59969aac99f42d22ea4fba144df1c1c73a06c4f42f6535a90d0ddfe1133c1031

General

Target

telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
Size

204KB
MD5

0fe1a6e23bb2accf9f57ba54b6002a2a
SHA1

e6b336b3e3b1d9043260b46bf5858a78ae114fd6
SHA256

58b48dc4fcff7d684c0a718a4475dc0b4b5ececa90b3d1e1092fccaf11399eb9
SHA512

c5ccc5c4eb739440a1a439a08e3725c0646e3653410b16b6c548b99c3fa3c8bb8fb074d180a158dddfc89ec102a373ed12f347446d2e401bc021beebb013850d
SSDEEP

3072:91FYqL5nh457wGZtUhxtGNC53yWMI++4V51iwhdlmBs1Z+cdn0t8+4I+VM:xYMw7wG3UTtfyU++Y51RldCh8+V+e

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1160 cmd.exe

pid	process
1160	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\ianvmjrr.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\ianvmjrr.exe\""	Explorer.EXE

Suspicious use of SetThreadContext 1 IoCs

Processes:

telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe

description	pid	process	target process
PID 1212 set thread context of 2004	1212	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exetelekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exeExplorer.EXE

pid	process
1212	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
2004	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
2004	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1204 Explorer.EXE

pid	process
1204	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	2004	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
Token: SeDebugPrivilege	1204	Explorer.EXE
Token: SeShutdownPrivilege	1204	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1204 Explorer.EXE
1204 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1204 Explorer.EXE
1204 Explorer.EXE

pid	process
1204	Explorer.EXE
1204	Explorer.EXE

pid	process
1204	Explorer.EXE
1204	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe

pid	process
1212	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
1212	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

1204 Explorer.EXE

pid	process
1204	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exetelekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exeExplorer.EXE

description	pid	process	target process
PID 1212 wrote to memory of 2004	1212	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
PID 1212 wrote to memory of 2004	1212	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
PID 1212 wrote to memory of 2004	1212	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
PID 1212 wrote to memory of 2004	1212	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
PID 1212 wrote to memory of 2004	1212	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
PID 1212 wrote to memory of 2004	1212	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
PID 1212 wrote to memory of 2004	1212	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
PID 1212 wrote to memory of 2004	1212	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
PID 1212 wrote to memory of 2004	1212	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
PID 1212 wrote to memory of 2004	1212	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
PID 2004 wrote to memory of 1160	2004	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe	cmd.exe
PID 2004 wrote to memory of 1160	2004	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe	cmd.exe
PID 2004 wrote to memory of 1160	2004	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe	cmd.exe
PID 2004 wrote to memory of 1160	2004	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe	cmd.exe
PID 2004 wrote to memory of 1204	2004	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe	Explorer.EXE
PID 1204 wrote to memory of 1120	1204	Explorer.EXE	taskhost.exe
PID 1204 wrote to memory of 1168	1204	Explorer.EXE	Dwm.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1204

C:\Users\Admin\AppData\Local\Temp\telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
"C:\Users\Admin\AppData\Local\Temp\telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1212

C:\Users\Admin\AppData\Local\Temp\telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
C:\Users\Admin\AppData\Local\Temp\telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS9336~1.BAT"
4⤵
- Deletes itself
PID:1160

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms9336058.bat

Filesize
201B

MD5
16cb737c753983679470c04a70277540

SHA1
a6c88f19216d9d0564ed0a0d9983aabc93ddd598

SHA256
d28b2646b4f28a419669beff2616923507a628a60fb1e1a4a7a1a8e6a9e3670f

SHA512
3ba5e6336e4cbd8008872c4bb3f45034e70d5e4d71db31e903ed2ee17528d2aeb6075ff3e160e25d9c9c6bf23e37b464617832d5b839e6be86bc555e9e380ccd

Download Submit
memory/1120-83-0x0000000001CB0000-0x0000000001CC7000-memory.dmp

Filesize
92KB

Download
memory/1120-80-0x0000000037C30000-0x0000000037C40000-memory.dmp

Filesize
64KB

Download
memory/1160-71-0x0000000000000000-mapping.dmp

Download
memory/1168-85-0x00000000001B0000-0x00000000001C7000-memory.dmp

Filesize
92KB

Download
memory/1168-82-0x0000000037C30000-0x0000000037C40000-memory.dmp

Filesize
64KB

Download
memory/1204-72-0x0000000002610000-0x0000000002627000-memory.dmp

Filesize
92KB

Download
memory/1204-87-0x000007FE92B60000-0x000007FE92B6A000-memory.dmp

Filesize
40KB

Download
memory/1204-86-0x000007FEF6B30000-0x000007FEF6C73000-memory.dmp

Filesize
1.3MB

Download
memory/1204-84-0x0000000002610000-0x0000000002627000-memory.dmp

Filesize
92KB

Download
memory/1204-75-0x0000000037C30000-0x0000000037C40000-memory.dmp

Filesize
64KB

Download
memory/1212-65-0x00000000003D0000-0x00000000003D4000-memory.dmp

Filesize
16KB

Download
memory/1212-54-0x00000000761E1000-0x00000000761E3000-memory.dmp

Filesize
8KB

Download
memory/2004-74-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2004-58-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2004-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2004-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2004-55-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2004-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2004-64-0x00000000004010C0-mapping.dmp

Download
memory/2004-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2004-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads