Analysis
-
max time kernel
176s -
max time network
160s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
24-11-2022 10:03
Static task
static1
Behavioral task
behavioral1
Sample
2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe
Resource
win10v2004-20220812-en
General
-
Target
2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe
-
Size
254KB
-
MD5
825afbdeee126eeebae9200dd497b6fd
-
SHA1
59e6e30d6c386e71d54aa8f7ee53228bce17f4ea
-
SHA256
69e685713b90b3dd56876565c92dd47ab247cd20326b6dbc1e5792e0f1544914
-
SHA512
f96711b02d23d5b790eac2444de976a6e931446862c21f1f9498e79ccd021e7528772f5c551510198159e915380af7c2b23e3dfb78c69e7067d47705265c4e03
-
SSDEEP
6144:v86CSUrscKPe+V/3fdrQ57f+urD/CIfSDte:v8tvscA5Jfdyr3/CIGs
Malware Config
Signatures
-
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1744 cmd.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Explorer.EXEdescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\gtntglna.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\gtntglna.exe\"" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run Explorer.EXE -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exeExplorer.EXEpid process 1888 2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe 1888 2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe 1372 Explorer.EXE 1372 Explorer.EXE 1372 Explorer.EXE 1372 Explorer.EXE 1372 Explorer.EXE 1372 Explorer.EXE -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exeExplorer.EXEdescription pid process Token: SeDebugPrivilege 1888 2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe Token: SeDebugPrivilege 1372 Explorer.EXE Token: SeShutdownPrivilege 1372 Explorer.EXE -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
Explorer.EXEpid process 1372 Explorer.EXE 1372 Explorer.EXE -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
Explorer.EXEpid process 1372 Explorer.EXE 1372 Explorer.EXE -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exeExplorer.EXEdescription pid process target process PID 1888 wrote to memory of 1744 1888 2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe cmd.exe PID 1888 wrote to memory of 1744 1888 2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe cmd.exe PID 1888 wrote to memory of 1744 1888 2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe cmd.exe PID 1888 wrote to memory of 1744 1888 2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe cmd.exe PID 1888 wrote to memory of 1372 1888 2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe Explorer.EXE PID 1372 wrote to memory of 1248 1372 Explorer.EXE taskhost.exe PID 1372 wrote to memory of 1248 1372 Explorer.EXE taskhost.exe PID 1372 wrote to memory of 1316 1372 Explorer.EXE Dwm.exe PID 1372 wrote to memory of 1316 1372 Explorer.EXE Dwm.exe PID 1372 wrote to memory of 1744 1372 Explorer.EXE cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe"C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS7994~1.BAT"2⤵
- Deletes itself
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\ms7994488.batFilesize
201B
MD54eb16d94e78f5b51b9ae890d51771c33
SHA1ef38462252e1ae9474af816c4ddff7d19e4a7117
SHA25634598f4fd127864cce395fe46f45da1b176445b56c25596904227f5aee821e3b
SHA512b31c9fa9e8755577698681356785f6e4a040ad8eb573d25da38c3f25dfc3d3b6b4b00db88e1c259189083589c212ca0c421a69982f1193c9c54210711b6e9b1d
-
memory/1248-75-0x0000000001BF0000-0x0000000001C07000-memory.dmpFilesize
92KB
-
memory/1248-69-0x00000000370F0000-0x0000000037100000-memory.dmpFilesize
64KB
-
memory/1248-76-0x0000000001B40000-0x0000000001B57000-memory.dmpFilesize
92KB
-
memory/1248-72-0x00000000370F0000-0x0000000037100000-memory.dmpFilesize
64KB
-
memory/1316-78-0x0000000000250000-0x0000000000267000-memory.dmpFilesize
92KB
-
memory/1316-79-0x0000000000230000-0x0000000000247000-memory.dmpFilesize
92KB
-
memory/1316-73-0x00000000370F0000-0x0000000037100000-memory.dmpFilesize
64KB
-
memory/1316-74-0x00000000370F0000-0x0000000037100000-memory.dmpFilesize
64KB
-
memory/1372-56-0x0000000002210000-0x0000000002227000-memory.dmpFilesize
92KB
-
memory/1372-77-0x0000000002210000-0x0000000002227000-memory.dmpFilesize
92KB
-
memory/1372-60-0x00000000370F0000-0x0000000037100000-memory.dmpFilesize
64KB
-
memory/1744-71-0x0000000000130000-0x0000000000144000-memory.dmpFilesize
80KB
-
memory/1744-55-0x0000000000000000-mapping.dmp
-
memory/1888-54-0x0000000075811000-0x0000000075813000-memory.dmpFilesize
8KB
-
memory/1888-59-0x0000000001090000-0x00000000010D2000-memory.dmpFilesize
264KB
-
memory/1888-58-0x0000000000130000-0x000000000013D000-memory.dmpFilesize
52KB