c293428bf3f132f44093e00ed4e8d5f9711af0f69e0c4809976ad603afa5f579

General

Target

rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
Size

168KB
MD5

91291b0c1fb27cff77c5a7731807abf0
SHA1

0cdd5dcdf23c65136faf067d55a098f1fb93469f
SHA256

ede3136fd45a022bb470ff9a2752d4b48c641e1fe6ddc4aa5fa3a414b6921b95
SHA512

65632a66c7cb3fdbdf0e89de5298b378597e96e8a1a96f232669dd7a70235b428b45f529f6175555ea67ad987dbdfade0697b3ee440bfebf9a473db3279b490a
SSDEEP

3072:pVmADg66x5y7FuW3jLi2ikZSYbmlpSchjDeL8lOW+9d+zr3/1C:pVA665pW3Z7ZS9h2LjOM

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1628	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\ianvmjrr.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\ianvmjrr.exe\""	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1516 set thread context of 1416	1516	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe	28

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1516	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
1416	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
1416	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1264	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1416	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
Token: SeDebugPrivilege	1264	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1264	Explorer.EXE
1264	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1264	Explorer.EXE
1264	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1516	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
1516	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1264	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 1416	1516	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe	28
PID 1516 wrote to memory of 1416	1516	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe	28
PID 1516 wrote to memory of 1416	1516	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe	28
PID 1516 wrote to memory of 1416	1516	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe	28
PID 1516 wrote to memory of 1416	1516	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe	28
PID 1516 wrote to memory of 1416	1516	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe	28
PID 1516 wrote to memory of 1416	1516	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe	28
PID 1516 wrote to memory of 1416	1516	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe	28
PID 1516 wrote to memory of 1416	1516	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe	28
PID 1516 wrote to memory of 1416	1516	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe	28
PID 1416 wrote to memory of 1628	1416	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe	29
PID 1416 wrote to memory of 1628	1416	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe	29
PID 1416 wrote to memory of 1628	1416	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe	29
PID 1416 wrote to memory of 1628	1416	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe	29
PID 1416 wrote to memory of 1264	1416	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe	20
PID 1264 wrote to memory of 1120	1264	Explorer.EXE	15
PID 1264 wrote to memory of 1184	1264	Explorer.EXE	23

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Users\Admin\AppData\Local\Temp\rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
  "C:\Users\Admin\AppData\Local\Temp\rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Users\Admin\AppData\Local\Temp\rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
    C:\Users\Admin\AppData\Local\Temp\rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1416
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS9068~1.BAT"
      4⤵
      Deletes itself
      PID:1628

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms9068152.bat

Filesize
201B

MD5
56d8d1d756a52838c8c8e362aa327cb1

SHA1
914be71710c0f3955d04f3be74d760bd1ba9f9f5

SHA256
7ef50eaec707347f7bf540a24113a48e9f630912b10e76d1c18806cf39283aff

SHA512
c1ff62e371b18c7f56f88b81abc5207df351992162d8c27cebb4f6322108fc73ce67fd34b24d3c7f8c11104dede9490222f87a28a264008863b0430f86f76323

Download Submit
memory/1120-84-0x0000000001B40000-0x0000000001B57000-memory.dmp

Filesize
92KB

Download
memory/1120-81-0x0000000037600000-0x0000000037610000-memory.dmp

Filesize
64KB

Download
memory/1184-85-0x0000000000130000-0x0000000000147000-memory.dmp

Filesize
92KB

Download
memory/1184-82-0x0000000037600000-0x0000000037610000-memory.dmp

Filesize
64KB

Download
memory/1264-72-0x0000000002150000-0x0000000002167000-memory.dmp

Filesize
92KB

Download
memory/1264-87-0x000007FEC3A20000-0x000007FEC3A2A000-memory.dmp

Filesize
40KB

Download
memory/1264-86-0x000007FEF61E0000-0x000007FEF6323000-memory.dmp

Filesize
1.3MB

Download
memory/1264-83-0x0000000002150000-0x0000000002167000-memory.dmp

Filesize
92KB

Download
memory/1264-75-0x0000000037600000-0x0000000037610000-memory.dmp

Filesize
64KB

Download
memory/1416-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1416-74-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1416-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1416-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1416-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1416-58-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1416-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1416-55-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1516-65-0x00000000001D0000-0x00000000001D4000-memory.dmp

Filesize
16KB

Download
memory/1516-54-0x0000000075F01000-0x0000000075F03000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing