1714c3efa400355682fdd7f5dbdee1ee0e4a003cb988b57d284f297cbdab495f

General

Target

2014_11transaktions_pdf_000093378_2014_0000919_11_v_00028836_n_827100007.exe
Size

278KB
MD5

b650be9b84ff38f06f217ad982b8660d
SHA1

20c4b3e5dbe971309c3ec966e4e671d8c56580c5
SHA256

586ee2c334dff3ada56930d7de90999634893495ba8acd524273b955303b23fd
SHA512

d132fa2fc0cbbd1f03e9c83c06aef54ea5700ba648f6fa7a04b3bc235a65758d0168e72428820115e546cd6a785281253adf340444db22f79b4cffea45f31371
SSDEEP

6144:9iaYUpwXV9RIKWn/TUVs8oL48N8lqFzc+tRJSht4K:DzXrN8UbtPShiK

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1308 cmd.exe

pid	process
1308	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\loibgjiv.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\loibgjiv.exe\""	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

2014_11transaktions_pdf_000093378_2014_0000919_11_v_00028836_n_827100007.exeExplorer.EXE

pid	process
936	2014_11transaktions_pdf_000093378_2014_0000919_11_v_00028836_n_827100007.exe
936	2014_11transaktions_pdf_000093378_2014_0000919_11_v_00028836_n_827100007.exe
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1264 Explorer.EXE

pid	process
1264	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

2014_11transaktions_pdf_000093378_2014_0000919_11_v_00028836_n_827100007.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	936	2014_11transaktions_pdf_000093378_2014_0000919_11_v_00028836_n_827100007.exe
Token: SeDebugPrivilege	1264	Explorer.EXE
Token: SeShutdownPrivilege	1264	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1264 Explorer.EXE
1264 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1264 Explorer.EXE
1264 Explorer.EXE

pid	process
1264	Explorer.EXE
1264	Explorer.EXE

pid	process
1264	Explorer.EXE
1264	Explorer.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

2014_11transaktions_pdf_000093378_2014_0000919_11_v_00028836_n_827100007.exeExplorer.EXE

description	pid	process	target process
PID 936 wrote to memory of 1308	936	2014_11transaktions_pdf_000093378_2014_0000919_11_v_00028836_n_827100007.exe	cmd.exe
PID 936 wrote to memory of 1308	936	2014_11transaktions_pdf_000093378_2014_0000919_11_v_00028836_n_827100007.exe	cmd.exe
PID 936 wrote to memory of 1308	936	2014_11transaktions_pdf_000093378_2014_0000919_11_v_00028836_n_827100007.exe	cmd.exe
PID 936 wrote to memory of 1308	936	2014_11transaktions_pdf_000093378_2014_0000919_11_v_00028836_n_827100007.exe	cmd.exe
PID 936 wrote to memory of 1264	936	2014_11transaktions_pdf_000093378_2014_0000919_11_v_00028836_n_827100007.exe	Explorer.EXE
PID 1264 wrote to memory of 1132	1264	Explorer.EXE	taskhost.exe
PID 1264 wrote to memory of 1216	1264	Explorer.EXE	Dwm.exe
PID 1264 wrote to memory of 1308	1264	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1264

C:\Users\Admin\AppData\Local\Temp\2014_11transaktions_pdf_000093378_2014_0000919_11_v_00028836_n_827100007.exe
"C:\Users\Admin\AppData\Local\Temp\2014_11transaktions_pdf_000093378_2014_0000919_11_v_00028836_n_827100007.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS3024~1.BAT"
3⤵
- Deletes itself
PID:1308

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1216

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms3024091.bat
Filesize
201B

MD5
9c30c08ff702a4af3452b41f716bbf0a

SHA1
a9f08a97937fb85072640263f058d7423c284a17

SHA256
6e437ed21d2f9e34800cf199a0ebe3ea3645d515f536f6efc0b13c02afef160b

SHA512
cc5a1427ad792b0ff9726146c096c0623cb25ba30a2a3b91fff52f303293e575dd93c6a1cd6b2cab35051d1da970653abeecbb5186cca8b8248b2883cd76066d

Download Submit
memory/936-58-0x0000000000070000-0x00000000000BC000-memory.dmp

Filesize
304KB

Download
memory/936-57-0x00000000000F0000-0x00000000000FE000-memory.dmp

Filesize
56KB

Download
memory/936-54-0x0000000076941000-0x0000000076943000-memory.dmp

Filesize
8KB

Download
memory/1132-70-0x0000000037970000-0x0000000037980000-memory.dmp

Filesize
64KB

Download
memory/1132-71-0x0000000000210000-0x0000000000227000-memory.dmp

Filesize
92KB

Download
memory/1216-72-0x00000000019C0000-0x00000000019D7000-memory.dmp

Filesize
92KB

Download
memory/1216-68-0x0000000037970000-0x0000000037980000-memory.dmp

Filesize
64KB

Download
memory/1264-62-0x0000000037970000-0x0000000037980000-memory.dmp

Filesize
64KB

Download
memory/1264-60-0x00000000026F0000-0x0000000002707000-memory.dmp

Filesize
92KB

Download
memory/1264-73-0x00000000026F0000-0x0000000002707000-memory.dmp

Filesize
92KB

Download
memory/1264-74-0x000007FEF6C90000-0x000007FEF6DD3000-memory.dmp

Filesize
1.3MB

Download
memory/1264-75-0x000007FF56840000-0x000007FF5684A000-memory.dmp

Filesize
40KB

Download
memory/1308-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads