ae43ad6d622c5e47259775dda7fd7cb8cc81685c1ec76f1149f82abb7c01b1b9

General

Target

2014_11details_transaktion_379000200929_november_309083200059_11_0000000039.exe
Size

176KB
MD5

8e9f821390b3affa596053cbadc4e824
SHA1

cd2fc0abfa71caf23bd71debad20a4715c6f9edf
SHA256

d0eba3801e3a1aa54315098cdc246086b51c6a5818377c9521a968c8fcf31dac
SHA512

13e5aa6db26fb086f9ee191cf7306b4e1db884a6746d74901ecb81c9c0ebc905d4022c38e7f608c2f8c3dc15e439e64c873e638b908406537e94ffb0fe672030
SSDEEP

3072:T9fHcmI+0MEJRSDOWHQKjEukcqRiGl7ITMsvDWhjWxB50G2eaNLw1hKeW8SaP3/1:TpH8DNJwOxvukJHl0TTvDWcB50tNLwX9

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2028	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\gtntglna.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\gtntglna.exe\""	Explorer.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1952 set thread context of 1940	1952	2014_11details_transaktion_379000200929_november_309083200059_11_0000000039.exe	28

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
1952	2014_11details_transaktion_379000200929_november_309083200059_11_0000000039.exe
1952	2014_11details_transaktion_379000200929_november_309083200059_11_0000000039.exe
1952	2014_11details_transaktion_379000200929_november_309083200059_11_0000000039.exe
1940	2014_11details_transaktion_379000200929_november_309083200059_11_0000000039.exe
1940	2014_11details_transaktion_379000200929_november_309083200059_11_0000000039.exe
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1940	2014_11details_transaktion_379000200929_november_309083200059_11_0000000039.exe
Token: SeDebugPrivilege	1220	Explorer.EXE
Token: SeShutdownPrivilege	1220	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1952	2014_11details_transaktion_379000200929_november_309083200059_11_0000000039.exe
1952	2014_11details_transaktion_379000200929_november_309083200059_11_0000000039.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1220	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 1940	1952	2014_11details_transaktion_379000200929_november_309083200059_11_0000000039.exe	28
PID 1952 wrote to memory of 1940	1952	2014_11details_transaktion_379000200929_november_309083200059_11_0000000039.exe	28
PID 1952 wrote to memory of 1940	1952	2014_11details_transaktion_379000200929_november_309083200059_11_0000000039.exe	28
PID 1952 wrote to memory of 1940	1952	2014_11details_transaktion_379000200929_november_309083200059_11_0000000039.exe	28
PID 1952 wrote to memory of 1940	1952	2014_11details_transaktion_379000200929_november_309083200059_11_0000000039.exe	28
PID 1952 wrote to memory of 1940	1952	2014_11details_transaktion_379000200929_november_309083200059_11_0000000039.exe	28
PID 1952 wrote to memory of 1940	1952	2014_11details_transaktion_379000200929_november_309083200059_11_0000000039.exe	28
PID 1952 wrote to memory of 1940	1952	2014_11details_transaktion_379000200929_november_309083200059_11_0000000039.exe	28
PID 1952 wrote to memory of 1940	1952	2014_11details_transaktion_379000200929_november_309083200059_11_0000000039.exe	28
PID 1952 wrote to memory of 1940	1952	2014_11details_transaktion_379000200929_november_309083200059_11_0000000039.exe	28
PID 1940 wrote to memory of 2028	1940	2014_11details_transaktion_379000200929_november_309083200059_11_0000000039.exe	29
PID 1940 wrote to memory of 2028	1940	2014_11details_transaktion_379000200929_november_309083200059_11_0000000039.exe	29
PID 1940 wrote to memory of 2028	1940	2014_11details_transaktion_379000200929_november_309083200059_11_0000000039.exe	29
PID 1940 wrote to memory of 2028	1940	2014_11details_transaktion_379000200929_november_309083200059_11_0000000039.exe	29
PID 1940 wrote to memory of 1220	1940	2014_11details_transaktion_379000200929_november_309083200059_11_0000000039.exe	9
PID 1220 wrote to memory of 1124	1220	Explorer.EXE	17
PID 1220 wrote to memory of 1176	1220	Explorer.EXE	16
PID 1220 wrote to memory of 2028	1220	Explorer.EXE	29
PID 1220 wrote to memory of 1724	1220	Explorer.EXE	30

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Users\Admin\AppData\Local\Temp\2014_11details_transaktion_379000200929_november_309083200059_11_0000000039.exe
  "C:\Users\Admin\AppData\Local\Temp\2014_11details_transaktion_379000200929_november_309083200059_11_0000000039.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Users\Admin\AppData\Local\Temp\2014_11details_transaktion_379000200929_november_309083200059_11_0000000039.exe
    C:\Users\Admin\AppData\Local\Temp\2014_11details_transaktion_379000200929_november_309083200059_11_0000000039.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS3024~1.BAT"
      4⤵
      Deletes itself
      PID:2028

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-244751332-1020774505-453481727149593609514852378021243791664-921636160191703029"
1⤵
PID:1724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms3024091.bat

Filesize
201B

MD5
9c30c08ff702a4af3452b41f716bbf0a

SHA1
a9f08a97937fb85072640263f058d7423c284a17

SHA256
6e437ed21d2f9e34800cf199a0ebe3ea3645d515f536f6efc0b13c02afef160b

SHA512
cc5a1427ad792b0ff9726146c096c0623cb25ba30a2a3b91fff52f303293e575dd93c6a1cd6b2cab35051d1da970653abeecbb5186cca8b8248b2883cd76066d

Download Submit
memory/1124-88-0x0000000001CB0000-0x0000000001CC7000-memory.dmp

Filesize
92KB

Download
memory/1124-81-0x00000000371C0000-0x00000000371D0000-memory.dmp

Filesize
64KB

Download
memory/1176-83-0x00000000371C0000-0x00000000371D0000-memory.dmp

Filesize
64KB

Download
memory/1176-89-0x0000000000120000-0x0000000000137000-memory.dmp

Filesize
92KB

Download
memory/1220-87-0x00000000029B0000-0x00000000029C7000-memory.dmp

Filesize
92KB

Download
memory/1220-75-0x00000000371C0000-0x00000000371D0000-memory.dmp

Filesize
64KB

Download
memory/1220-72-0x00000000029B0000-0x00000000029C7000-memory.dmp

Filesize
92KB

Download
memory/1940-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1940-74-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1940-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1940-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1940-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1940-58-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1940-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1940-55-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1952-65-0x00000000001E0000-0x00000000001E4000-memory.dmp

Filesize
16KB

Download
memory/1952-54-0x00000000753C1000-0x00000000753C3000-memory.dmp

Filesize
8KB

Download
memory/2028-80-0x0000000000120000-0x0000000000134000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing