5f7a7924e445d2f77382fb783658871b170c21c5c43fa9c8f789549fd9792d36

General

Target

2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
Size

176KB
MD5

0bdbb242c3d65c99b0c4b3bdad19a793
SHA1

1b2a37b64b1a7ca71b801125faca273408bb7e67
SHA256

942b643d07c0cb4ac1593dccd846fe4bcda402f5f74fa4ba1437248e7c89e0c3
SHA512

387c6455dc286989d0de8b418505b5453ce82c262132eba2975006b59057a698bb5fe33bfa428690d0db30b3396ba6b699a1ad2b68482bc04df27975ca19206e
SSDEEP

3072:bBfHcmI+fMEJRvGGs4Edlb9kMv0UNLp+CSYnzyZyvBwwQlF9KwrrznF19AaROhze:blH80NJ5ZEdT8UlpaYzyZeBzQJPrrjFt

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1168	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\ianvmjrr.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\ianvmjrr.exe\""	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1416 set thread context of 1348	1416	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	28

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1416	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
1416	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
1416	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
1348	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
1348	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1264	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1348	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
Token: SeDebugPrivilege	1264	Explorer.EXE
Token: SeShutdownPrivilege	1264	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1416	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
1416	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1264	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 1348	1416	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	28
PID 1416 wrote to memory of 1348	1416	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	28
PID 1416 wrote to memory of 1348	1416	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	28
PID 1416 wrote to memory of 1348	1416	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	28
PID 1416 wrote to memory of 1348	1416	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	28
PID 1416 wrote to memory of 1348	1416	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	28
PID 1416 wrote to memory of 1348	1416	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	28
PID 1416 wrote to memory of 1348	1416	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	28
PID 1416 wrote to memory of 1348	1416	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	28
PID 1416 wrote to memory of 1348	1416	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	28
PID 1348 wrote to memory of 1168	1348	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	29
PID 1348 wrote to memory of 1168	1348	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	29
PID 1348 wrote to memory of 1168	1348	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	29
PID 1348 wrote to memory of 1168	1348	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	29
PID 1348 wrote to memory of 1264	1348	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	20
PID 1264 wrote to memory of 1120	1264	Explorer.EXE	18
PID 1264 wrote to memory of 1184	1264	Explorer.EXE	19
PID 1264 wrote to memory of 1168	1264	Explorer.EXE	29

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1184

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
  "C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1416
- - C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
    C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1348
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS9082~1.BAT"
      4⤵
      Deletes itself
      PID:1168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms9082233.bat

Filesize
201B

MD5
920a448d32448d086d206c37288cc71b

SHA1
247deaa929e8229a4c543e985b1a9a125688ed14

SHA256
8fcf472fda4e76d771eccd3b515558b76e7513da7e013e95b8214bb4e3fc883f

SHA512
71034a7141d83b5fbca9fc1ed2221a17a1ba99096713bef6fc778991b2fd2a73b8e5f22f4030d0792ae495f34c37fc511821e0d7662750b18ee8f108137aa96a

Download Submit
memory/1120-85-0x0000000001B40000-0x0000000001B57000-memory.dmp

Filesize
92KB

Download
memory/1120-82-0x0000000037600000-0x0000000037610000-memory.dmp

Filesize
64KB

Download
memory/1168-80-0x00000000000F0000-0x0000000000104000-memory.dmp

Filesize
80KB

Download
memory/1184-84-0x0000000037600000-0x0000000037610000-memory.dmp

Filesize
64KB

Download
memory/1184-87-0x0000000000130000-0x0000000000147000-memory.dmp

Filesize
92KB

Download
memory/1264-75-0x0000000037600000-0x0000000037610000-memory.dmp

Filesize
64KB

Download
memory/1264-89-0x000007FF07130000-0x000007FF0713A000-memory.dmp

Filesize
40KB

Download
memory/1264-88-0x000007FEF61E0000-0x000007FEF6323000-memory.dmp

Filesize
1.3MB

Download
memory/1264-86-0x0000000002150000-0x0000000002167000-memory.dmp

Filesize
92KB

Download
memory/1264-72-0x0000000002150000-0x0000000002167000-memory.dmp

Filesize
92KB

Download
memory/1348-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1348-74-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1348-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1348-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1348-58-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1348-55-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1348-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1348-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1416-54-0x0000000075F01000-0x0000000075F03000-memory.dmp

Filesize
8KB

Download
memory/1416-65-0x0000000000300000-0x0000000000304000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing