19b0485f5edecaecc98f8c3e3b66b7af51c349c19271092713f310983f75f22e

General

Target

online_transaktions_11_2014_0939380001_12987384_93_39_003_365_9388347_00111_02000028.exe
Size

164KB
MD5

744c74d17d06d1a57fde4eb674b658e5
SHA1

4db6ca64d8891bea93e4fef0e54753afefe2fc1f
SHA256

2c4ebda5b2fc4e138ac11f456cafc4fbdf81f557c1d27469da123a8a4bad7da4
SHA512

ca43f4e7d33d1192facb320d27dfda3519b5fe8c723baa79e9e71b87a677ea75577fb8bb3ae45365207c736ec1f7273ceed12de5725ff20005f172e77538decd
SSDEEP

3072:aLYWOECeWVKXdevckFFAn+jUkrKkO2oATT5o/2OWo:aLwxeSKXgckZBx3o4TWq

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

944 cmd.exe

pid	process
944	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dhohjter.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\dhohjter.exe\""	Explorer.EXE

Suspicious use of SetThreadContext 1 IoCs

Processes:

online_transaktions_11_2014_0939380001_12987384_93_39_003_365_9388347_00111_02000028.exe

description	pid	process	target process
PID 1612 set thread context of 1812	1612	online_transaktions_11_2014_0939380001_12987384_93_39_003_365_9388347_00111_02000028.exe	online_transaktions_11_2014_0939380001_12987384_93_39_003_365_9388347_00111_02000028.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

online_transaktions_11_2014_0939380001_12987384_93_39_003_365_9388347_00111_02000028.exeonline_transaktions_11_2014_0939380001_12987384_93_39_003_365_9388347_00111_02000028.exeExplorer.EXE

pid	process
1612	online_transaktions_11_2014_0939380001_12987384_93_39_003_365_9388347_00111_02000028.exe
1812	online_transaktions_11_2014_0939380001_12987384_93_39_003_365_9388347_00111_02000028.exe
1812	online_transaktions_11_2014_0939380001_12987384_93_39_003_365_9388347_00111_02000028.exe
1356	Explorer.EXE
1356	Explorer.EXE
1356	Explorer.EXE
1356	Explorer.EXE
1356	Explorer.EXE
1356	Explorer.EXE
1356	Explorer.EXE
1356	Explorer.EXE
1356	Explorer.EXE
1356	Explorer.EXE
1356	Explorer.EXE
1356	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

online_transaktions_11_2014_0939380001_12987384_93_39_003_365_9388347_00111_02000028.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1812	online_transaktions_11_2014_0939380001_12987384_93_39_003_365_9388347_00111_02000028.exe
Token: SeDebugPrivilege	1356	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1356 Explorer.EXE
1356 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1356 Explorer.EXE
1356 Explorer.EXE

pid	process
1356	Explorer.EXE
1356	Explorer.EXE

pid	process
1356	Explorer.EXE
1356	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

online_transaktions_11_2014_0939380001_12987384_93_39_003_365_9388347_00111_02000028.exe

pid	process
1612	online_transaktions_11_2014_0939380001_12987384_93_39_003_365_9388347_00111_02000028.exe
1612	online_transaktions_11_2014_0939380001_12987384_93_39_003_365_9388347_00111_02000028.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

1356 Explorer.EXE

pid	process
1356	Explorer.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

online_transaktions_11_2014_0939380001_12987384_93_39_003_365_9388347_00111_02000028.exeonline_transaktions_11_2014_0939380001_12987384_93_39_003_365_9388347_00111_02000028.exeExplorer.EXE

description	pid	process	target process
PID 1612 wrote to memory of 1812	1612	online_transaktions_11_2014_0939380001_12987384_93_39_003_365_9388347_00111_02000028.exe	online_transaktions_11_2014_0939380001_12987384_93_39_003_365_9388347_00111_02000028.exe
PID 1612 wrote to memory of 1812	1612	online_transaktions_11_2014_0939380001_12987384_93_39_003_365_9388347_00111_02000028.exe	online_transaktions_11_2014_0939380001_12987384_93_39_003_365_9388347_00111_02000028.exe
PID 1612 wrote to memory of 1812	1612	online_transaktions_11_2014_0939380001_12987384_93_39_003_365_9388347_00111_02000028.exe	online_transaktions_11_2014_0939380001_12987384_93_39_003_365_9388347_00111_02000028.exe
PID 1612 wrote to memory of 1812	1612	online_transaktions_11_2014_0939380001_12987384_93_39_003_365_9388347_00111_02000028.exe	online_transaktions_11_2014_0939380001_12987384_93_39_003_365_9388347_00111_02000028.exe
PID 1612 wrote to memory of 1812	1612	online_transaktions_11_2014_0939380001_12987384_93_39_003_365_9388347_00111_02000028.exe	online_transaktions_11_2014_0939380001_12987384_93_39_003_365_9388347_00111_02000028.exe
PID 1612 wrote to memory of 1812	1612	online_transaktions_11_2014_0939380001_12987384_93_39_003_365_9388347_00111_02000028.exe	online_transaktions_11_2014_0939380001_12987384_93_39_003_365_9388347_00111_02000028.exe
PID 1612 wrote to memory of 1812	1612	online_transaktions_11_2014_0939380001_12987384_93_39_003_365_9388347_00111_02000028.exe	online_transaktions_11_2014_0939380001_12987384_93_39_003_365_9388347_00111_02000028.exe
PID 1612 wrote to memory of 1812	1612	online_transaktions_11_2014_0939380001_12987384_93_39_003_365_9388347_00111_02000028.exe	online_transaktions_11_2014_0939380001_12987384_93_39_003_365_9388347_00111_02000028.exe
PID 1612 wrote to memory of 1812	1612	online_transaktions_11_2014_0939380001_12987384_93_39_003_365_9388347_00111_02000028.exe	online_transaktions_11_2014_0939380001_12987384_93_39_003_365_9388347_00111_02000028.exe
PID 1612 wrote to memory of 1812	1612	online_transaktions_11_2014_0939380001_12987384_93_39_003_365_9388347_00111_02000028.exe	online_transaktions_11_2014_0939380001_12987384_93_39_003_365_9388347_00111_02000028.exe
PID 1812 wrote to memory of 944	1812	online_transaktions_11_2014_0939380001_12987384_93_39_003_365_9388347_00111_02000028.exe	cmd.exe
PID 1812 wrote to memory of 944	1812	online_transaktions_11_2014_0939380001_12987384_93_39_003_365_9388347_00111_02000028.exe	cmd.exe
PID 1812 wrote to memory of 944	1812	online_transaktions_11_2014_0939380001_12987384_93_39_003_365_9388347_00111_02000028.exe	cmd.exe
PID 1812 wrote to memory of 944	1812	online_transaktions_11_2014_0939380001_12987384_93_39_003_365_9388347_00111_02000028.exe	cmd.exe
PID 1812 wrote to memory of 1356	1812	online_transaktions_11_2014_0939380001_12987384_93_39_003_365_9388347_00111_02000028.exe	Explorer.EXE
PID 1356 wrote to memory of 1240	1356	Explorer.EXE	taskhost.exe
PID 1356 wrote to memory of 1320	1356	Explorer.EXE	Dwm.exe
PID 1356 wrote to memory of 944	1356	Explorer.EXE	cmd.exe
PID 1356 wrote to memory of 944	1356	Explorer.EXE	cmd.exe
PID 1356 wrote to memory of 1256	1356	Explorer.EXE	conhost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1356

C:\Users\Admin\AppData\Local\Temp\online_transaktions_11_2014_0939380001_12987384_93_39_003_365_9388347_00111_02000028.exe
"C:\Users\Admin\AppData\Local\Temp\online_transaktions_11_2014_0939380001_12987384_93_39_003_365_9388347_00111_02000028.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1612

C:\Users\Admin\AppData\Local\Temp\online_transaktions_11_2014_0939380001_12987384_93_39_003_365_9388347_00111_02000028.exe
C:\Users\Admin\AppData\Local\Temp\online_transaktions_11_2014_0939380001_12987384_93_39_003_365_9388347_00111_02000028.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS3024~1.BAT"
4⤵
- Deletes itself
PID:944

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1320

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1240

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "104023927136570299919172501061910430442-1381025287-1952036318-18197740251938545325"
1⤵
PID:1256

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms3024091.bat

Filesize
201B

MD5
8780420fece291e7acd9bce3e959c79c

SHA1
42bcd99e12fd118e6a46bc93ac3df2a6631be57f

SHA256
155307b0ab84d059ceed0509481f8a396eaeb0ad8c21f9e9aef9a05443966810

SHA512
fc39bb7384db665c7acf861fa517c79ea30389bdb2cfff23d652ddcf66df976aae9a28868ef7a15afd664e30148ac655a4f3f4e19547eb8b7ed9cd3e538fd107

Download Submit
memory/944-72-0x0000000000000000-mapping.dmp

Download
memory/944-80-0x0000000000240000-0x0000000000254000-memory.dmp

Filesize
80KB

Download
memory/1240-87-0x0000000037550000-0x0000000037560000-memory.dmp

Filesize
64KB

Download
memory/1240-93-0x0000000001BD0000-0x0000000001BE7000-memory.dmp

Filesize
92KB

Download
memory/1256-90-0x00000000001B0000-0x00000000001C7000-memory.dmp

Filesize
92KB

Download
memory/1256-88-0x0000000037550000-0x0000000037560000-memory.dmp

Filesize
64KB

Download
memory/1320-86-0x0000000037550000-0x0000000037560000-memory.dmp

Filesize
64KB

Download
memory/1320-92-0x0000000000130000-0x0000000000147000-memory.dmp

Filesize
92KB

Download
memory/1356-91-0x00000000025A0000-0x00000000025B7000-memory.dmp

Filesize
92KB

Download
memory/1356-73-0x00000000025A0000-0x00000000025B7000-memory.dmp

Filesize
92KB

Download
memory/1356-75-0x0000000037550000-0x0000000037560000-memory.dmp

Filesize
64KB

Download
memory/1612-54-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/1612-65-0x0000000000280000-0x0000000000284000-memory.dmp

Filesize
16KB

Download
memory/1812-58-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1812-71-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1812-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1812-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1812-64-0x00000000004010C0-mapping.dmp

Download
memory/1812-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1812-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1812-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1812-55-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads