bd5125c8b8651485be843145ee1fe3635590a32a6c9580464a43fa96f19d17ae

General

Target

2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
Size

176KB
MD5

26599a5d851894bac450a5529f779960
SHA1

86ad307147dcc84a84433c6728444f8f36e7a1e8
SHA256

5375bce7f7d28f834652064ba8c6f41864f3e1fef385aa093a14cf00165976de
SHA512

87a354060184dc12c9ee156e863cf62ebb95bb3557c75851c987cf3889f7445ccf2e1c9b93ceb6a1bc74ae5fcf03d60b3a8b93cf112f1586a5a033b1a4b6199b
SSDEEP

3072:K1tv0jMkCL5x8KxMFS/71d0u6O6DZxwWpPcrKxCtxQ/LgM8rPp0j0:KTCEXz/7D0u6RlxRPk8P8r+I

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1168 cmd.exe

pid	process
1168	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\usrbdvpp.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\usrbdvpp.exe\""	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exeExplorer.EXE

pid	process
2032	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
2032	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
1368	Explorer.EXE
1368	Explorer.EXE
1368	Explorer.EXE
1368	Explorer.EXE
1368	Explorer.EXE
1368	Explorer.EXE
1368	Explorer.EXE
1368	Explorer.EXE
1368	Explorer.EXE
1368	Explorer.EXE
1368	Explorer.EXE
1368	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exeExplorer.EXE

pid process

2032 2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
1368 Explorer.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	2032	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
Token: SeDebugPrivilege	1368	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

1368 Explorer.EXE

pid	process
1368	Explorer.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exeExplorer.EXE

description	pid	process	target process
PID 2032 wrote to memory of 1168	2032	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	cmd.exe
PID 2032 wrote to memory of 1168	2032	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	cmd.exe
PID 2032 wrote to memory of 1168	2032	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	cmd.exe
PID 2032 wrote to memory of 1168	2032	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	cmd.exe
PID 2032 wrote to memory of 1368	2032	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	Explorer.EXE
PID 1368 wrote to memory of 1244	1368	Explorer.EXE	taskhost.exe
PID 1368 wrote to memory of 1332	1368	Explorer.EXE	Dwm.exe
PID 1368 wrote to memory of 2032	1368	Explorer.EXE	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
PID 1368 wrote to memory of 1168	1368	Explorer.EXE	cmd.exe
PID 1368 wrote to memory of 828	1368	Explorer.EXE	conhost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1368

C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
"C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS7001~1.BAT"
3⤵
- Deletes itself
PID:1168

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1332

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1244

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-741916371193032224614466979491974295888940060136-750509052-6410529011775898760"
1⤵
PID:828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms7001333.bat

Filesize
201B

MD5
433abdbc6d6b6de8c36d7c15e6abcae4

SHA1
55b3e397bdf79e86f27490705fd94a9fb8daa5df

SHA256
4234feda6ef9c06ba5c5119890e8868d564c5260629faeb18ae264088cee423a

SHA512
3f9a4a76f946c191c6e4d810b96d1ae6345e7b82a7880b183073795cb11b2e0cfcb1ffcfca70cfaae4523c9eaeb085c03f80dd2c9cd54bc551a473f17b1e59c7

Download Submit
memory/828-77-0x00000000000A0000-0x00000000000B7000-memory.dmp

Filesize
92KB

Download
memory/828-71-0x0000000037AB0000-0x0000000037AC0000-memory.dmp

Filesize
64KB

Download
memory/1168-55-0x0000000000000000-mapping.dmp

Download
memory/1168-80-0x0000000000110000-0x0000000000124000-memory.dmp

Filesize
80KB

Download
memory/1168-79-0x0000000037C60000-0x0000000037C70000-memory.dmp

Filesize
64KB

Download
memory/1244-78-0x0000000001CE0000-0x0000000001CF7000-memory.dmp

Filesize
92KB

Download
memory/1244-70-0x0000000037AB0000-0x0000000037AC0000-memory.dmp

Filesize
64KB

Download
memory/1332-76-0x0000000000120000-0x0000000000137000-memory.dmp

Filesize
92KB

Download
memory/1332-69-0x0000000037AB0000-0x0000000037AC0000-memory.dmp

Filesize
64KB

Download
memory/1368-75-0x0000000002AD0000-0x0000000002AE7000-memory.dmp

Filesize
92KB

Download
memory/1368-58-0x0000000037AB0000-0x0000000037AC0000-memory.dmp

Filesize
64KB

Download
memory/1368-56-0x0000000002AD0000-0x0000000002AE7000-memory.dmp

Filesize
92KB

Download
memory/1368-81-0x000007FEF6600000-0x000007FEF6743000-memory.dmp

Filesize
1.3MB

Download
memory/1368-82-0x000007FEDDF20000-0x000007FEDDF2A000-memory.dmp

Filesize
40KB

Download
memory/2032-73-0x0000000000140000-0x000000000014D000-memory.dmp

Filesize
52KB

Download
memory/2032-74-0x0000000001020000-0x0000000001054000-memory.dmp

Filesize
208KB

Download
memory/2032-54-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/2032-63-0x00000000001F0000-0x0000000000204000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads