Overview

overview

7

Static

static

telekom_de...38.exe

windows7-x64

7

telekom_de...38.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    24-11-2022 04:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe

  • Size

    156KB

  • MD5

    6fed865f5e569f40c884f0dc9ba21f6f

  • SHA1

    603bf67bad75e611f80d311232edcb9f65706068

  • SHA256

    3f33ae4ea87e4c2f3b2c60152da482a116e9c453662ac438b50458e56edcd87c

  • SHA512

    b6a61eb80fac8d10435fa2280970c58a800fc86751e14bd3d5f1a1c62c7bc5a6b0b5b741770e0c6cfac78de20174d7c1cef6366c7bd0d07cabfad9d173a6cf31

  • SSDEEP

    3072:X2V3Q7emkdat92PH48GLnCo0dXjxTsuGb+j3FRvtVFVlD2Pq:mV3Q6m6at98LdzxwuGWJ7V1D

Score
7/10
persistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1260
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:1396
      • C:\Users\Admin\AppData\Local\Temp\telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
        "C:\Users\Admin\AppData\Local\Temp\telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1504
        • C:\Users\Admin\AppData\Local\Temp\telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
          C:\Users\Admin\AppData\Local\Temp\telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1536
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS3818~1.BAT"
            4⤵
            • Deletes itself
            PID:1796
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1344
      • C:\Windows\system32\conhost.exe
        \??\C:\Windows\system32\conhost.exe "-1035388673-49390344986238328-780695326-15180360221853456369-1052598401862982445"
        1⤵
          PID:1752

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\ms3818398.bat
          Filesize

          201B

          MD5

          d8da7ce80dbbca892298b4c77792299e

          SHA1

          c1f174ca6208b078da4d2836b66b8aa212f876af

          SHA256

          369b37aa38654860371b051bf244cf658e4d10fba62c2ddc762150f608a95e47

          SHA512

          65d109e2fd6d6dc220bdedcd9aced9a9dc4a9dfbecb3a3808d5a2d804d2c612f2ac5b14781592b32c8be347c33a77500dfc33cae13ce2fe8d111c4c597108650

          Download Submit

        • memory/1260-86-0x0000000037900000-0x0000000037910000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1260-88-0x0000000001C40000-0x0000000001C57000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1344-90-0x0000000000120000-0x0000000000137000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1344-87-0x0000000037900000-0x0000000037910000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1396-73-0x0000000002540000-0x0000000002557000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1396-89-0x0000000002540000-0x0000000002557000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1396-75-0x0000000037900000-0x0000000037910000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1504-54-0x00000000768A1000-0x00000000768A3000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1504-65-0x0000000000430000-0x0000000000434000-memory.dmp

          Filesize

          16KB

          Download

        • memory/1536-58-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1536-56-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1536-71-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1536-67-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1536-55-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1536-62-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1536-60-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1536-64-0x00000000004010C0-mapping.dmp

          Download

        • memory/1536-63-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1796-80-0x0000000000020000-0x0000000000034000-memory.dmp

          Filesize

          80KB

          Download

        • memory/1796-91-0x0000000037AB0000-0x0000000037AC0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1796-92-0x0000000037AB0000-0x0000000037AC0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1796-72-0x0000000000000000-mapping.dmp

          Download

        • memory/1796-94-0x0000000000080000-0x0000000000094000-memory.dmp

          Filesize

          80KB

          Download

        • memory/1796-95-0x0000000000020000-0x0000000000034000-memory.dmp

          Filesize

          80KB

          Download