9b014c313cb7df1b9724168c06fe205203082bf646a8b15242d0c4b22cb276d3

General

Target

2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
Size

176KB
MD5

0bdbb242c3d65c99b0c4b3bdad19a793
SHA1

1b2a37b64b1a7ca71b801125faca273408bb7e67
SHA256

942b643d07c0cb4ac1593dccd846fe4bcda402f5f74fa4ba1437248e7c89e0c3
SHA512

387c6455dc286989d0de8b418505b5453ce82c262132eba2975006b59057a698bb5fe33bfa428690d0db30b3396ba6b699a1ad2b68482bc04df27975ca19206e
SSDEEP

3072:bBfHcmI+fMEJRvGGs4Edlb9kMv0UNLp+CSYnzyZyvBwwQlF9KwrrznF19AaROhze:blH80NJ5ZEdT8UlpaYzyZeBzQJPrrjFt

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
896	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\ianvmjrr.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\ianvmjrr.exe\""	Explorer.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1888 set thread context of 1120	1888	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	28

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1888	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
1888	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
1888	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
1120	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
1120	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1280	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1120	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
Token: SeDebugPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1888	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
1888	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1280	Explorer.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 1120	1888	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	28
PID 1888 wrote to memory of 1120	1888	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	28
PID 1888 wrote to memory of 1120	1888	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	28
PID 1888 wrote to memory of 1120	1888	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	28
PID 1888 wrote to memory of 1120	1888	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	28
PID 1888 wrote to memory of 1120	1888	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	28
PID 1888 wrote to memory of 1120	1888	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	28
PID 1888 wrote to memory of 1120	1888	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	28
PID 1888 wrote to memory of 1120	1888	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	28
PID 1888 wrote to memory of 1120	1888	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	28
PID 1120 wrote to memory of 896	1120	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	29
PID 1120 wrote to memory of 896	1120	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	29
PID 1120 wrote to memory of 896	1120	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	29
PID 1120 wrote to memory of 896	1120	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	29
PID 1120 wrote to memory of 1280	1120	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	11
PID 1280 wrote to memory of 1124	1280	Explorer.EXE	13
PID 1280 wrote to memory of 1204	1280	Explorer.EXE	12
PID 1280 wrote to memory of 896	1280	Explorer.EXE	29
PID 1280 wrote to memory of 896	1280	Explorer.EXE	29
PID 1280 wrote to memory of 1944	1280	Explorer.EXE	30

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
  "C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
    C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1120
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS5967~1.BAT"
      4⤵
      Deletes itself
      PID:896

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1204

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-817806355530126743-1531387615-1761259378-1714706643-923267797-1770385097-2065162202"
1⤵
PID:1944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms5967899.bat

Filesize
201B

MD5
61e4c2e3cb029b6b22030c26086d8faa

SHA1
ac81ac636fd9b76f052006fa5f6a79563a7692ad

SHA256
fd16dca53c6dc7a9b496a37f3f61eeb0a4141a69a2ef23b16e9a38301702b7c7

SHA512
55216374250f57a6539def67f47702902e1e4a075e0ca711f71515f9c32112bb6f0a5dea8fb66221fb975725d69ea2bf89a896fa3a4bd32964f8c8c571375927

Download Submit
memory/896-90-0x0000000000190000-0x00000000001A4000-memory.dmp

Filesize
80KB

Download
memory/896-89-0x0000000036F40000-0x0000000036F50000-memory.dmp

Filesize
64KB

Download
memory/896-82-0x0000000000170000-0x0000000000184000-memory.dmp

Filesize
80KB

Download
memory/1120-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1120-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1120-55-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1120-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1120-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1120-58-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1120-74-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1120-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1124-79-0x0000000036D90000-0x0000000036DA0000-memory.dmp

Filesize
64KB

Download
memory/1124-93-0x0000000000320000-0x0000000000337000-memory.dmp

Filesize
92KB

Download
memory/1204-88-0x0000000036D90000-0x0000000036DA0000-memory.dmp

Filesize
64KB

Download
memory/1204-95-0x00000000001A0000-0x00000000001B7000-memory.dmp

Filesize
92KB

Download
memory/1280-75-0x0000000036D90000-0x0000000036DA0000-memory.dmp

Filesize
64KB

Download
memory/1280-72-0x0000000001DA0000-0x0000000001DB7000-memory.dmp

Filesize
92KB

Download
memory/1280-94-0x0000000001DA0000-0x0000000001DB7000-memory.dmp

Filesize
92KB

Download
memory/1888-54-0x0000000075891000-0x0000000075893000-memory.dmp

Filesize
8KB

Download
memory/1888-65-0x0000000000380000-0x0000000000384000-memory.dmp

Filesize
16KB

Download
memory/1944-91-0x0000000036D90000-0x0000000036DA0000-memory.dmp

Filesize
64KB

Download
memory/1944-92-0x00000000001D0000-0x00000000001E7000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing