7052d7b51107748d341fc994b05fcd5a80a7945a8808aa02089e3d63d58f4a2f

General

Target

2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
Size

176KB
MD5

26599a5d851894bac450a5529f779960
SHA1

86ad307147dcc84a84433c6728444f8f36e7a1e8
SHA256

5375bce7f7d28f834652064ba8c6f41864f3e1fef385aa093a14cf00165976de
SHA512

87a354060184dc12c9ee156e863cf62ebb95bb3557c75851c987cf3889f7445ccf2e1c9b93ceb6a1bc74ae5fcf03d60b3a8b93cf112f1586a5a033b1a4b6199b
SSDEEP

3072:K1tv0jMkCL5x8KxMFS/71d0u6O6DZxwWpPcrKxCtxQ/LgM8rPp0j0:KTCEXz/7D0u6RlxRPk8P8r+I

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2036	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\ianvmjrr.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\ianvmjrr.exe\""	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1096	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
1096	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1096	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
1220	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1096	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
Token: SeDebugPrivilege	1220	Explorer.EXE
Token: SeShutdownPrivilege	1220	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1220	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 2036	1096	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	28
PID 1096 wrote to memory of 2036	1096	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	28
PID 1096 wrote to memory of 2036	1096	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	28
PID 1096 wrote to memory of 2036	1096	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	28
PID 1096 wrote to memory of 1220	1096	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	17
PID 1220 wrote to memory of 1116	1220	Explorer.EXE	19
PID 1220 wrote to memory of 1172	1220	Explorer.EXE	18
PID 1220 wrote to memory of 1096	1220	Explorer.EXE	16
PID 1220 wrote to memory of 2036	1220	Explorer.EXE	28
PID 1220 wrote to memory of 2036	1220	Explorer.EXE	28
PID 1220 wrote to memory of 1636	1220	Explorer.EXE	29
PID 1220 wrote to memory of 1636	1220	Explorer.EXE	29

C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
"C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS8537~1.BAT"
  2⤵
  - Deletes itself
  PID:2036

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1485155040-96825141253633638296356627-958849348-668981143445992585-1329175643"
1⤵
PID:1636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms8537768.bat

Filesize
201B

MD5
32fe1da454966377ce5b31db065b49bb

SHA1
662af7be8acdf0c43a1adb0e5d3cfa9a6d72801e

SHA256
e3fa3cf7b4e82a375e3f35396b06bb32435dd146f085505c3ab506be7b245e7e

SHA512
56f8a87929cdb3c2a77125c078a790b05b346642fcfe7426017b2e7d8513fb5a3986d32b1da0794d404397ddad33a1fb9a8f12f2c65e5e650823dca797adbcd8

Download Submit
memory/1096-54-0x0000000075991000-0x0000000075993000-memory.dmp

Filesize
8KB

Download
memory/1096-79-0x0000000001370000-0x00000000013A4000-memory.dmp

Filesize
208KB

Download
memory/1096-78-0x00000000001F0000-0x00000000001FD000-memory.dmp

Filesize
52KB

Download
memory/1096-63-0x0000000000260000-0x0000000000274000-memory.dmp

Filesize
80KB

Download
memory/1116-75-0x0000000036F80000-0x0000000036F90000-memory.dmp

Filesize
64KB

Download
memory/1116-82-0x0000000001B40000-0x0000000001B57000-memory.dmp

Filesize
92KB

Download
memory/1172-73-0x0000000036F80000-0x0000000036F90000-memory.dmp

Filesize
64KB

Download
memory/1172-83-0x00000000001A0000-0x00000000001B7000-memory.dmp

Filesize
92KB

Download
memory/1220-58-0x0000000036F80000-0x0000000036F90000-memory.dmp

Filesize
64KB

Download
memory/1220-56-0x0000000002A70000-0x0000000002A87000-memory.dmp

Filesize
92KB

Download
memory/1220-80-0x0000000002A70000-0x0000000002A87000-memory.dmp

Filesize
92KB

Download
memory/1636-81-0x0000000000080000-0x0000000000097000-memory.dmp

Filesize
92KB

Download
memory/1636-74-0x0000000036F80000-0x0000000036F90000-memory.dmp

Filesize
64KB

Download
memory/1636-77-0x0000000036F80000-0x0000000036F90000-memory.dmp

Filesize
64KB

Download
memory/1636-84-0x0000000000060000-0x0000000000077000-memory.dmp

Filesize
92KB

Download
memory/2036-85-0x0000000037130000-0x0000000037140000-memory.dmp

Filesize
64KB

Download
memory/2036-86-0x0000000037130000-0x0000000037140000-memory.dmp

Filesize
64KB

Download
memory/2036-87-0x0000000000110000-0x0000000000124000-memory.dmp

Filesize
80KB

Download
memory/2036-88-0x00000000000F0000-0x0000000000104000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing