0c09d725fd26154365050141fe0af103ea9e34eda78af8f4b2dd79573b59066a

General

Target

informationen_zum_transaktions_02JS_2820_JWIOU_29MQ_2001_KA21.pdf.exe
Size

94KB
MD5

dbc35cd99daa5b3f3083e911a43b7c31
SHA1

dcbe9859542d22bc8684d798d9f5227624f5be97
SHA256

47063fabbef0d6759cc4076c988760f82ba0328e878431cce6a3691d052e7b06
SHA512

d8212148e1c5897e1c92b2eb054c9b158eafc49fb3047fe22dd01208c1384212ab388848e746f9c37e2b561975e300fe440fdc9877411f460b4cb7c9666ca641
SSDEEP

1536:CvSM+QtpWT1G9NS89i4XZ0wovNOinmYbGmjBtwiRAd6S9C5Qhkxolh+:Cv3I1G9NnH8vN0eGKBqLMS9cIkxolU

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1068 cmd.exe

pid	process
1068	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\engtvbbi.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\engtvbbi.exe\""	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

informationen_zum_transaktions_02JS_2820_JWIOU_29MQ_2001_KA21.pdf.exeExplorer.EXE

pid	process
1644	informationen_zum_transaktions_02JS_2820_JWIOU_29MQ_2001_KA21.pdf.exe
1644	informationen_zum_transaktions_02JS_2820_JWIOU_29MQ_2001_KA21.pdf.exe
1284	Explorer.EXE
1284	Explorer.EXE
1284	Explorer.EXE
1284	Explorer.EXE
1284	Explorer.EXE
1284	Explorer.EXE
1284	Explorer.EXE
1284	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1284 Explorer.EXE

pid	process
1284	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

informationen_zum_transaktions_02JS_2820_JWIOU_29MQ_2001_KA21.pdf.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1644	informationen_zum_transaktions_02JS_2820_JWIOU_29MQ_2001_KA21.pdf.exe
Token: SeDebugPrivilege	1284	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1284 Explorer.EXE
1284 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1284 Explorer.EXE
1284 Explorer.EXE

pid	process
1284	Explorer.EXE
1284	Explorer.EXE

pid	process
1284	Explorer.EXE
1284	Explorer.EXE

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

informationen_zum_transaktions_02JS_2820_JWIOU_29MQ_2001_KA21.pdf.exeExplorer.EXE

description	pid	process	target process
PID 1644 wrote to memory of 1068	1644	informationen_zum_transaktions_02JS_2820_JWIOU_29MQ_2001_KA21.pdf.exe	cmd.exe
PID 1644 wrote to memory of 1068	1644	informationen_zum_transaktions_02JS_2820_JWIOU_29MQ_2001_KA21.pdf.exe	cmd.exe
PID 1644 wrote to memory of 1068	1644	informationen_zum_transaktions_02JS_2820_JWIOU_29MQ_2001_KA21.pdf.exe	cmd.exe
PID 1644 wrote to memory of 1068	1644	informationen_zum_transaktions_02JS_2820_JWIOU_29MQ_2001_KA21.pdf.exe	cmd.exe
PID 1644 wrote to memory of 1284	1644	informationen_zum_transaktions_02JS_2820_JWIOU_29MQ_2001_KA21.pdf.exe	Explorer.EXE
PID 1284 wrote to memory of 1120	1284	Explorer.EXE	taskhost.exe
PID 1284 wrote to memory of 1176	1284	Explorer.EXE	Dwm.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1284

C:\Users\Admin\AppData\Local\Temp\informationen_zum_transaktions_02JS_2820_JWIOU_29MQ_2001_KA21.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\informationen_zum_transaktions_02JS_2820_JWIOU_29MQ_2001_KA21.pdf.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS6374~1.BAT"
3⤵
- Deletes itself
PID:1068

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms6374069.bat

Filesize
201B

MD5
016f814cfebbd887fa0fadc202b103d5

SHA1
7fef03893085fe3aaec917bc3536eda0e043de43

SHA256
bb43073b61de8c2d43af2581a9433068e48b8854438f06f77a58602b8e79ff24

SHA512
bec78a2a14bd4033c96f61f42e8fd19c11456c2f44204fee4f8d72b1e061c945ead8a35156a920fb4cffdd9d57a190ff4a176c921ec6364c87d23a5d1f067d4b

Download Submit
memory/1068-60-0x0000000000000000-mapping.dmp

Download
memory/1120-72-0x00000000002D0000-0x00000000002E7000-memory.dmp

Filesize
92KB

Download
memory/1120-67-0x0000000037750000-0x0000000037760000-memory.dmp

Filesize
64KB

Download
memory/1176-73-0x0000000000340000-0x0000000000357000-memory.dmp

Filesize
92KB

Download
memory/1176-70-0x0000000037750000-0x0000000037760000-memory.dmp

Filesize
64KB

Download
memory/1284-63-0x0000000037750000-0x0000000037760000-memory.dmp

Filesize
64KB

Download
memory/1284-61-0x0000000002BE0000-0x0000000002BF7000-memory.dmp

Filesize
92KB

Download
memory/1284-71-0x0000000002BE0000-0x0000000002BF7000-memory.dmp

Filesize
92KB

Download
memory/1644-54-0x00000000763D1000-0x00000000763D3000-memory.dmp

Filesize
8KB

Download
memory/1644-59-0x0000000000020000-0x000000000003B000-memory.dmp

Filesize
108KB

Download
memory/1644-57-0x0000000000020000-0x000000000003B000-memory.dmp

Filesize
108KB

Download
memory/1644-56-0x0000000000100000-0x000000000010E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads