937ba8c629a5ad48e3a6929fc1203970ddb89499ab160a5f31a1483952f9ee6e

General

Target

rechnung_11_2014_vodafone_team_00200034994_00003999300067_11_0000002738.exe
Size

148KB
MD5

85361cc6dd212579eb0c5974a7ab0faf
SHA1

8a9d5e8cd1f75b48b4113955b55849bc10a9eb14
SHA256

b673c683d1ae36a0c6401adda9d23e05468fe2a5067ad4d785b39c0aed4f125e
SHA512

593af436b85f2a2540b143c79a93211e499bec7de583cbdfa46fd5f432fa52c1f0ed99dc18e6eb654622bedeb1a0b3decb77b3ad09f46bc9c687117dec0dae3a
SSDEEP

1536:+fr+0Z9MV6eBqDDo2d7M6RO5UrU5mOLiWJ1L6RtJvfyGYkk/8H8LnSH0yxWuf:VYLeS08nc5UrUPLiWJKJf548HkSUyMuf

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2032	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\gtntglna.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\gtntglna.exe\""	Explorer.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1676 set thread context of 1952	1676	rechnung_11_2014_vodafone_team_00200034994_00003999300067_11_0000002738.exe	28

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1676	rechnung_11_2014_vodafone_team_00200034994_00003999300067_11_0000002738.exe
1676	rechnung_11_2014_vodafone_team_00200034994_00003999300067_11_0000002738.exe
1676	rechnung_11_2014_vodafone_team_00200034994_00003999300067_11_0000002738.exe
1952	rechnung_11_2014_vodafone_team_00200034994_00003999300067_11_0000002738.exe
1952	rechnung_11_2014_vodafone_team_00200034994_00003999300067_11_0000002738.exe
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1952	rechnung_11_2014_vodafone_team_00200034994_00003999300067_11_0000002738.exe
Token: SeDebugPrivilege	1212	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1212	Explorer.EXE
1212	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1212	Explorer.EXE
1212	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1676	rechnung_11_2014_vodafone_team_00200034994_00003999300067_11_0000002738.exe
1676	rechnung_11_2014_vodafone_team_00200034994_00003999300067_11_0000002738.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1212	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 1952	1676	rechnung_11_2014_vodafone_team_00200034994_00003999300067_11_0000002738.exe	28
PID 1676 wrote to memory of 1952	1676	rechnung_11_2014_vodafone_team_00200034994_00003999300067_11_0000002738.exe	28
PID 1676 wrote to memory of 1952	1676	rechnung_11_2014_vodafone_team_00200034994_00003999300067_11_0000002738.exe	28
PID 1676 wrote to memory of 1952	1676	rechnung_11_2014_vodafone_team_00200034994_00003999300067_11_0000002738.exe	28
PID 1676 wrote to memory of 1952	1676	rechnung_11_2014_vodafone_team_00200034994_00003999300067_11_0000002738.exe	28
PID 1676 wrote to memory of 1952	1676	rechnung_11_2014_vodafone_team_00200034994_00003999300067_11_0000002738.exe	28
PID 1676 wrote to memory of 1952	1676	rechnung_11_2014_vodafone_team_00200034994_00003999300067_11_0000002738.exe	28
PID 1676 wrote to memory of 1952	1676	rechnung_11_2014_vodafone_team_00200034994_00003999300067_11_0000002738.exe	28
PID 1676 wrote to memory of 1952	1676	rechnung_11_2014_vodafone_team_00200034994_00003999300067_11_0000002738.exe	28
PID 1676 wrote to memory of 1952	1676	rechnung_11_2014_vodafone_team_00200034994_00003999300067_11_0000002738.exe	28
PID 1952 wrote to memory of 2032	1952	rechnung_11_2014_vodafone_team_00200034994_00003999300067_11_0000002738.exe	29
PID 1952 wrote to memory of 2032	1952	rechnung_11_2014_vodafone_team_00200034994_00003999300067_11_0000002738.exe	29
PID 1952 wrote to memory of 2032	1952	rechnung_11_2014_vodafone_team_00200034994_00003999300067_11_0000002738.exe	29
PID 1952 wrote to memory of 2032	1952	rechnung_11_2014_vodafone_team_00200034994_00003999300067_11_0000002738.exe	29
PID 1952 wrote to memory of 1212	1952	rechnung_11_2014_vodafone_team_00200034994_00003999300067_11_0000002738.exe	15
PID 1212 wrote to memory of 1100	1212	Explorer.EXE	18
PID 1212 wrote to memory of 1100	1212	Explorer.EXE	18
PID 1212 wrote to memory of 1184	1212	Explorer.EXE	17

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\AppData\Local\Temp\rechnung_11_2014_vodafone_team_00200034994_00003999300067_11_0000002738.exe
  "C:\Users\Admin\AppData\Local\Temp\rechnung_11_2014_vodafone_team_00200034994_00003999300067_11_0000002738.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Users\Admin\AppData\Local\Temp\rechnung_11_2014_vodafone_team_00200034994_00003999300067_11_0000002738.exe
    C:\Users\Admin\AppData\Local\Temp\rechnung_11_2014_vodafone_team_00200034994_00003999300067_11_0000002738.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1952
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS6374~1.BAT"
      4⤵
      Deletes itself
      PID:2032

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1184

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms6374069.bat

Filesize
201B

MD5
291fe7b0640bd8d8e88061c573eb59b6

SHA1
7c90b39691619025f5b39d4f95360b3274997a09

SHA256
09e825373c935227158bd9007e8526f8229c8d623178d862c6718dbf3600601d

SHA512
db7820a88f4745ed327cecfe19e3b9759ece10c67428f6ac01196df1ea1b8bfbab1f6188fe1586e0ebd9ab20a046bf68cb04d85cf16d72e084bc3ea112b64885

Download Submit
memory/1100-84-0x00000000378C0000-0x00000000378D0000-memory.dmp

Filesize
64KB

Download
memory/1100-88-0x0000000000160000-0x0000000000177000-memory.dmp

Filesize
92KB

Download
memory/1100-87-0x0000000000200000-0x0000000000217000-memory.dmp

Filesize
92KB

Download
memory/1100-83-0x00000000378C0000-0x00000000378D0000-memory.dmp

Filesize
64KB

Download
memory/1184-89-0x0000000000120000-0x0000000000137000-memory.dmp

Filesize
92KB

Download
memory/1184-85-0x00000000378C0000-0x00000000378D0000-memory.dmp

Filesize
64KB

Download
memory/1212-86-0x0000000002150000-0x0000000002167000-memory.dmp

Filesize
92KB

Download
memory/1212-90-0x0000000002150000-0x0000000002167000-memory.dmp

Filesize
92KB

Download
memory/1212-75-0x00000000378C0000-0x00000000378D0000-memory.dmp

Filesize
64KB

Download
memory/1212-73-0x0000000002150000-0x0000000002167000-memory.dmp

Filesize
92KB

Download
memory/1676-54-0x0000000075E31000-0x0000000075E33000-memory.dmp

Filesize
8KB

Download
memory/1676-65-0x0000000000280000-0x0000000000284000-memory.dmp

Filesize
16KB

Download
memory/1952-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1952-71-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1952-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1952-64-0x00000000004010C0-mapping.dmp

Download
memory/1952-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1952-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1952-58-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1952-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1952-55-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2032-72-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing