012c6e4c376585d25e49af005a2b8151aa06963e65807fe45187ea7ccb3cd5b3

General

Target

rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
Size

176KB
MD5

5095f22cbdd7c59303fb7d670c97afa5
SHA1

35712036e76c5215b512f9ddb73321617387a98c
SHA256

79e4ffae8c0d0abd80d090d5f3465855b25955509e78d0ced3eab4cfa6d43015
SHA512

9c4815c773a1b57c1178056fec3063894869b51af02cca52baf94a8ee1644d90a2b7444951979f15ecf90f718ad920353cf21927e754158580e479ea5106c0fc
SSDEEP

3072:5KzHNmI+9MEJRuOmz1C+cSQStd3jUQdW6OTHeOO16ogZrssN6wc+ga0Mhze:5qHByNJGBC+Cqz14TE6dZr5PQ

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1940	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\gtntglna.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\gtntglna.exe\""	Explorer.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1992 set thread context of 2012	1992	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	27

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
1992	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
1992	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
1992	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
2012	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
2012	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
1420	Explorer.EXE
1420	Explorer.EXE
1420	Explorer.EXE
1420	Explorer.EXE
1420	Explorer.EXE
1420	Explorer.EXE
1420	Explorer.EXE
1420	Explorer.EXE
1420	Explorer.EXE
1420	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2012	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
Token: SeDebugPrivilege	1420	Explorer.EXE
Token: SeShutdownPrivilege	1420	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1420	Explorer.EXE
1420	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1420	Explorer.EXE
1420	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1992	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
1992	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1420	Explorer.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2012	1992	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	27
PID 1992 wrote to memory of 2012	1992	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	27
PID 1992 wrote to memory of 2012	1992	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	27
PID 1992 wrote to memory of 2012	1992	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	27
PID 1992 wrote to memory of 2012	1992	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	27
PID 1992 wrote to memory of 2012	1992	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	27
PID 1992 wrote to memory of 2012	1992	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	27
PID 1992 wrote to memory of 2012	1992	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	27
PID 1992 wrote to memory of 2012	1992	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	27
PID 1992 wrote to memory of 2012	1992	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	27
PID 2012 wrote to memory of 1940	2012	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	28
PID 2012 wrote to memory of 1940	2012	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	28
PID 2012 wrote to memory of 1940	2012	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	28
PID 2012 wrote to memory of 1940	2012	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	28
PID 2012 wrote to memory of 1420	2012	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	14
PID 1420 wrote to memory of 1260	1420	Explorer.EXE	16
PID 1420 wrote to memory of 1364	1420	Explorer.EXE	15
PID 1420 wrote to memory of 1940	1420	Explorer.EXE	28
PID 1420 wrote to memory of 1940	1420	Explorer.EXE	28
PID 1420 wrote to memory of 984	1420	Explorer.EXE	29

C:\Users\Admin\AppData\Local\Temp\rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
"C:\Users\Admin\AppData\Local\Temp\rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Local\Temp\rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
  C:\Users\Admin\AppData\Local\Temp\rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS7921~1.BAT"
    3⤵
    - Deletes itself
    PID:1940

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1364

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1260

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-758819449-1324412901-1241252627-25441830175320628-98242187-14929936411147370683"
1⤵
PID:984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms7921405.bat

Filesize
201B

MD5
ad1952aa4665d56c4a470871ff6ccd94

SHA1
ed158f9adae7230bf2bdf4c0ba39c4253a318a89

SHA256
5880e263922a8c0ead27768e590038f50d4ba7bc48494764278726c8d1f2718f

SHA512
0a384e88359a86ce446784a8d080b56e4698f9db0cee80d663c33c8f8fbd47920296e175f20b043b15129e4ab11ceeabe287e19f92b4a7649f90535a0510f04d

Download Submit
memory/1260-91-0x0000000001D30000-0x0000000001D47000-memory.dmp

Filesize
92KB

Download
memory/1260-81-0x0000000037540000-0x0000000037550000-memory.dmp

Filesize
64KB

Download
memory/1364-92-0x00000000001B0000-0x00000000001C7000-memory.dmp

Filesize
92KB

Download
memory/1364-84-0x0000000037540000-0x0000000037550000-memory.dmp

Filesize
64KB

Download
memory/1420-72-0x0000000002270000-0x0000000002287000-memory.dmp

Filesize
92KB

Download
memory/1420-93-0x0000000002270000-0x0000000002287000-memory.dmp

Filesize
92KB

Download
memory/1420-76-0x0000000002270000-0x0000000002287000-memory.dmp

Filesize
92KB

Download
memory/1420-75-0x0000000037540000-0x0000000037550000-memory.dmp

Filesize
64KB

Download
memory/1940-89-0x00000000001F0000-0x0000000000204000-memory.dmp

Filesize
80KB

Download
memory/1940-82-0x00000000001D0000-0x00000000001E4000-memory.dmp

Filesize
80KB

Download
memory/1992-65-0x00000000002D0000-0x00000000002D4000-memory.dmp

Filesize
16KB

Download
memory/1992-54-0x0000000076121000-0x0000000076123000-memory.dmp

Filesize
8KB

Download
memory/2012-74-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2012-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2012-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2012-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2012-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2012-58-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2012-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2012-55-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing