b9ed671152085ba283e466409f8d37f01ed6d336d0404c83ecc1114bc4cb1aa6

General

Target

rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
Size

176KB
MD5

26599a5d851894bac450a5529f779960
SHA1

86ad307147dcc84a84433c6728444f8f36e7a1e8
SHA256

5375bce7f7d28f834652064ba8c6f41864f3e1fef385aa093a14cf00165976de
SHA512

87a354060184dc12c9ee156e863cf62ebb95bb3557c75851c987cf3889f7445ccf2e1c9b93ceb6a1bc74ae5fcf03d60b3a8b93cf112f1586a5a033b1a4b6199b
SSDEEP

3072:K1tv0jMkCL5x8KxMFS/71d0u6O6DZxwWpPcrKxCtxQ/LgM8rPp0j0:KTCEXz/7D0u6RlxRPk8P8r+I

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1928 cmd.exe

pid	process
1928	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\uhbkhryw.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\uhbkhryw.exe\""	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exeExplorer.EXE

pid	process
1340	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
1340	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
1252	Explorer.EXE
1252	Explorer.EXE
1252	Explorer.EXE
1252	Explorer.EXE
1252	Explorer.EXE
1252	Explorer.EXE
1252	Explorer.EXE
1252	Explorer.EXE
1252	Explorer.EXE
1252	Explorer.EXE
1252	Explorer.EXE
1252	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exeExplorer.EXE

pid process

1340 rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
1252 Explorer.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1340	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
Token: SeDebugPrivilege	1252	Explorer.EXE
Token: SeShutdownPrivilege	1252	Explorer.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exeExplorer.EXE

description	pid	process	target process
PID 1340 wrote to memory of 1928	1340	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	cmd.exe
PID 1340 wrote to memory of 1928	1340	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	cmd.exe
PID 1340 wrote to memory of 1928	1340	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	cmd.exe
PID 1340 wrote to memory of 1928	1340	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	cmd.exe
PID 1340 wrote to memory of 1252	1340	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	Explorer.EXE
PID 1252 wrote to memory of 1132	1252	Explorer.EXE	taskhost.exe
PID 1252 wrote to memory of 1196	1252	Explorer.EXE	Dwm.exe
PID 1252 wrote to memory of 1196	1252	Explorer.EXE	Dwm.exe
PID 1252 wrote to memory of 1340	1252	Explorer.EXE	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
PID 1252 wrote to memory of 1928	1252	Explorer.EXE	cmd.exe
PID 1252 wrote to memory of 572	1252	Explorer.EXE	conhost.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1132

C:\Users\Admin\AppData\Local\Temp\rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
"C:\Users\Admin\AppData\Local\Temp\rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS2925~1.BAT"
2⤵
- Deletes itself
PID:1928

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1196

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1508999312-1455282543-1881155359-19061942572067650160-92758748816470456691106760199"
1⤵
PID:572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms2925246.bat

Filesize
201B

MD5
3142e73f59dbe917a3a007564dab977e

SHA1
d2f6dcbd8f5deadd899e6fa8f1c4a98d30019bd2

SHA256
c45ebc6a706c589d677fe5416c44facbca0559a38c4239b40367904ada55f70c

SHA512
092f399c48bfbad1dbff100e0fcd93504f645d0c533f62360cc17f63d79b0dbfc00da015c8bcf38ebe78413671c417c0f23ab2f61b44981f54eb93b04846bd05

Download Submit
memory/572-74-0x0000000037930000-0x0000000037940000-memory.dmp

Filesize
64KB

Download
memory/572-83-0x0000000000090000-0x00000000000A7000-memory.dmp

Filesize
92KB

Download
memory/1132-80-0x0000000000490000-0x00000000004A7000-memory.dmp

Filesize
92KB

Download
memory/1132-72-0x0000000037930000-0x0000000037940000-memory.dmp

Filesize
64KB

Download
memory/1196-78-0x0000000037930000-0x0000000037940000-memory.dmp

Filesize
64KB

Download
memory/1196-81-0x0000000001BC0000-0x0000000001BD7000-memory.dmp

Filesize
92KB

Download
memory/1196-84-0x0000000001BA0000-0x0000000001BB7000-memory.dmp

Filesize
92KB

Download
memory/1196-75-0x0000000037930000-0x0000000037940000-memory.dmp

Filesize
64KB

Download
memory/1252-79-0x0000000002A60000-0x0000000002A77000-memory.dmp

Filesize
92KB

Download
memory/1252-58-0x0000000037930000-0x0000000037940000-memory.dmp

Filesize
64KB

Download
memory/1252-56-0x0000000002A60000-0x0000000002A77000-memory.dmp

Filesize
92KB

Download
memory/1340-54-0x0000000076191000-0x0000000076193000-memory.dmp

Filesize
8KB

Download
memory/1340-66-0x0000000000270000-0x0000000000284000-memory.dmp

Filesize
80KB

Download
memory/1340-76-0x0000000000180000-0x000000000018D000-memory.dmp

Filesize
52KB

Download
memory/1340-77-0x0000000000210000-0x0000000000244000-memory.dmp

Filesize
208KB

Download
memory/1928-55-0x0000000000000000-mapping.dmp

Download
memory/1928-73-0x0000000037AE0000-0x0000000037AF0000-memory.dmp

Filesize
64KB

Download
memory/1928-82-0x0000000000130000-0x0000000000144000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads