6e7067386806391d3a0fa0357c05d06111f20dbd1c978767bbb3b82ea5ddc44f

General

Target

rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
Size

168KB
MD5

f914047ba6e8f5bbc2eb67c2bf8336ee
SHA1

a90281ee27ac6d692fbc245e0ea688f3f9c860a2
SHA256

03baf1186fd318f5ed6ee848201f5f998c873cecaa2ec3313d6d60e17d78f4dd
SHA512

46c448718d92e834f410de23485d30848db8246ffd9d79fc5fe9575d7aa1a55cb646803dadeace3a4c891bbc9ba8cb2f46bc26285f6efc5c3a1030ab28502a1a
SSDEEP

3072:mdLyZlwEyKcoO29Y5eCPN2bViTphJP12EFs+NLVgu2TVAOWX:4Law7F3CY5e+CVi/yEXlVh2hk

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bfbckpnl.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\bfbckpnl.exe\""	Explorer.EXE

Suspicious use of SetThreadContext 1 IoCs

Processes:

rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe

description	pid	process	target process
PID 2016 set thread context of 2468	2016	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exerechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exeExplorer.EXE

pid	process
2016	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
2016	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
2016	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
2016	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
2016	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
2016	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
2468	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
2468	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
1040	Explorer.EXE
1040	Explorer.EXE
1040	Explorer.EXE
1040	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	2468	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
Token: SeDebugPrivilege	1040	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe

pid	process
2016	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
2016	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exerechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exeExplorer.EXE

description	pid	process	target process
PID 2016 wrote to memory of 2468	2016	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
PID 2016 wrote to memory of 2468	2016	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
PID 2016 wrote to memory of 2468	2016	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
PID 2016 wrote to memory of 2468	2016	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
PID 2016 wrote to memory of 2468	2016	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
PID 2016 wrote to memory of 2468	2016	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
PID 2016 wrote to memory of 2468	2016	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
PID 2016 wrote to memory of 2468	2016	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
PID 2016 wrote to memory of 2468	2016	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
PID 2468 wrote to memory of 5032	2468	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe	cmd.exe
PID 2468 wrote to memory of 5032	2468	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe	cmd.exe
PID 2468 wrote to memory of 5032	2468	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe	cmd.exe
PID 2468 wrote to memory of 1040	2468	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe	Explorer.EXE
PID 1040 wrote to memory of 2452	1040	Explorer.EXE	sihost.exe
PID 1040 wrote to memory of 2536	1040	Explorer.EXE	svchost.exe
PID 1040 wrote to memory of 2680	1040	Explorer.EXE	taskhostw.exe
PID 1040 wrote to memory of 3096	1040	Explorer.EXE	svchost.exe
PID 1040 wrote to memory of 3288	1040	Explorer.EXE	DllHost.exe

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3096

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1040

C:\Users\Admin\AppData\Local\Temp\rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
"C:\Users\Admin\AppData\Local\Temp\rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Local\Temp\rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
C:\Users\Admin\AppData\Local\Temp\rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2468

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS8300~1.BAT"
4⤵
PID:5032

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2536

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2452

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1040-138-0x00007FF9A63F0000-0x00007FF9A6400000-memory.dmp

Filesize
64KB

Download
memory/2016-135-0x0000000000B00000-0x0000000000B04000-memory.dmp

Filesize
16KB

Download
memory/2468-132-0x0000000000000000-mapping.dmp

Download
memory/2468-133-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2468-136-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5032-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads