829eb7c767810b5c873ea432903774873246c2676bf02356827ecb97a55844df

General

Target

2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe
Size

257KB
MD5

13ad6aabcc3fa5508629b1abdbc35c11
SHA1

66db64ad6421ca3dc7e6d3947af652227a7e92e2
SHA256

bbf30567b1c29bf5af5fe39487faf0a42b5ad6b2e8e66ed264e00defb08dbd6b
SHA512

88ef1f1689808a20eebb3345f9ab1972c076d981b03d3cf239847017e959907f9a4ed009817c71b269f93998646a2df32cdc84ff130b77d85bbf074051a38c4c
SSDEEP

6144:AIC9kGrTF4+DsFuetesc62acDUWvqNn0:AICtrW+0OscDU8qN0

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2044 cmd.exe

pid	process
2044	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\gtntglna.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\gtntglna.exe\""	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exeExplorer.EXE

pid	process
548	2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe
548	2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	548	2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe
Token: SeDebugPrivilege	1380	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1380 Explorer.EXE
1380 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1380 Explorer.EXE
1380 Explorer.EXE

pid	process
1380	Explorer.EXE
1380	Explorer.EXE

pid	process
1380	Explorer.EXE
1380	Explorer.EXE

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exeExplorer.EXE

description	pid	process	target process
PID 548 wrote to memory of 2044	548	2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe	cmd.exe
PID 548 wrote to memory of 2044	548	2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe	cmd.exe
PID 548 wrote to memory of 2044	548	2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe	cmd.exe
PID 548 wrote to memory of 2044	548	2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe	cmd.exe
PID 548 wrote to memory of 1380	548	2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe	Explorer.EXE
PID 1380 wrote to memory of 1224	1380	Explorer.EXE	taskhost.exe
PID 1380 wrote to memory of 1312	1380	Explorer.EXE	Dwm.exe
PID 1380 wrote to memory of 2044	1380	Explorer.EXE	cmd.exe
PID 1380 wrote to memory of 1988	1380	Explorer.EXE	conhost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1380

C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe
"C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:548

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\ms523388.bat"
3⤵
- Deletes itself
PID:2044

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1312

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1224

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18030029191689121224-53587856411056271022452121551826211983-759266678-360416788"
1⤵
PID:1988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms523388.bat

Filesize
201B

MD5
a50cefb0e916550abde40374b97fd3cd

SHA1
0cad8314542b30849a1d46f30bb1b04f38f3563c

SHA256
9229913e63175bba2b06d00667adac596bcb3befe09a69e0b0b0dc14100effdd

SHA512
a5c2f41d988886bafe7592cbbe7acaa6181894256e1b998f78ae91eb4c0adc4c74fd903d8b71c4a823997c341a31ecdfa15d901ac2ae51dc775fdd1df3546400

Download Submit
memory/548-60-0x0000000001260000-0x00000000012A3000-memory.dmp

Filesize
268KB

Download
memory/548-54-0x0000000076831000-0x0000000076833000-memory.dmp

Filesize
8KB

Download
memory/548-58-0x0000000000170000-0x000000000017D000-memory.dmp

Filesize
52KB

Download
memory/1224-66-0x0000000037CA0000-0x0000000037CB0000-memory.dmp

Filesize
64KB

Download
memory/1224-71-0x0000000001B40000-0x0000000001B57000-memory.dmp

Filesize
92KB

Download
memory/1312-70-0x0000000037CA0000-0x0000000037CB0000-memory.dmp

Filesize
64KB

Download
memory/1312-72-0x0000000001BB0000-0x0000000001BC7000-memory.dmp

Filesize
92KB

Download
memory/1380-59-0x0000000037CA0000-0x0000000037CB0000-memory.dmp

Filesize
64KB

Download
memory/1380-56-0x0000000002250000-0x0000000002267000-memory.dmp

Filesize
92KB

Download
memory/1380-73-0x0000000002250000-0x0000000002267000-memory.dmp

Filesize
92KB

Download
memory/2044-55-0x0000000000000000-mapping.dmp

Download
memory/2044-67-0x0000000000140000-0x0000000000154000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads