05913b199955c2c15a36eebe6fae62d86deada696cf142d8e72fbd441bfd0098

General

Target

2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe
Size

254KB
MD5

825afbdeee126eeebae9200dd497b6fd
SHA1

59e6e30d6c386e71d54aa8f7ee53228bce17f4ea
SHA256

69e685713b90b3dd56876565c92dd47ab247cd20326b6dbc1e5792e0f1544914
SHA512

f96711b02d23d5b790eac2444de976a6e931446862c21f1f9498e79ccd021e7528772f5c551510198159e915380af7c2b23e3dfb78c69e7067d47705265c4e03
SSDEEP

6144:v86CSUrscKPe+V/3fdrQ57f+urD/CIfSDte:v8tvscA5Jfdyr3/CIGs

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1992 cmd.exe

pid	process
1992	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\gtntglna.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\gtntglna.exe\""	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exeExplorer.EXE

pid	process
1448	2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe
1448	2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe
1420	Explorer.EXE
1420	Explorer.EXE
1420	Explorer.EXE
1420	Explorer.EXE
1420	Explorer.EXE
1420	Explorer.EXE
1420	Explorer.EXE
1420	Explorer.EXE
1420	Explorer.EXE
1420	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1448	2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe
Token: SeDebugPrivilege	1420	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1420 Explorer.EXE
1420 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1420 Explorer.EXE
1420 Explorer.EXE

pid	process
1420	Explorer.EXE
1420	Explorer.EXE

pid	process
1420	Explorer.EXE
1420	Explorer.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exeExplorer.EXE

description	pid	process	target process
PID 1448 wrote to memory of 1992	1448	2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe	cmd.exe
PID 1448 wrote to memory of 1992	1448	2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe	cmd.exe
PID 1448 wrote to memory of 1992	1448	2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe	cmd.exe
PID 1448 wrote to memory of 1992	1448	2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe	cmd.exe
PID 1448 wrote to memory of 1420	1448	2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe	Explorer.EXE
PID 1420 wrote to memory of 1260	1420	Explorer.EXE	taskhost.exe
PID 1420 wrote to memory of 1364	1420	Explorer.EXE	Dwm.exe
PID 1420 wrote to memory of 1448	1420	Explorer.EXE	2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe
PID 1420 wrote to memory of 1992	1420	Explorer.EXE	cmd.exe
PID 1420 wrote to memory of 2012	1420	Explorer.EXE	conhost.exe
PID 1420 wrote to memory of 2012	1420	Explorer.EXE	conhost.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1260

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1420

C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe
"C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS4763~1.BAT"
3⤵
- Deletes itself
PID:1992

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1364

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-758819449-1324412901-1241252627-25441830175320628-98242187-14929936411147370683"
1⤵
PID:2012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms4763869.bat

Filesize
201B

MD5
e8c5089a988718d37119e2dcd509293f

SHA1
d3fa9cb1ac7b66c09b5b90d76893d90a522d0530

SHA256
557d1d90f8bf20904e0dfb45ff0d72e8a4b508cc4bb81269369a3b4e4730a0cd

SHA512
787a6292ccae5468c3560b71a4ed97ff48e0507e2a7870c34b801aa8730981b2c0c912a161b7ef6d08c1051ddfa65c925e06dbe0fa29522291d077ccfe4cfdaf

Download Submit
memory/1260-81-0x0000000001D30000-0x0000000001D47000-memory.dmp

Filesize
92KB

Download
memory/1260-68-0x0000000037540000-0x0000000037550000-memory.dmp

Filesize
64KB

Download
memory/1364-70-0x0000000037540000-0x0000000037550000-memory.dmp

Filesize
64KB

Download
memory/1364-82-0x00000000001B0000-0x00000000001C7000-memory.dmp

Filesize
92KB

Download
memory/1420-83-0x0000000002270000-0x0000000002287000-memory.dmp

Filesize
92KB

Download
memory/1420-56-0x0000000002270000-0x0000000002287000-memory.dmp

Filesize
92KB

Download
memory/1420-58-0x0000000037540000-0x0000000037550000-memory.dmp

Filesize
64KB

Download
memory/1448-64-0x0000000000230000-0x0000000000244000-memory.dmp

Filesize
80KB

Download
memory/1448-67-0x0000000000B90000-0x0000000000BD2000-memory.dmp

Filesize
264KB

Download
memory/1448-59-0x00000000001B0000-0x00000000001BD000-memory.dmp

Filesize
52KB

Download
memory/1448-54-0x0000000076121000-0x0000000076123000-memory.dmp

Filesize
8KB

Download
memory/1992-77-0x00000000376F0000-0x0000000037700000-memory.dmp

Filesize
64KB

Download
memory/1992-78-0x00000000000F0000-0x0000000000104000-memory.dmp

Filesize
80KB

Download
memory/1992-55-0x0000000000000000-mapping.dmp

Download
memory/2012-76-0x0000000037540000-0x0000000037550000-memory.dmp

Filesize
64KB

Download
memory/2012-80-0x00000000000D0000-0x00000000000E7000-memory.dmp

Filesize
92KB

Download
memory/2012-79-0x00000000000F0000-0x0000000000107000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads