a6c8410cf362d1b7fc2907f7bd6f1db7a925f131314967739631b568a046968c

General

Target

2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe
Size

148KB
MD5

6d114c7a21aab94456d8e8d4aef88362
SHA1

1229f292c46ffa1bde2db69227c4e98c2e46ae3a
SHA256

0b577f76b08c5267eb5f2f8596127a28a6eaf5ff2089cff6be0b689f31850124
SHA512

828b656d5eeb4e225af9bc76fad68fd51f5bc6a867450f200e005782231cfd762ceef3d2341aa9e2dcfca9db656637dda71ee6b93083664a36e15f02a0342e03
SSDEEP

3072:5fSj3q4+o/mYSpVygq2xW+rQDuZz4AYOr8Hkv:xSusZSXRY+rBF4AYOr8

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1480	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\engtvbbi.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\engtvbbi.exe\""	Explorer.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 560 set thread context of 1868	560	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe	28

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
560	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe
560	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe
560	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe
1868	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe
1868	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1268	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1868	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe
Token: SeDebugPrivilege	1268	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1268	Explorer.EXE
1268	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1268	Explorer.EXE
1268	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
560	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe
560	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1268	Explorer.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 560 wrote to memory of 1868	560	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe	28
PID 560 wrote to memory of 1868	560	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe	28
PID 560 wrote to memory of 1868	560	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe	28
PID 560 wrote to memory of 1868	560	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe	28
PID 560 wrote to memory of 1868	560	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe	28
PID 560 wrote to memory of 1868	560	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe	28
PID 560 wrote to memory of 1868	560	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe	28
PID 560 wrote to memory of 1868	560	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe	28
PID 560 wrote to memory of 1868	560	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe	28
PID 560 wrote to memory of 1868	560	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe	28
PID 1868 wrote to memory of 1480	1868	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe	29
PID 1868 wrote to memory of 1480	1868	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe	29
PID 1868 wrote to memory of 1480	1868	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe	29
PID 1868 wrote to memory of 1480	1868	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe	29
PID 1868 wrote to memory of 1268	1868	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe	8
PID 1268 wrote to memory of 1120	1268	Explorer.EXE	10
PID 1268 wrote to memory of 1220	1268	Explorer.EXE	9
PID 1268 wrote to memory of 1480	1268	Explorer.EXE	29
PID 1268 wrote to memory of 1480	1268	Explorer.EXE	29
PID 1268 wrote to memory of 1292	1268	Explorer.EXE	30
PID 1268 wrote to memory of 1292	1268	Explorer.EXE	30

C:\Users\Admin\AppData\Local\Temp\2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe
"C:\Users\Admin\AppData\Local\Temp\2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:560
- C:\Users\Admin\AppData\Local\Temp\2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe
  C:\Users\Admin\AppData\Local\Temp\2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS2003~1.BAT"
    3⤵
    - Deletes itself
    PID:1480

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1220

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "14940505631944034461-119122327422666176-746627954-1186659599651802995481442006"
1⤵
PID:1292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms2003330.bat

Filesize
201B

MD5
31f1bad038236cdcb0de649f22b87aac

SHA1
438922311d652876658c9bda983f8976bc6f0f8a

SHA256
a3483616f687b358fe71c56fef0289bf3a57afc0cc007fed294092c3d32d3557

SHA512
179e3a255783be0f092be81905ff827d1ece88f26aa4a4cf338c00df7a8ed5b26bfbb8ee6dae2748c717de86d6d288d2ac820eb4743ed97fa46feeb0128d453d

Download Submit
memory/560-54-0x0000000075C11000-0x0000000075C13000-memory.dmp

Filesize
8KB

Download
memory/560-65-0x0000000000350000-0x0000000000354000-memory.dmp

Filesize
16KB

Download
memory/1120-79-0x00000000379A0000-0x00000000379B0000-memory.dmp

Filesize
64KB

Download
memory/1120-92-0x0000000000410000-0x0000000000427000-memory.dmp

Filesize
92KB

Download
memory/1220-83-0x00000000379A0000-0x00000000379B0000-memory.dmp

Filesize
64KB

Download
memory/1220-94-0x0000000000120000-0x0000000000137000-memory.dmp

Filesize
92KB

Download
memory/1268-72-0x0000000002A00000-0x0000000002A17000-memory.dmp

Filesize
92KB

Download
memory/1268-98-0x0000000002A00000-0x0000000002A17000-memory.dmp

Filesize
92KB

Download
memory/1268-93-0x0000000002A00000-0x0000000002A17000-memory.dmp

Filesize
92KB

Download
memory/1268-75-0x00000000379A0000-0x00000000379B0000-memory.dmp

Filesize
64KB

Download
memory/1292-95-0x0000000000080000-0x0000000000097000-memory.dmp

Filesize
92KB

Download
memory/1292-91-0x00000000379A0000-0x00000000379B0000-memory.dmp

Filesize
64KB

Download
memory/1292-90-0x00000000379A0000-0x00000000379B0000-memory.dmp

Filesize
64KB

Download
memory/1292-96-0x0000000000060000-0x0000000000077000-memory.dmp

Filesize
92KB

Download
memory/1480-81-0x0000000000140000-0x0000000000154000-memory.dmp

Filesize
80KB

Download
memory/1868-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1868-74-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1868-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1868-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1868-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1868-58-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1868-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1868-55-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing