e6eeb6b7a72652c25dba983b47bf7cc1b28518e2f21affd57bf1d74d48b43f90

General

Target

2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exe
Size

278KB
MD5

47cab2df770bfb3b5e4e741229d029fd
SHA1

7484bee01b8e41999c69e56aea0f5f9eda25279e
SHA256

5c8c2e8e87cd3cdf48883cc6e702b29e9db16e80972c7c4c8d7049d6a3475e2f
SHA512

51df63231c430c17e84dd40034e212182db17325fd49c391eef2f35c62344130f761138bdb4cb2d8ab4628a99158f03a1d77241d33accc98bd1c94be277501df
SSDEEP

6144:3bw0Oxjh1imhqrI4geQo6A7CQe+04FwKg2zM8bT7/:3fkhqR6Abr

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

996 cmd.exe

pid	process
996	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\gtntglna.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\gtntglna.exe\""	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exeExplorer.EXE

pid	process
1388	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exe
1388	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exe
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1388	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exe
Token: SeDebugPrivilege	1244	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1244 Explorer.EXE
1244 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1244 Explorer.EXE
1244 Explorer.EXE

pid	process
1244	Explorer.EXE
1244	Explorer.EXE

pid	process
1244	Explorer.EXE
1244	Explorer.EXE

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exeExplorer.EXE

description	pid	process	target process
PID 1388 wrote to memory of 996	1388	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exe	cmd.exe
PID 1388 wrote to memory of 996	1388	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exe	cmd.exe
PID 1388 wrote to memory of 996	1388	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exe	cmd.exe
PID 1388 wrote to memory of 996	1388	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exe	cmd.exe
PID 1388 wrote to memory of 1244	1388	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exe	Explorer.EXE
PID 1244 wrote to memory of 1124	1244	Explorer.EXE	taskhost.exe
PID 1244 wrote to memory of 1184	1244	Explorer.EXE	Dwm.exe
PID 1244 wrote to memory of 996	1244	Explorer.EXE	cmd.exe
PID 1244 wrote to memory of 1516	1244	Explorer.EXE	conhost.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1244

C:\Users\Admin\AppData\Local\Temp\2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exe
"C:\Users\Admin\AppData\Local\Temp\2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS6747~1.BAT"
3⤵
- Deletes itself
PID:996

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1184

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8507891141412526556111359436-605434253-1397646828-1780463213-5057499271296773842"
1⤵
PID:1516

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms6747145.bat
Filesize
201B

MD5
a1ce5ea6fb8844f6afa9f53fdb249137

SHA1
30b9262bef1ccf644c90d17feef8f400459c6ccd

SHA256
e487bd688cba034e3cd096c837f77726a5472014ff629c599c38efbdf2b28840

SHA512
7c6dd71cbdd1ab4e4ac88a65f31cdc3ddf6b152aadc8639de39870b48dfa1fafc2f59bccf075f713637876a053de4689a9a22e87ee6c40004f2ba278f39c59af

Download Submit
memory/996-69-0x0000000000280000-0x0000000000294000-memory.dmp

Filesize
80KB

Download
memory/996-57-0x0000000000000000-mapping.dmp

Download
memory/1124-74-0x0000000001C50000-0x0000000001C67000-memory.dmp

Filesize
92KB

Download
memory/1124-68-0x0000000037740000-0x0000000037750000-memory.dmp

Filesize
64KB

Download
memory/1184-71-0x0000000037740000-0x0000000037750000-memory.dmp

Filesize
64KB

Download
memory/1184-75-0x0000000000130000-0x0000000000147000-memory.dmp

Filesize
92KB

Download
memory/1244-62-0x0000000037740000-0x0000000037750000-memory.dmp

Filesize
64KB

Download
memory/1244-73-0x0000000002A90000-0x0000000002AA7000-memory.dmp

Filesize
92KB

Download
memory/1244-58-0x0000000002A90000-0x0000000002AA7000-memory.dmp

Filesize
92KB

Download
memory/1388-60-0x0000000000090000-0x000000000009E000-memory.dmp

Filesize
56KB

Download
memory/1388-61-0x0000000000DB0000-0x0000000000DFE000-memory.dmp

Filesize
312KB

Download
memory/1388-54-0x0000000075E11000-0x0000000075E13000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads