e8a140df0524e3974f2da8805e882b52722c667b96d9b8b856471bdfd4e69354

General

Target

2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe
Size

283KB
MD5

a168f69f6e79f6830b1c3f0ac54d68e6
SHA1

1cfbae35bf5e26762432e3bdae57193c92b898af
SHA256

a4b10ed2faa80a978480458dc4f95543ebad4a497d2b441346c7b44adee51e78
SHA512

1a557575ff7ff6e67edb58c6acd28bc2bacf4dbc985ead70d935d0e0a6d0e36635fc252dcd51d61ef022f84370eee53ee5e66aa1d2370074a24e97578f799773
SSDEEP

6144:MHT0BiwUyoqwx658IIIOf1G4ELtrWWiz0Lm1+V+XjMSBaf/9:MH+z8Byb+Xvw

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1148	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\usrbdvpp.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\usrbdvpp.exe\""	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1456	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe
1456	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1348	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1456	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe
Token: SeDebugPrivilege	1348	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1348	Explorer.EXE
1348	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1348	Explorer.EXE
1348	Explorer.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 1148	1456	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe	27
PID 1456 wrote to memory of 1148	1456	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe	27
PID 1456 wrote to memory of 1148	1456	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe	27
PID 1456 wrote to memory of 1148	1456	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe	27
PID 1456 wrote to memory of 1348	1456	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe	15
PID 1348 wrote to memory of 1200	1348	Explorer.EXE	17
PID 1348 wrote to memory of 1308	1348	Explorer.EXE	16
PID 1348 wrote to memory of 1148	1348	Explorer.EXE	27
PID 1348 wrote to memory of 1148	1348	Explorer.EXE	27

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Users\Admin\AppData\Local\Temp\2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS6374~1.BAT"
    3⤵
    - Deletes itself
    PID:1148

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1308

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms6374069.bat

Filesize
201B

MD5
889ed06ab2691e3eb0cd6439f14730c9

SHA1
3ccc56555e327d29d637aa55692586e061b1b48c

SHA256
4c803fc15cc4ef8dfc9f20d0cb93fa07afbf1becf56751a11955cd20d70ca851

SHA512
7417a8ba275b8de74e8322fe793c5acbbe678672caea8b080c4554304ec1ea2a3ee14fc27ac9cf4ae5c768b8922de1d774eddc57f57ef796b745c225c88d2e4d

Download Submit
memory/1148-67-0x00000000000F0000-0x0000000000104000-memory.dmp

Filesize
80KB

Download
memory/1200-69-0x0000000000560000-0x0000000000577000-memory.dmp

Filesize
92KB

Download
memory/1200-68-0x0000000036F30000-0x0000000036F40000-memory.dmp

Filesize
64KB

Download
memory/1308-77-0x00000000001A0000-0x00000000001B7000-memory.dmp

Filesize
92KB

Download
memory/1308-70-0x0000000036F30000-0x0000000036F40000-memory.dmp

Filesize
64KB

Download
memory/1308-72-0x00000000001A0000-0x00000000001B7000-memory.dmp

Filesize
92KB

Download
memory/1348-74-0x0000000002620000-0x0000000002637000-memory.dmp

Filesize
92KB

Download
memory/1348-58-0x0000000002620000-0x0000000002637000-memory.dmp

Filesize
92KB

Download
memory/1348-62-0x0000000036F30000-0x0000000036F40000-memory.dmp

Filesize
64KB

Download
memory/1348-78-0x0000000002620000-0x0000000002637000-memory.dmp

Filesize
92KB

Download
memory/1348-79-0x000007FEF6230000-0x000007FEF6373000-memory.dmp

Filesize
1.3MB

Download
memory/1348-80-0x000007FEF8E00000-0x000007FEF8E0A000-memory.dmp

Filesize
40KB

Download
memory/1456-61-0x0000000000AD0000-0x0000000000B1A000-memory.dmp

Filesize
296KB

Download
memory/1456-60-0x0000000000130000-0x000000000013E000-memory.dmp

Filesize
56KB

Download
memory/1456-54-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing