cba6eb0ffdb2077738d9d406e65188b825dce19e22066de2e6a2d3bb4f13c673

General

Target

2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe
Size

254KB
MD5

825afbdeee126eeebae9200dd497b6fd
SHA1

59e6e30d6c386e71d54aa8f7ee53228bce17f4ea
SHA256

69e685713b90b3dd56876565c92dd47ab247cd20326b6dbc1e5792e0f1544914
SHA512

f96711b02d23d5b790eac2444de976a6e931446862c21f1f9498e79ccd021e7528772f5c551510198159e915380af7c2b23e3dfb78c69e7067d47705265c4e03
SSDEEP

6144:v86CSUrscKPe+V/3fdrQ57f+urD/CIfSDte:v8tvscA5Jfdyr3/CIGs

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1744 cmd.exe

pid	process
1744	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\gtntglna.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\gtntglna.exe\""	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exeExplorer.EXE

pid	process
1888	2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe
1888	2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE
1372	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1888	2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe
Token: SeDebugPrivilege	1372	Explorer.EXE
Token: SeShutdownPrivilege	1372	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1372 Explorer.EXE
1372 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1372 Explorer.EXE
1372 Explorer.EXE

pid	process
1372	Explorer.EXE
1372	Explorer.EXE

pid	process
1372	Explorer.EXE
1372	Explorer.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exeExplorer.EXE

description	pid	process	target process
PID 1888 wrote to memory of 1744	1888	2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe	cmd.exe
PID 1888 wrote to memory of 1744	1888	2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe	cmd.exe
PID 1888 wrote to memory of 1744	1888	2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe	cmd.exe
PID 1888 wrote to memory of 1744	1888	2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe	cmd.exe
PID 1888 wrote to memory of 1372	1888	2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe	Explorer.EXE
PID 1372 wrote to memory of 1248	1372	Explorer.EXE	taskhost.exe
PID 1372 wrote to memory of 1248	1372	Explorer.EXE	taskhost.exe
PID 1372 wrote to memory of 1316	1372	Explorer.EXE	Dwm.exe
PID 1372 wrote to memory of 1316	1372	Explorer.EXE	Dwm.exe
PID 1372 wrote to memory of 1744	1372	Explorer.EXE	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe
"C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS7994~1.BAT"
2⤵
- Deletes itself
PID:1744

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1372

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1316

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1248

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms7994488.bat
Filesize
201B

MD5
4eb16d94e78f5b51b9ae890d51771c33

SHA1
ef38462252e1ae9474af816c4ddff7d19e4a7117

SHA256
34598f4fd127864cce395fe46f45da1b176445b56c25596904227f5aee821e3b

SHA512
b31c9fa9e8755577698681356785f6e4a040ad8eb573d25da38c3f25dfc3d3b6b4b00db88e1c259189083589c212ca0c421a69982f1193c9c54210711b6e9b1d

Download Submit
memory/1248-75-0x0000000001BF0000-0x0000000001C07000-memory.dmp

Filesize
92KB

Download
memory/1248-69-0x00000000370F0000-0x0000000037100000-memory.dmp

Filesize
64KB

Download
memory/1248-76-0x0000000001B40000-0x0000000001B57000-memory.dmp

Filesize
92KB

Download
memory/1248-72-0x00000000370F0000-0x0000000037100000-memory.dmp

Filesize
64KB

Download
memory/1316-78-0x0000000000250000-0x0000000000267000-memory.dmp

Filesize
92KB

Download
memory/1316-79-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/1316-73-0x00000000370F0000-0x0000000037100000-memory.dmp

Filesize
64KB

Download
memory/1316-74-0x00000000370F0000-0x0000000037100000-memory.dmp

Filesize
64KB

Download
memory/1372-56-0x0000000002210000-0x0000000002227000-memory.dmp

Filesize
92KB

Download
memory/1372-77-0x0000000002210000-0x0000000002227000-memory.dmp

Filesize
92KB

Download
memory/1372-60-0x00000000370F0000-0x0000000037100000-memory.dmp

Filesize
64KB

Download
memory/1744-71-0x0000000000130000-0x0000000000144000-memory.dmp

Filesize
80KB

Download
memory/1744-55-0x0000000000000000-mapping.dmp

Download
memory/1888-54-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download
memory/1888-59-0x0000000001090000-0x00000000010D2000-memory.dmp

Filesize
264KB

Download
memory/1888-58-0x0000000000130000-0x000000000013D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads