1a2c568dfc3d071ea5a5c19647af60fa3056618f23c55ae4103855672fc35929

General

Target

ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe
Size

164KB
MD5

b779127121ae2844dd49a63a9017fa2f
SHA1

638a99a79bc63a7211422db7b851725b62b3617b
SHA256

4241921870ae6fee9cef8a48cfa99f2189dd6d2e88ea22bff6caf6474d7d3ee0
SHA512

c43aafb393ba68406c02a507d1ad5fbc18d78625a65a4c65a5c921ad5bc0cde050a513860c1e9340d6b1dde77b687d1c1a33481e883d5f1097d159f1abab5d2d
SSDEEP

3072:ZJ/YG2oBH7RFQcISXZtYs9DiOkqBFtQhMpDhCVT1A6djL9Jf+yY:ZJ/GoJti4jFtQh2hCVTd/

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2036	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\gtntglna.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\gtntglna.exe\""	Explorer.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1788 set thread context of 904	1788	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe	27

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1788	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe
904	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe
904	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe
1416	Explorer.EXE
1416	Explorer.EXE
1416	Explorer.EXE
1416	Explorer.EXE
1416	Explorer.EXE
1416	Explorer.EXE
1416	Explorer.EXE
1416	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	904	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe
Token: SeDebugPrivilege	1416	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1416	Explorer.EXE
1416	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1416	Explorer.EXE
1416	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1788	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe
1788	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1416	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 904	1788	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe	27
PID 1788 wrote to memory of 904	1788	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe	27
PID 1788 wrote to memory of 904	1788	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe	27
PID 1788 wrote to memory of 904	1788	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe	27
PID 1788 wrote to memory of 904	1788	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe	27
PID 1788 wrote to memory of 904	1788	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe	27
PID 1788 wrote to memory of 904	1788	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe	27
PID 1788 wrote to memory of 904	1788	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe	27
PID 1788 wrote to memory of 904	1788	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe	27
PID 1788 wrote to memory of 904	1788	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe	27
PID 904 wrote to memory of 2036	904	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe	28
PID 904 wrote to memory of 2036	904	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe	28
PID 904 wrote to memory of 2036	904	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe	28
PID 904 wrote to memory of 2036	904	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe	28
PID 904 wrote to memory of 1416	904	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe	13
PID 1416 wrote to memory of 1228	1416	Explorer.EXE	15
PID 1416 wrote to memory of 1368	1416	Explorer.EXE	14
PID 1416 wrote to memory of 1368	1416	Explorer.EXE	14

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Users\Admin\AppData\Local\Temp\ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe
  "C:\Users\Admin\AppData\Local\Temp\ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Users\Admin\AppData\Local\Temp\ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe
    C:\Users\Admin\AppData\Local\Temp\ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:904
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS3962~1.BAT"
      4⤵
      Deletes itself
      PID:2036

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1368

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms3962763.bat

Filesize
201B

MD5
ae1df430147bd3693f349832fed63c6b

SHA1
d7e2b7edaa65315e4a9c155c0e31df4ce052dfba

SHA256
10b81d6355c5f61a2f46b55cbcff14e45a8cdb5316ac7148ab92c9c885e787fe

SHA512
687c42a401dcca857e847df168a8ebecde5a63b7be1715d1e58ab6147d24843e6a8a3ef9d3057b39edde1454301ae60c125bf95fdb6127cf69119d68e7db4fb8

Download Submit
memory/904-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/904-58-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/904-55-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/904-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/904-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/904-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/904-64-0x00000000004010C0-mapping.dmp

Download
memory/904-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/904-74-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1228-81-0x0000000037150000-0x0000000037160000-memory.dmp

Filesize
64KB

Download
memory/1228-87-0x0000000000330000-0x0000000000347000-memory.dmp

Filesize
92KB

Download
memory/1368-84-0x0000000037150000-0x0000000037160000-memory.dmp

Filesize
64KB

Download
memory/1368-89-0x00000000001A0000-0x00000000001B7000-memory.dmp

Filesize
92KB

Download
memory/1368-85-0x0000000037150000-0x0000000037160000-memory.dmp

Filesize
64KB

Download
memory/1368-88-0x00000000001C0000-0x00000000001D7000-memory.dmp

Filesize
92KB

Download
memory/1416-75-0x0000000037150000-0x0000000037160000-memory.dmp

Filesize
64KB

Download
memory/1416-90-0x00000000021E0000-0x00000000021F7000-memory.dmp

Filesize
92KB

Download
memory/1416-86-0x00000000021E0000-0x00000000021F7000-memory.dmp

Filesize
92KB

Download
memory/1416-72-0x00000000021E0000-0x00000000021F7000-memory.dmp

Filesize
92KB

Download
memory/1788-54-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/1788-65-0x0000000000380000-0x0000000000384000-memory.dmp

Filesize
16KB

Download
memory/2036-71-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing