e8a3ef1c9366a7a0ba1138557b3c39eaeac552c06bf55d0724a02e36467838c5

General

Target

volksbank_de_transaktions_id_000023928001_2014_11_0000390382755_00003997550002.exe
Size

148KB
MD5

85361cc6dd212579eb0c5974a7ab0faf
SHA1

8a9d5e8cd1f75b48b4113955b55849bc10a9eb14
SHA256

b673c683d1ae36a0c6401adda9d23e05468fe2a5067ad4d785b39c0aed4f125e
SHA512

593af436b85f2a2540b143c79a93211e499bec7de583cbdfa46fd5f432fa52c1f0ed99dc18e6eb654622bedeb1a0b3decb77b3ad09f46bc9c687117dec0dae3a
SSDEEP

1536:+fr+0Z9MV6eBqDDo2d7M6RO5UrU5mOLiWJ1L6RtJvfyGYkk/8H8LnSH0yxWuf:VYLeS08nc5UrUPLiWJKJf548HkSUyMuf

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
704	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\engtvbbi.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\engtvbbi.exe\""	Explorer.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1128 set thread context of 1484	1128	volksbank_de_transaktions_id_000023928001_2014_11_0000390382755_00003997550002.exe	28

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
1128	volksbank_de_transaktions_id_000023928001_2014_11_0000390382755_00003997550002.exe
1128	volksbank_de_transaktions_id_000023928001_2014_11_0000390382755_00003997550002.exe
1128	volksbank_de_transaktions_id_000023928001_2014_11_0000390382755_00003997550002.exe
1484	volksbank_de_transaktions_id_000023928001_2014_11_0000390382755_00003997550002.exe
1484	volksbank_de_transaktions_id_000023928001_2014_11_0000390382755_00003997550002.exe
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1244	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1484	volksbank_de_transaktions_id_000023928001_2014_11_0000390382755_00003997550002.exe
Token: SeDebugPrivilege	1244	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1244	Explorer.EXE
1244	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1244	Explorer.EXE
1244	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1128	volksbank_de_transaktions_id_000023928001_2014_11_0000390382755_00003997550002.exe
1128	volksbank_de_transaktions_id_000023928001_2014_11_0000390382755_00003997550002.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 1484	1128	volksbank_de_transaktions_id_000023928001_2014_11_0000390382755_00003997550002.exe	28
PID 1128 wrote to memory of 1484	1128	volksbank_de_transaktions_id_000023928001_2014_11_0000390382755_00003997550002.exe	28
PID 1128 wrote to memory of 1484	1128	volksbank_de_transaktions_id_000023928001_2014_11_0000390382755_00003997550002.exe	28
PID 1128 wrote to memory of 1484	1128	volksbank_de_transaktions_id_000023928001_2014_11_0000390382755_00003997550002.exe	28
PID 1128 wrote to memory of 1484	1128	volksbank_de_transaktions_id_000023928001_2014_11_0000390382755_00003997550002.exe	28
PID 1128 wrote to memory of 1484	1128	volksbank_de_transaktions_id_000023928001_2014_11_0000390382755_00003997550002.exe	28
PID 1128 wrote to memory of 1484	1128	volksbank_de_transaktions_id_000023928001_2014_11_0000390382755_00003997550002.exe	28
PID 1128 wrote to memory of 1484	1128	volksbank_de_transaktions_id_000023928001_2014_11_0000390382755_00003997550002.exe	28
PID 1128 wrote to memory of 1484	1128	volksbank_de_transaktions_id_000023928001_2014_11_0000390382755_00003997550002.exe	28
PID 1128 wrote to memory of 1484	1128	volksbank_de_transaktions_id_000023928001_2014_11_0000390382755_00003997550002.exe	28
PID 1484 wrote to memory of 704	1484	volksbank_de_transaktions_id_000023928001_2014_11_0000390382755_00003997550002.exe	29
PID 1484 wrote to memory of 704	1484	volksbank_de_transaktions_id_000023928001_2014_11_0000390382755_00003997550002.exe	29
PID 1484 wrote to memory of 704	1484	volksbank_de_transaktions_id_000023928001_2014_11_0000390382755_00003997550002.exe	29
PID 1484 wrote to memory of 704	1484	volksbank_de_transaktions_id_000023928001_2014_11_0000390382755_00003997550002.exe	29
PID 1484 wrote to memory of 1244	1484	volksbank_de_transaktions_id_000023928001_2014_11_0000390382755_00003997550002.exe	15
PID 1244 wrote to memory of 1140	1244	Explorer.EXE	18
PID 1244 wrote to memory of 1180	1244	Explorer.EXE	17
PID 1244 wrote to memory of 704	1244	Explorer.EXE	29
PID 1244 wrote to memory of 704	1244	Explorer.EXE	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Users\Admin\AppData\Local\Temp\volksbank_de_transaktions_id_000023928001_2014_11_0000390382755_00003997550002.exe
  "C:\Users\Admin\AppData\Local\Temp\volksbank_de_transaktions_id_000023928001_2014_11_0000390382755_00003997550002.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Users\Admin\AppData\Local\Temp\volksbank_de_transaktions_id_000023928001_2014_11_0000390382755_00003997550002.exe
    C:\Users\Admin\AppData\Local\Temp\volksbank_de_transaktions_id_000023928001_2014_11_0000390382755_00003997550002.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1484
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\ms523388.bat"
      4⤵
      Deletes itself
      PID:704

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1180

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms523388.bat

Filesize
201B

MD5
89d03b08f9c53a7990029a9b3cdd6f20

SHA1
138d072e41a3a2ed5089eb5b2d91c078d3088d54

SHA256
9d81572fb472479eb48b4828b58ce8fb8722e75f1a98f1c0e6f3c04b2773a0a6

SHA512
9830499c25223e68d57c89f26ba8e6ed76bea872c03576c83fbc34ef90339ec9490515a4ce498f381f66ee45267754d47214613ec37f8894739917b76c653a47

Download Submit
memory/704-82-0x0000000000120000-0x0000000000134000-memory.dmp

Filesize
80KB

Download
memory/1128-54-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/1128-65-0x0000000000380000-0x0000000000384000-memory.dmp

Filesize
16KB

Download
memory/1140-87-0x0000000001CB0000-0x0000000001CC7000-memory.dmp

Filesize
92KB

Download
memory/1140-84-0x0000000037AD0000-0x0000000037AE0000-memory.dmp

Filesize
64KB

Download
memory/1180-89-0x00000000001A0000-0x00000000001B7000-memory.dmp

Filesize
92KB

Download
memory/1180-86-0x0000000037AD0000-0x0000000037AE0000-memory.dmp

Filesize
64KB

Download
memory/1244-73-0x00000000029A0000-0x00000000029B7000-memory.dmp

Filesize
92KB

Download
memory/1244-88-0x00000000029A0000-0x00000000029B7000-memory.dmp

Filesize
92KB

Download
memory/1244-76-0x0000000037AD0000-0x0000000037AE0000-memory.dmp

Filesize
64KB

Download
memory/1484-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1484-75-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1484-71-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1484-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1484-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1484-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1484-58-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1484-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1484-55-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing