Analysis
-
max time kernel
135s
-
max time network
126s
-
platform
windows7_x64
-
resource
win7-20220901-en
-
resource tags
arch:x64 arch:x86 image:win7-20220901-en locale:en-us os:windows7-x64 system
-
submitted
24-11-2022 14:09
Static task
static1
Behavioral task
behavioral1
Sample
2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.pdf.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.pdf.exe
Resource
win10v2004-20220812-en
General
-
Target
2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.pdf.exe
-
Size
140KB
-
MD5
112b33bfeb2514bf11b0595c55173b32
-
SHA1
bde96a6d72babb9d5dea78d98dfa434ab2108624
-
SHA256
585f86ba3173d7a8560a2e82d6adcc8e3e3772bbaefb3239547b43a6685f21c1
-
SHA512
eb9a80e201d751740d0992459e1fcd61f3973113ab62c4d0b930dabcb165095492dc7d70ddfe8267c707d1b73df3a0df772c755b2477839a1f754e17be51401b
-
SSDEEP
3072:sJjzdejzg3KOSD+dN6so3Llk5aAGGUvXaIurWuK6o5yw5pP9m+OnlNEWd/SGv4MC:URejz+KOW+dNmLeaAGdZuK/z5T5pP9mI
Malware Config
Signatures
-
Deletes itself 1 IoCs
Processes:
pid  process
560  cmd.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description  ioc  process
Key created  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run  Explorer.EXE
Set value (str)  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\usrbdvpp.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\usrbdvpp.exe\""  Explorer.EXE
Note: the Run value is written by Explorer.EXE (PID 1208), the process the sample writes into (see "Suspicious use of WriteProcessMemory" below), not by the sample's own process, so a rule that keys on the sample's image name alone misses the persistence write. The value points at a per-user path, C:\Users\Admin\AppData\Roaming\Identities\usrbdvpp.exe, which is not among the files the report lists under Downloads.
-
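The Run-key row above is printed in the sandbox's escaped form (doubled backslashes, embedded quotes written as \"), which is awkward to match by eye. The following is an added example, not code from the report or from the sandbox, that parses such a row back into a registry hive, value name and image path and flags autostart entries that point into user-writable directories. The escaped input row is copied from the signature above; the benign "ExampleUpdater" row and the list of suspicious directory markers are constructed for the example.

```python
"""Triage a Run-key row in the form the sandbox prints it (added example, not report code)."""

# Constructed input: the "Set value (str)" row from the Run-key signature above, copied in
# the sandbox's escaped form (backslashes doubled, embedded quotes written as \").
RUN_KEY_LINE = (
    r"\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows"
    r'\CurrentVersion\Run\usrbdvpp.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\usrbdvpp.exe\""'
)

# Constructed benign row for contrast (hypothetical product, not from the report).
BENIGN_LINE = (
    r"\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater"
    r' = "\"C:\\Program Files\\Example\\updater.exe\" /background"'
)

# Locations a packaged installer has no reason to use for an autostart binary. This is an
# assumed triage heuristic; the sandbox itself only reports that a Run value was set.
USER_WRITABLE_MARKERS = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\", "\\users\\public\\")


def unescape(s):
    """Undo the dump's C-style escaping: a backslash followed by any character x yields x."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_run_row(line):
    """Split 'key\\valuename = "data"' into (key path, value name, unescaped data)."""
    key, sep, raw = line.partition(" = ")
    if not sep:
        raise ValueError("not a 'Set value' row: " + line)
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        raw = raw[1:-1]                      # outer quotes added by the dump, not part of the data
    key_path, _, value_name = key.rpartition("\\")
    return key_path, value_name, unescape(raw)


def image_path(command_line):
    """First token of a command line: a quoted path, or everything up to the first space."""
    if command_line.startswith('"'):
        end = command_line.find('"', 1)
        return command_line[1:end] if end > 0 else command_line[1:]
    return command_line.split(" ", 1)[0]


def triage_run_row(line):
    """Classify one Run-key row; 'suspicious' is True when the image lives under a user-writable path."""
    key_path, value_name, data = parse_run_row(line)
    image = image_path(data)
    upper = key_path.upper()
    hive = ("HKU" if upper.startswith("\\REGISTRY\\USER\\")
            else "HKLM" if upper.startswith("\\REGISTRY\\MACHINE\\")
            else "?")
    reasons = [m.strip("\\") for m in USER_WRITABLE_MARKERS if m in image.lower()]
    return {"hive": hive, "value_name": value_name, "image": image,
            "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for row in (RUN_KEY_LINE, BENIGN_LINE):
        r = triage_run_row(row)
        print(f"{r['hive']}\\...\\Run\\{r['value_name']} -> {r['image']} "
              f"{'SUSPICIOUS ' + ','.join(r['reasons']) if r['suspicious'] else 'ok'}")
```

The unescape step matters: matching the raw dump text against a plain path such as C:\Users\Admin\AppData\Roaming\Identities\usrbdvpp.exe fails because the dump doubles every backslash, so normalise first and compare afterwards.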
Suspicious use of SetThreadContext 1 IoCs
Processes:
description  pid  process  target process
PID 1632 set thread context of 1124  1632  2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.pdf.exe  2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.pdf.exe
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes:
pid  process  (events)
1632  2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.pdf.exe  3
1124  2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.pdf.exe  2
1208  Explorer.EXE  10
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid  process
1208  Explorer.EXE
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description  pid  process
Token: SeDebugPrivilege  1124  2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.pdf.exe
Token: SeDebugPrivilege  1208  Explorer.EXE
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid  process  (events)
1208  Explorer.EXE  2
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid  process  (events)
1208  Explorer.EXE  2
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid  process  (events)
1632  2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.pdf.exe  2
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
description  pid  process  target process  (events)
PID 1632 wrote to memory of 1124  1632  2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.pdf.exe  2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.pdf.exe  10
PID 1124 wrote to memory of 560  1124  2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.pdf.exe  cmd.exe  4
PID 1124 wrote to memory of 1208  1124  2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.pdf.exe  Explorer.EXE  1
PID 1208 wrote to memory of 1112  1208  Explorer.EXE  taskhost.exe  1
PID 1208 wrote to memory of 1180  1208  Explorer.EXE  Dwm.exe  1
PID 1208 wrote to memory of 560  1208  Explorer.EXE  cmd.exe  1
PID 1208 wrote to memory of 452  1208  Explorer.EXE  conhost.exe  1
Note: read with the SetThreadContext signature above, the rows form a chain. PID 1632 (the sample as launched) writes ten times into PID 1124, a second copy of its own image, and resets that copy's thread context, which is the RunPE / process-hollowing pattern. PID 1124 then takes SeDebugPrivilege, writes into Explorer.EXE (PID 1208), and Explorer.EXE in turn writes into taskhost.exe, Dwm.exe, conhost.exe and the cmd.exe child. The four writes from 1124 into its own child cmd.exe (PID 560) are the kind of writes process start-up produces and are not by themselves evidence of injection; the write from 1208 into 560 is, because cmd.exe is not Explorer's child.
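Telling the two kinds of WriteProcessMemory rows apart (a parent writing into a child it just created, versus writing into an unrelated process) needs the process tree as well as the signature rows. The block below is an added example, not code from the report or the sandbox: it re-parses the SetThreadContext and WriteProcessMemory rows above, joins them with the parent/child relations read off the process tree, and labels each edge. The PARENT map, the three labels and the rule behind them are assumptions made for the example; the input rows are the report's own, with the repeated rows kept so the counts match.

```python
"""Rebuild the injection chain from the sandbox's signature rows (added example, not report code)."""
import re
from collections import Counter

SAMPLE = "2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.pdf.exe"

# Constructed input: the rows of the SetThreadContext and WriteProcessMemory signatures
# above, one per line, with the repeats kept so the totals match the report (19 writes).
SIGNATURE_ROWS = (
    [f"PID 1632 set thread context of 1124 1632 {SAMPLE} {SAMPLE}"]
    + [f"PID 1632 wrote to memory of 1124 1632 {SAMPLE} {SAMPLE}"] * 10
    + [f"PID 1124 wrote to memory of 560 1124 {SAMPLE} cmd.exe"] * 4
    + [f"PID 1124 wrote to memory of 1208 1124 {SAMPLE} Explorer.EXE"]
    + [
        "PID 1208 wrote to memory of 1112 1208 Explorer.EXE taskhost.exe",
        "PID 1208 wrote to memory of 1180 1208 Explorer.EXE Dwm.exe",
        "PID 1208 wrote to memory of 560 1208 Explorer.EXE cmd.exe",
        "PID 1208 wrote to memory of 452 1208 Explorer.EXE conhost.exe",
    ]
)

# Parent of each PID, read off the process tree in the report (Explorer > sample > sample > cmd).
# taskhost.exe, Dwm.exe and conhost.exe sit at the top level of the tree, so they have no parent here.
PARENT = {1632: 1208, 1124: 1632, 560: 1124}

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) (?P<dst>\d+) "
    r"(?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_rows(rows):
    """Yield (op, src_pid, src_image, dst_pid, dst_image) for every row that matches the format."""
    for row in rows:
        m = ROW_RE.match(row)
        if m:
            yield m["op"], int(m["src"]), m["src_img"], int(m["dst"]), m["dst_img"]


def build_graph(rows):
    """Count WriteProcessMemory events per (src, dst) edge and collect SetThreadContext edges."""
    writes, context_resets, images = Counter(), set(), {}
    for op, src, src_img, dst, dst_img in parse_rows(rows):
        images[src], images[dst] = src_img, dst_img
        if op.startswith("wrote"):
            writes[(src, dst)] += 1
        else:
            context_resets.add((src, dst))
    return writes, context_resets, images


def classify_edges(rows, parent=PARENT):
    """Label every write edge. Assumed triage rule, not the sandbox's own classification:
    - 'hollowing':   parent writes into its own child and then resets the child's thread context;
    - 'child-start': parent writes into its own child with no context reset (normal start-up);
    - 'injection':   writing into any process that is not the writer's child."""
    writes, context_resets, images = build_graph(rows)
    labelled = {}
    for (src, dst), n in sorted(writes.items()):
        is_child = parent.get(dst) == src
        if is_child and (src, dst) in context_resets:
            label = "hollowing"
        elif is_child:
            label = "child-start"
        else:
            label = "injection"
        labelled[(src, dst)] = {"label": label, "writes": n, "src": images[src], "dst": images[dst]}
    return labelled


def injected_processes(rows, parent=PARENT):
    """PIDs that received code from a non-parent, i.e. whose memory is worth dumping and scanning."""
    return sorted(dst for (src, dst), e in classify_edges(rows, parent).items() if e["label"] == "injection")


if __name__ == "__main__":
    for (src, dst), e in classify_edges(SIGNATURE_ROWS).items():
        print(f"{src:>5} {e['src']:<14.14} -> {dst:>5} {e['dst']:<14.14} {e['label']:<12} x{e['writes']}")
    print("scan memory of PIDs:", injected_processes(SIGNATURE_ROWS))
```

The 'hollowing' rule deliberately does not require the child to run the same image as the parent: in this report it does, but a RunPE loader can just as well start a suspended copy of a system binary, and the parent-plus-context-reset combination is what identifies the technique.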
Processes
-
depth 1  C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  depth 2  C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.pdf.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.pdf.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    depth 3  C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.pdf.exe
      command line: C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.pdf.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      depth 4  C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS2476~1.BAT"
        - Deletes itself
depth 1  C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"
depth 1  C:\Windows\system32\taskhost.exe
  command line: "taskhost.exe"
depth 1  C:\Windows\system32\conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe "-14757942331268539520-1848283280-1740054079-2001849876-14926487421213257092-405629242"
Notes on the tree: matched against the signature PIDs, the depth-2 sample is PID 1632 (the SetThreadContext source), the depth-3 copy is PID 1124 (the process that takes SeDebugPrivilege and writes into Explorer.EXE), Explorer.EXE is PID 1208 and cmd.exe is PID 560. The cmd.exe image resolves to C:\Windows\SysWOW64\cmd.exe although the command line names system32; that is WoW64 file-system redirection, consistent with the arch:x86 tag and a 32-bit sample. MS2476~1.BAT is the 8.3 short name of the dropped C:\Users\Admin\AppData\Roaming\ms2476501.bat listed under Downloads, and the cmd.exe that runs it is the process credited with the "Deletes itself" signature. Dwm.exe, taskhost.exe and conhost.exe are not children of the sample; they appear because Explorer.EXE wrote into them (PIDs 1180, 1112 and 452).
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\ms2476501.bat
Filesize
201B
MD5
89e657c512fbc5aa47308b1bcc3ad2e8
SHA1
f87f4e9a8dd1d615aba678a5af2ad39764148356
SHA256
e7290d4108cf67eabd8188c4932a906372952ab71af91dd0d492ed9c6f5d9f67
SHA512
568ec87e014cc664110ba309e54f422d0af89e66256ed98b00bbfd18157f9a3e76411a8e7e6f78f7bf50273afe5f38d98d974a05fdbdcec8b6e14a12988d0f92
-
Memory dumps (the name encodes the PID and the address range; size follows where the report gives one)
memory/560-71-0x0000000000000000-mapping.dmp
memory/560-80-0x0000000000150000-0x0000000000164000-memory.dmp  80KB
memory/1112-83-0x0000000037C30000-0x0000000037C40000-memory.dmp  64KB
memory/1112-86-0x0000000001BC0000-0x0000000001BD7000-memory.dmp  92KB
memory/1124-55-0x0000000000400000-0x0000000000413000-memory.dmp  76KB
memory/1124-56-0x0000000000400000-0x0000000000413000-memory.dmp  76KB
memory/1124-58-0x0000000000400000-0x0000000000413000-memory.dmp  76KB
memory/1124-60-0x0000000000400000-0x0000000000413000-memory.dmp  76KB
memory/1124-62-0x0000000000400000-0x0000000000413000-memory.dmp  76KB
memory/1124-63-0x0000000000400000-0x0000000000413000-memory.dmp  76KB
memory/1124-64-0x00000000004010C0-mapping.dmp
memory/1124-67-0x0000000000400000-0x0000000000413000-memory.dmp  76KB
memory/1124-74-0x0000000000400000-0x0000000000413000-memory.dmp  76KB
memory/1180-85-0x0000000037C30000-0x0000000037C40000-memory.dmp  64KB
memory/1180-88-0x0000000001AC0000-0x0000000001AD7000-memory.dmp  92KB
memory/1208-72-0x00000000025E0000-0x00000000025F7000-memory.dmp  92KB
memory/1208-75-0x0000000037C30000-0x0000000037C40000-memory.dmp  64KB
memory/1208-87-0x00000000025E0000-0x00000000025F7000-memory.dmp  92KB
memory/1632-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp  8KB
memory/1632-65-0x00000000003D0000-0x00000000003D4000-memory.dmp  16KB
Notes on the dumps: PID 1124, the hollowed copy, is dumped eight times over the same 76KB region 0x00400000-0x00413000 (the default image base of a 32-bit executable), and its mapping dump points at 0x004010C0 inside that region; these dumps are where to look for the code PID 1632 wrote into it, which differs in size from the 140KB file on disk. PIDs 1208, 1112 and 1180 (Explorer.EXE, taskhost.exe, Dwm.exe) each carry a 64KB region at 0x37C30000 plus a 92KB region, matching the Explorer.EXE writes in the WriteProcessMemory signature; comparing the dump at the same address across those three processes is the quick way to confirm that the same payload was injected into each.