122288b0569c2eababca57d06c8c284292a8058961c9e987db60f3e7eb9c06d1

General

Target

2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe
Size

148KB
MD5

719d4b8a24a98b938d0c393228e413f2
SHA1

9f55cdc8223b1ada8c7fdf678f605345442ce240
SHA256

29e65cd43000e27bb73556fce0dcbc2ec9a42a68dad623c251dc84a846651040
SHA512

e729442bc973b846cb07511c0654d65a425cc576f7a1847dc7800ac45fcaefaa0005327a779a7712017610130f47f4fbdf14f5b53ee812cfa725e09dca3d8d78
SSDEEP

3072:oykEWzxnWWEe+SuF1FZ01bzWQPg0qRfN2HOdUnylZ5MWz2M:drWzNWWEl1iiXpRfWOanyz5Rn

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2012	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\gtntglna.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\gtntglna.exe\""	Explorer.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 864 set thread context of 1932	864	2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe	27

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
864	2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe
1932	2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe
1932	2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1932	2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe
Token: SeDebugPrivilege	1380	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1380	Explorer.EXE
1380	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1380	Explorer.EXE
1380	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
864	2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe
864	2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1380	Explorer.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 1932	864	2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe	27
PID 864 wrote to memory of 1932	864	2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe	27
PID 864 wrote to memory of 1932	864	2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe	27
PID 864 wrote to memory of 1932	864	2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe	27
PID 864 wrote to memory of 1932	864	2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe	27
PID 864 wrote to memory of 1932	864	2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe	27
PID 864 wrote to memory of 1932	864	2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe	27
PID 864 wrote to memory of 1932	864	2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe	27
PID 864 wrote to memory of 1932	864	2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe	27
PID 864 wrote to memory of 1932	864	2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe	27
PID 1932 wrote to memory of 2012	1932	2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe	28
PID 1932 wrote to memory of 2012	1932	2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe	28
PID 1932 wrote to memory of 2012	1932	2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe	28
PID 1932 wrote to memory of 2012	1932	2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe	28
PID 1932 wrote to memory of 1380	1932	2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe	12
PID 1380 wrote to memory of 1224	1380	Explorer.EXE	14
PID 1380 wrote to memory of 1312	1380	Explorer.EXE	13
PID 1380 wrote to memory of 2012	1380	Explorer.EXE	28
PID 1380 wrote to memory of 2012	1380	Explorer.EXE	28
PID 1380 wrote to memory of 1696	1380	Explorer.EXE	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe
  "C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe
    C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_pdf_telekom_0000283882_november_00288273_11_0000000392_000005.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1932
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS7001~1.BAT"
      4⤵
      Deletes itself
      PID:2012

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1312

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1224

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18030029191689121224-53587856411056271022452121551826211983-759266678-360416788"
1⤵
PID:1696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms7001333.bat

Filesize
201B

MD5
433abdbc6d6b6de8c36d7c15e6abcae4

SHA1
55b3e397bdf79e86f27490705fd94a9fb8daa5df

SHA256
4234feda6ef9c06ba5c5119890e8868d564c5260629faeb18ae264088cee423a

SHA512
3f9a4a76f946c191c6e4d810b96d1ae6345e7b82a7880b183073795cb11b2e0cfcb1ffcfca70cfaae4523c9eaeb085c03f80dd2c9cd54bc551a473f17b1e59c7

Download Submit
memory/864-55-0x0000000076831000-0x0000000076833000-memory.dmp

Filesize
8KB

Download
memory/864-66-0x0000000000300000-0x0000000000304000-memory.dmp

Filesize
16KB

Download
memory/864-54-0x0000000000220000-0x00000000002CC000-memory.dmp

Filesize
688KB

Download
memory/1224-92-0x0000000001B40000-0x0000000001B57000-memory.dmp

Filesize
92KB

Download
memory/1224-83-0x0000000037CA0000-0x0000000037CB0000-memory.dmp

Filesize
64KB

Download
memory/1312-93-0x0000000001BB0000-0x0000000001BC7000-memory.dmp

Filesize
92KB

Download
memory/1312-88-0x0000000037CA0000-0x0000000037CB0000-memory.dmp

Filesize
64KB

Download
memory/1380-73-0x0000000002250000-0x0000000002267000-memory.dmp

Filesize
92KB

Download
memory/1380-91-0x0000000002250000-0x0000000002267000-memory.dmp

Filesize
92KB

Download
memory/1380-76-0x0000000037CA0000-0x0000000037CB0000-memory.dmp

Filesize
64KB

Download
memory/1696-90-0x00000000000B0000-0x00000000000C7000-memory.dmp

Filesize
92KB

Download
memory/1932-68-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1932-75-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1932-65-0x00000000004010C0-mapping.dmp

Download
memory/1932-64-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1932-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1932-61-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1932-59-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1932-57-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1932-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2012-72-0x0000000000000000-mapping.dmp

Download
memory/2012-81-0x0000000000130000-0x0000000000144000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing