66936b5913eb4845510491c6bb3ee1b653d7b51ec024ea3c591a65916dd64656

General

Target

2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe
Size

278KB
MD5

b650be9b84ff38f06f217ad982b8660d
SHA1

20c4b3e5dbe971309c3ec966e4e671d8c56580c5
SHA256

586ee2c334dff3ada56930d7de90999634893495ba8acd524273b955303b23fd
SHA512

d132fa2fc0cbbd1f03e9c83c06aef54ea5700ba648f6fa7a04b3bc235a65758d0168e72428820115e546cd6a785281253adf340444db22f79b4cffea45f31371
SSDEEP

6144:9iaYUpwXV9RIKWn/TUVs8oL48N8lqFzc+tRJSht4K:DzXrN8UbtPShiK

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1972	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\uhbkhryw.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\uhbkhryw.exe\""	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1744	2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe
1744	2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1212	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1744	2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe
Token: SeDebugPrivilege	1212	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1212	Explorer.EXE
1212	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1212	Explorer.EXE
1212	Explorer.EXE

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 1972	1744	2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe	28
PID 1744 wrote to memory of 1972	1744	2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe	28
PID 1744 wrote to memory of 1972	1744	2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe	28
PID 1744 wrote to memory of 1972	1744	2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe	28
PID 1744 wrote to memory of 1212	1744	2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe	14
PID 1212 wrote to memory of 1128	1212	Explorer.EXE	16
PID 1212 wrote to memory of 1168	1212	Explorer.EXE	15
PID 1212 wrote to memory of 1972	1212	Explorer.EXE	28
PID 1212 wrote to memory of 680	1212	Explorer.EXE	29
PID 1212 wrote to memory of 680	1212	Explorer.EXE	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe
  "C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS4471~1.BAT"
    3⤵
    - Deletes itself
    PID:1972

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1939293537596589324-921098731-172747011413260344191876457680-1954737706-126982377"
1⤵
PID:680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms4471165.bat

Filesize
201B

MD5
1be8343c72c3eff2be27b15c9ff064d8

SHA1
6d973f59a2051d82eeb3fad0ce083def79bb280b

SHA256
17a3be29d1e99984ea91fed6cf3e3ef09dfb8f2fd4436c1ebcf4a246f01eb2d3

SHA512
9edfd7bbcbe77c165152b16993cfe208a73f94bef59453e77fc7cac554ebc8a1e4e9f97b4b1c13a91aa229367684bbc1da1884c75dad779289384a318a1325aa

Download Submit
memory/1128-67-0x0000000037250000-0x0000000037260000-memory.dmp

Filesize
64KB

Download
memory/1128-75-0x0000000001CC0000-0x0000000001CD7000-memory.dmp

Filesize
92KB

Download
memory/1168-74-0x0000000037250000-0x0000000037260000-memory.dmp

Filesize
64KB

Download
memory/1168-76-0x0000000000120000-0x0000000000137000-memory.dmp

Filesize
92KB

Download
memory/1212-61-0x0000000037250000-0x0000000037260000-memory.dmp

Filesize
64KB

Download
memory/1212-58-0x0000000002930000-0x0000000002947000-memory.dmp

Filesize
92KB

Download
memory/1212-77-0x0000000002930000-0x0000000002947000-memory.dmp

Filesize
92KB

Download
memory/1744-60-0x0000000000200000-0x000000000020E000-memory.dmp

Filesize
56KB

Download
memory/1744-63-0x00000000013C0000-0x000000000140C000-memory.dmp

Filesize
304KB

Download
memory/1744-54-0x0000000075F61000-0x0000000075F63000-memory.dmp

Filesize
8KB

Download
memory/1972-69-0x0000000000310000-0x0000000000324000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing