008460f704c58a278474228e4a894a2bc324a710a563afb950f84023dcdb4ff5

General

Target

E-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exe
Size

156KB
MD5

8e9111802bf368404c2a18222b3eb986
SHA1

6a744fd5cab051d4f115a172e45d7bcb9c14c276
SHA256

2c4ca41292c07252bb043dae7697a91c140ba9be82fac5cd62c9f9c802959e0d
SHA512

67a24d236ccf08b55a0f83338f11022da506ae9c89920162e2e6ab7a79545839f3fe118adaf4d5602ce452f9192e81d380364519beb040767b9d11ed05322832
SSDEEP

3072:N2VpC7emUS2JQM2bPcmdeXTQ+LuV0/9HQZl3a12+sq:kVpC6mUVJ3IpY9x1vh

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

580 cmd.exe

pid	process
580	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\loibgjiv.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\loibgjiv.exe\""	Explorer.EXE

Suspicious use of SetThreadContext 1 IoCs

Processes:

E-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exe

description	pid	process	target process
PID 1348 set thread context of 1032	1348	E-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exe	E-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

E-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exeE-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exeExplorer.EXE

pid	process
1348	E-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exe
1032	E-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exe
1032	E-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exe
1336	Explorer.EXE
1336	Explorer.EXE
1336	Explorer.EXE
1336	Explorer.EXE
1336	Explorer.EXE
1336	Explorer.EXE
1336	Explorer.EXE
1336	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1336 Explorer.EXE

pid	process
1336	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

E-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1032	E-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exe
Token: SeDebugPrivilege	1336	Explorer.EXE
Token: SeShutdownPrivilege	1336	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1336 Explorer.EXE
1336 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1336 Explorer.EXE
1336 Explorer.EXE

pid	process
1336	Explorer.EXE
1336	Explorer.EXE

pid	process
1336	Explorer.EXE
1336	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

E-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exe

pid	process
1348	E-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exe
1348	E-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

1336 Explorer.EXE

pid	process
1336	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

E-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exeE-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exeExplorer.EXE

description	pid	process	target process
PID 1348 wrote to memory of 1032	1348	E-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exe	E-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exe
PID 1348 wrote to memory of 1032	1348	E-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exe	E-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exe
PID 1348 wrote to memory of 1032	1348	E-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exe	E-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exe
PID 1348 wrote to memory of 1032	1348	E-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exe	E-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exe
PID 1348 wrote to memory of 1032	1348	E-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exe	E-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exe
PID 1348 wrote to memory of 1032	1348	E-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exe	E-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exe
PID 1348 wrote to memory of 1032	1348	E-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exe	E-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exe
PID 1348 wrote to memory of 1032	1348	E-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exe	E-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exe
PID 1348 wrote to memory of 1032	1348	E-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exe	E-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exe
PID 1348 wrote to memory of 1032	1348	E-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exe	E-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exe
PID 1032 wrote to memory of 580	1032	E-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exe	cmd.exe
PID 1032 wrote to memory of 580	1032	E-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exe	cmd.exe
PID 1032 wrote to memory of 580	1032	E-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exe	cmd.exe
PID 1032 wrote to memory of 580	1032	E-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exe	cmd.exe
PID 1032 wrote to memory of 1336	1032	E-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exe	Explorer.EXE
PID 1336 wrote to memory of 1152	1336	Explorer.EXE	taskhost.exe
PID 1336 wrote to memory of 1152	1336	Explorer.EXE	taskhost.exe
PID 1336 wrote to memory of 1252	1336	Explorer.EXE	Dwm.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1336

C:\Users\Admin\AppData\Local\Temp\E-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exe
"C:\Users\Admin\AppData\Local\Temp\E-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1348

C:\Users\Admin\AppData\Local\Temp\E-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exe
C:\Users\Admin\AppData\Local\Temp\E-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS9502~1.BAT"
4⤵
- Deletes itself
PID:580

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1252

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1152

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms9502267.bat
Filesize
201B

MD5
7d70db2f4431d984d854a3fb5abf00ac

SHA1
f3d838da10fc16517e68b1aa64f46116208b4e08

SHA256
dbd4f7494f7f82ab625c0f046fb8d0b93bff7486ccda7f585753ac83560519be

SHA512
54e3e14aede414c5f4fd88569918c8b29e74807e4337d55e7f438d10c68a47b582dc44269604656b2e62c8a4d75a24e84e2fd57f86afc474444e7cc9664eccaa

Download Submit
memory/580-71-0x0000000000000000-mapping.dmp

Download
memory/1032-58-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1032-55-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1032-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1032-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1032-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1032-74-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1032-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1032-64-0x00000000004010C0-mapping.dmp

Download
memory/1032-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1152-87-0x0000000000310000-0x0000000000327000-memory.dmp

Filesize
92KB

Download
memory/1152-88-0x00000000001E0000-0x00000000001F7000-memory.dmp

Filesize
92KB

Download
memory/1152-85-0x0000000037750000-0x0000000037760000-memory.dmp

Filesize
64KB

Download
memory/1152-84-0x0000000037750000-0x0000000037760000-memory.dmp

Filesize
64KB

Download
memory/1252-86-0x0000000037750000-0x0000000037760000-memory.dmp

Filesize
64KB

Download
memory/1252-89-0x0000000000120000-0x0000000000137000-memory.dmp

Filesize
92KB

Download
memory/1336-90-0x0000000002740000-0x0000000002757000-memory.dmp

Filesize
92KB

Download
memory/1336-75-0x0000000037750000-0x0000000037760000-memory.dmp

Filesize
64KB

Download
memory/1336-79-0x0000000002740000-0x0000000002757000-memory.dmp

Filesize
92KB

Download
memory/1336-72-0x0000000002740000-0x0000000002757000-memory.dmp

Filesize
92KB

Download
memory/1348-54-0x0000000075C31000-0x0000000075C33000-memory.dmp

Filesize
8KB

Download
memory/1348-65-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads