29
PID 1256 wrote to memory of 1388	1256	Explorer.EXE	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Users\Admin\AppData\Local\Temp\rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
  "C:\Users\Admin\AppData\Local\Temp\rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS4763~1.BAT"
    3⤵
    - Deletes itself
    PID:2012

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1200

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1132

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1770888054612873202-901907602939310166-2047457743390157209372018021-615967886"
1⤵
PID:1388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms4763869.bat

Filesize
201B

MD5
0e8e71e363062669f2243f04b8d585eb

SHA1
81ddb015847dcd70b043a06d68e2a92eea04d845

SHA256
61c63999f8884aad8f5115f0e5158c97fdb564b725e08eb7f838c0f2f57b5a3e

SHA512
2368a2cc080bc0f84b12192cf39de6e0b580bad37b912445bbf2ff12645aa32a3b9bf06774b1b6c69b55f242e4b7297f3a2f78402af95ed3e147f618afa44e10

Download Submit
memory/1132-76-0x0000000001B50000-0x0000000001B67000-memory.dmp

Filesize
92KB

Download
memory/1132-65-0x00000000379B0000-0x00000000379C0000-memory.dmp

Filesize
64KB

Download
memory/1200-77-0x00000000002B0000-0x00000000002C7000-memory.dmp

Filesize
92KB

Download
memory/1200-72-0x00000000379B0000-0x00000000379C0000-memory.dmp

Filesize
64KB

Download
memory/1256-78-0x0000000001C30000-0x0000000001C47000-memory.dmp

Filesize
92KB

Download
memory/1256-56-0x0000000001C30000-0x0000000001C47000-memory.dmp

Filesize
92KB

Download
memory/1256-59-0x00000000379B0000-0x00000000379C0000-memory.dmp

Filesize
64KB

Download
memory/1388-75-0x0000000000080000-0x0000000000097000-memory.dmp

Filesize
92KB

Download
memory/1388-74-0x00000000379B0000-0x00000000379C0000-memory.dmp

Filesize
64KB

Download
memory/1832-60-0x0000000000EF0000-0x0000000000F25000-memory.dmp

Filesize
212KB

Download
memory/1832-58-0x00000000001D0000-0x00000000001DD000-memory.dmp

Filesize
52KB

Download
memory/1832-54-0x00000000763F1000-0x00000000763F3000-memory.dmp

Filesize
8KB

Download
memory/2012-66-0x0000000000080000-0x0000000000094000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing