127a71b138122cfe8acd45eb8d123c7e8d2254619545491982822e9024ee609c

General

Target

2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe
Size

284KB
MD5

f5afa81b3f2846f6d052e3008fd4014c
SHA1

6d1b424d218965e291d5c4f38003630b41d1866a
SHA256

4297b97b54b2e293a3c5611a57ccafdb5348bc5c9e09397033102fef28823fe4
SHA512

1ae2aec94aaab35f02f99ebb6e20c5f9cbdae476e7becb97dc5900244dd2d119f6d1578c877676056fcfde22640acac6c910bb4322bf1fd0587db60143d39361
SSDEEP

6144:e0nTT0BiwUyoqwx658IIIOf1G4ELtrWWiz0Lm1+V+XjMSBaf/9:pnT+z8Byb+Xvw

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

364 cmd.exe

pid	process
364	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\uhbkhryw.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\uhbkhryw.exe\""	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exeExplorer.EXE

pid	process
1468	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe
1468	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1232 Explorer.EXE

pid	process
1232	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1468	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe
Token: SeDebugPrivilege	1232	Explorer.EXE
Token: SeShutdownPrivilege	1232	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1232 Explorer.EXE
1232 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1232 Explorer.EXE
1232 Explorer.EXE

pid	process
1232	Explorer.EXE
1232	Explorer.EXE

pid	process
1232	Explorer.EXE
1232	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exeExplorer.EXE

description	pid	process	target process
PID 1468 wrote to memory of 364	1468	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe	cmd.exe
PID 1468 wrote to memory of 364	1468	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe	cmd.exe
PID 1468 wrote to memory of 364	1468	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe	cmd.exe
PID 1468 wrote to memory of 364	1468	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe	cmd.exe
PID 1468 wrote to memory of 1232	1468	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe	Explorer.EXE
PID 1232 wrote to memory of 1124	1232	Explorer.EXE	taskhost.exe
PID 1232 wrote to memory of 1124	1232	Explorer.EXE	taskhost.exe
PID 1232 wrote to memory of 1172	1232	Explorer.EXE	Dwm.exe
PID 1232 wrote to memory of 1172	1232	Explorer.EXE	Dwm.exe
PID 1232 wrote to memory of 1468	1232	Explorer.EXE	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe
PID 1232 wrote to memory of 364	1232	Explorer.EXE	cmd.exe
PID 1232 wrote to memory of 1400	1232	Explorer.EXE	conhost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1232

C:\Users\Admin\AppData\Local\Temp\2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS2003~1.BAT"
3⤵
- Deletes itself
PID:364

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-222919920-996351621-1275689780-19780765391532568160-11776637041275694713-790337471"
1⤵
PID:1400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms2003330.bat

Filesize
201B

MD5
31f1bad038236cdcb0de649f22b87aac

SHA1
438922311d652876658c9bda983f8976bc6f0f8a

SHA256
a3483616f687b358fe71c56fef0289bf3a57afc0cc007fed294092c3d32d3557

SHA512
179e3a255783be0f092be81905ff827d1ece88f26aa4a4cf338c00df7a8ed5b26bfbb8ee6dae2748c717de86d6d288d2ac820eb4743ed97fa46feeb0128d453d

Download Submit
memory/364-55-0x0000000000000000-mapping.dmp

Download
memory/364-83-0x0000000037DF0000-0x0000000037E00000-memory.dmp

Filesize
64KB

Download
memory/364-85-0x0000000000180000-0x0000000000194000-memory.dmp

Filesize
80KB

Download
memory/1124-78-0x0000000001DC0000-0x0000000001DD7000-memory.dmp

Filesize
92KB

Download
memory/1124-64-0x0000000037C40000-0x0000000037C50000-memory.dmp

Filesize
64KB

Download
memory/1124-67-0x0000000037C40000-0x0000000037C50000-memory.dmp

Filesize
64KB

Download
memory/1124-75-0x0000000001E60000-0x0000000001E77000-memory.dmp

Filesize
92KB

Download
memory/1172-88-0x00000000002A0000-0x00000000002B7000-memory.dmp

Filesize
92KB

Download
memory/1172-77-0x0000000037C40000-0x0000000037C50000-memory.dmp

Filesize
64KB

Download
memory/1172-80-0x0000000037C40000-0x0000000037C50000-memory.dmp

Filesize
64KB

Download
memory/1172-87-0x00000000002C0000-0x00000000002D7000-memory.dmp

Filesize
92KB

Download
memory/1232-90-0x000007FEE32C0000-0x000007FEE32CA000-memory.dmp

Filesize
40KB

Download
memory/1232-89-0x000007FEF6800000-0x000007FEF6943000-memory.dmp

Filesize
1.3MB

Download
memory/1232-73-0x0000000002A30000-0x0000000002A47000-memory.dmp

Filesize
92KB

Download
memory/1232-58-0x0000000037C40000-0x0000000037C50000-memory.dmp

Filesize
64KB

Download
memory/1232-56-0x0000000002A30000-0x0000000002A47000-memory.dmp

Filesize
92KB

Download
memory/1400-84-0x0000000037C40000-0x0000000037C50000-memory.dmp

Filesize
64KB

Download
memory/1400-86-0x0000000000060000-0x0000000000077000-memory.dmp

Filesize
92KB

Download
memory/1468-54-0x00000000760B1000-0x00000000760B3000-memory.dmp

Filesize
8KB

Download
memory/1468-72-0x0000000000300000-0x0000000000314000-memory.dmp

Filesize
80KB

Download
memory/1468-71-0x0000000001280000-0x00000000012CA000-memory.dmp

Filesize
296KB

Download
memory/1468-69-0x00000000000D0000-0x00000000000DE000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads