3ea0ac45fa1a957e56017b3ff51f985835493648411e63a3f2877395e1e1c21a

General

Target

ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe
Size

168KB
MD5

60e3cb5dd482ce771d0e5c6576a8269c
SHA1

33573fa6ad2ac27d48bd3ef1f84739449ec4b682
SHA256

37d254df44c84c208156c066068f2397e57413affd480a80dc01d0b2eb0cbb31
SHA512

bf2fab79ed0dd3fe763f6e2a0b809454536a5335ef29ebea40d562f2b745d695489d9d3039ab0f79b9f982863bfa0a266996c827b2338712f61965077e65eaa8
SSDEEP

3072:CdLyZlwEyKcoO29Y5eCPN2bViTphJP12EFs+NLVgu2TVAOWX:sLaw7F3CY5e+CVi/yEXlVh2hk

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1356 cmd.exe

pid	process
1356	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\engtvbbi.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\engtvbbi.exe\""	Explorer.EXE

Suspicious use of SetThreadContext 1 IoCs

Processes:

ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe

description	pid	process	target process
PID 1952 set thread context of 1884	1952	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exeihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exeExplorer.EXE

pid	process
1952	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe
1952	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe
1952	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe
1884	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe
1884	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1264 Explorer.EXE

pid	process
1264	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1884	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe
Token: SeDebugPrivilege	1264	Explorer.EXE
Token: SeShutdownPrivilege	1264	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1264 Explorer.EXE
1264 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1264 Explorer.EXE
1264 Explorer.EXE

pid	process
1264	Explorer.EXE
1264	Explorer.EXE

pid	process
1264	Explorer.EXE
1264	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe

pid	process
1952	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe
1952	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

1264 Explorer.EXE

pid	process
1264	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exeihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exeExplorer.EXE

description	pid	process	target process
PID 1952 wrote to memory of 1884	1952	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe
PID 1952 wrote to memory of 1884	1952	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe
PID 1952 wrote to memory of 1884	1952	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe
PID 1952 wrote to memory of 1884	1952	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe
PID 1952 wrote to memory of 1884	1952	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe
PID 1952 wrote to memory of 1884	1952	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe
PID 1952 wrote to memory of 1884	1952	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe
PID 1952 wrote to memory of 1884	1952	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe
PID 1952 wrote to memory of 1884	1952	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe
PID 1952 wrote to memory of 1884	1952	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe
PID 1884 wrote to memory of 1356	1884	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe	cmd.exe
PID 1884 wrote to memory of 1356	1884	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe	cmd.exe
PID 1884 wrote to memory of 1356	1884	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe	cmd.exe
PID 1884 wrote to memory of 1356	1884	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe	cmd.exe
PID 1884 wrote to memory of 1264	1884	ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe	Explorer.EXE
PID 1264 wrote to memory of 1140	1264	Explorer.EXE	taskhost.exe
PID 1264 wrote to memory of 1140	1264	Explorer.EXE	taskhost.exe
PID 1264 wrote to memory of 1200	1264	Explorer.EXE	Dwm.exe
PID 1264 wrote to memory of 1356	1264	Explorer.EXE	cmd.exe
PID 1264 wrote to memory of 1356	1264	Explorer.EXE	cmd.exe
PID 1264 wrote to memory of 672	1264	Explorer.EXE	conhost.exe
PID 1264 wrote to memory of 672	1264	Explorer.EXE	conhost.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1140

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1200

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1264

C:\Users\Admin\AppData\Local\Temp\ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe
"C:\Users\Admin\AppData\Local\Temp\ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1952

C:\Users\Admin\AppData\Local\Temp\ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe
C:\Users\Admin\AppData\Local\Temp\ihre_telekom_mobilfunk_november_2014_00002930200_1_3_5_021090_82137_002_008_0004.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS4763~1.BAT"
4⤵
- Deletes itself
PID:1356

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1123874482-19945975921781216027-3965285565148262981992111507-12905996-204665988"
1⤵
PID:672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms4763869.bat

Filesize
201B

MD5
adc3189d9c66a8213b24358c9d11b003

SHA1
444f310a211a3d24a99eb5af00923ff9a2ebc978

SHA256
dd1379c92f9cd543b002ea4cc458d9ce6120515226fea0e4a5510fe50e0669ad

SHA512
3ed2923f7f266434f783add82cda1a45feed7b77cd9330bf3fc6654d0fb54117b72db1ca307c8c88df816a3b23e0462cc90a5b188316d6f814b42acb46d47b85

Download Submit
memory/672-94-0x0000000000240000-0x0000000000257000-memory.dmp

Filesize
92KB

Download
memory/1140-97-0x0000000000330000-0x0000000000347000-memory.dmp

Filesize
92KB

Download
memory/1140-95-0x0000000036E00000-0x0000000036E10000-memory.dmp

Filesize
64KB

Download
memory/1140-91-0x0000000036E00000-0x0000000036E10000-memory.dmp

Filesize
64KB

Download
memory/1140-99-0x0000000000310000-0x0000000000327000-memory.dmp

Filesize
92KB

Download
memory/1200-98-0x0000000000120000-0x0000000000137000-memory.dmp

Filesize
92KB

Download
memory/1200-93-0x0000000036E00000-0x0000000036E10000-memory.dmp

Filesize
64KB

Download
memory/1264-96-0x0000000002A30000-0x0000000002A47000-memory.dmp

Filesize
92KB

Download
memory/1264-72-0x0000000002A30000-0x0000000002A47000-memory.dmp

Filesize
92KB

Download
memory/1264-75-0x0000000036E00000-0x0000000036E10000-memory.dmp

Filesize
64KB

Download
memory/1356-82-0x0000000000240000-0x0000000000254000-memory.dmp

Filesize
80KB

Download
memory/1356-92-0x0000000000260000-0x0000000000274000-memory.dmp

Filesize
80KB

Download
memory/1356-71-0x0000000000000000-mapping.dmp

Download
memory/1884-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1884-74-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1884-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1884-64-0x00000000004010C0-mapping.dmp

Download
memory/1884-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1884-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1884-58-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1884-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1884-55-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1952-65-0x0000000000280000-0x0000000000284000-memory.dmp

Filesize
16KB

Download
memory/1952-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads