c123c828c1f21f21bcee0734daa385bdc1ece0da451feb84e082017f3c9f5a9f

General

Target

2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe
Size

148KB
MD5

719d4b8a24a98b938d0c393228e413f2
SHA1

9f55cdc8223b1ada8c7fdf678f605345442ce240
SHA256

29e65cd43000e27bb73556fce0dcbc2ec9a42a68dad623c251dc84a846651040
SHA512

e729442bc973b846cb07511c0654d65a425cc576f7a1847dc7800ac45fcaefaa0005327a779a7712017610130f47f4fbdf14f5b53ee812cfa725e09dca3d8d78
SSDEEP

3072:oykEWzxnWWEe+SuF1FZ01bzWQPg0qRfN2HOdUnylZ5MWz2M:drWzNWWEl1iiXpRfWOanyz5Rn

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
516	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\loibgjiv.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\loibgjiv.exe\""	Explorer.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2040 set thread context of 2012	2040	2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe	28

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2040	2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe
2012	2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe
2012	2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1208	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2012	2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe
Token: SeDebugPrivilege	1208	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1208	Explorer.EXE
1208	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1208	Explorer.EXE
1208	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2040	2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe
2040	2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1208	Explorer.EXE

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2012	2040	2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe	28
PID 2040 wrote to memory of 2012	2040	2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe	28
PID 2040 wrote to memory of 2012	2040	2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe	28
PID 2040 wrote to memory of 2012	2040	2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe	28
PID 2040 wrote to memory of 2012	2040	2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe	28
PID 2040 wrote to memory of 2012	2040	2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe	28
PID 2040 wrote to memory of 2012	2040	2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe	28
PID 2040 wrote to memory of 2012	2040	2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe	28
PID 2040 wrote to memory of 2012	2040	2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe	28
PID 2040 wrote to memory of 2012	2040	2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe	28
PID 2012 wrote to memory of 516	2012	2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe	29
PID 2012 wrote to memory of 516	2012	2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe	29
PID 2012 wrote to memory of 516	2012	2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe	29
PID 2012 wrote to memory of 516	2012	2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe	29
PID 2012 wrote to memory of 1208	2012	2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe	16
PID 1208 wrote to memory of 1104	1208	Explorer.EXE	13
PID 1208 wrote to memory of 1176	1208	Explorer.EXE	17
PID 1208 wrote to memory of 1176	1208	Explorer.EXE	17
PID 1208 wrote to memory of 2012	1208	Explorer.EXE	28
PID 1208 wrote to memory of 516	1208	Explorer.EXE	29
PID 1208 wrote to memory of 516	1208	Explorer.EXE	29
PID 1208 wrote to memory of 580	1208	Explorer.EXE	30
PID 1208 wrote to memory of 580	1208	Explorer.EXE	30

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1104

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe
  "C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe
    C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2012
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS2476~1.BAT"
      4⤵
      Deletes itself
      PID:516

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "80219091721324126191014617661-1393502755-569819691-1119349333-1946713492-1349014926"
1⤵
PID:580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms2476501.bat

Filesize
201B

MD5
89e657c512fbc5aa47308b1bcc3ad2e8

SHA1
f87f4e9a8dd1d615aba678a5af2ad39764148356

SHA256
e7290d4108cf67eabd8188c4932a906372952ab71af91dd0d492ed9c6f5d9f67

SHA512
568ec87e014cc664110ba309e54f422d0af89e66256ed98b00bbfd18157f9a3e76411a8e7e6f78f7bf50273afe5f38d98d974a05fdbdcec8b6e14a12988d0f92

Download Submit
memory/580-97-0x0000000000390000-0x00000000003A7000-memory.dmp

Filesize
92KB

Download
memory/1104-98-0x0000000001C40000-0x0000000001C57000-memory.dmp

Filesize
92KB

Download
memory/1104-93-0x0000000037A90000-0x0000000037AA0000-memory.dmp

Filesize
64KB

Download
memory/1176-101-0x00000000001A0000-0x00000000001B7000-memory.dmp

Filesize
92KB

Download
memory/1176-100-0x0000000001B00000-0x0000000001B17000-memory.dmp

Filesize
92KB

Download
memory/1176-96-0x0000000037A90000-0x0000000037AA0000-memory.dmp

Filesize
64KB

Download
memory/1176-94-0x0000000037A90000-0x0000000037AA0000-memory.dmp

Filesize
64KB

Download
memory/1208-73-0x0000000002A60000-0x0000000002A77000-memory.dmp

Filesize
92KB

Download
memory/1208-75-0x0000000037A90000-0x0000000037AA0000-memory.dmp

Filesize
64KB

Download
memory/1208-99-0x0000000002A60000-0x0000000002A77000-memory.dmp

Filesize
92KB

Download
memory/2012-64-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2012-76-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2012-83-0x0000000000260000-0x0000000000274000-memory.dmp

Filesize
80KB

Download
memory/2012-68-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2012-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2012-61-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2012-59-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2012-57-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2012-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2040-54-0x0000000000320000-0x00000000003CC000-memory.dmp

Filesize
688KB

Download
memory/2040-66-0x00000000003D0000-0x00000000003D4000-memory.dmp

Filesize
16KB

Download
memory/2040-55-0x00000000760D1000-0x00000000760D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing