f1676ba743731126cff0192f1b3a6eb22967edfe7e5fe1272c8ec3363cdf7367

General

Target

bestätigung_zahlungseingang_2014_11_55_02_277_001_033_927_0983900005_0000009127_01_20.exe
Size

148KB
MD5

bcb1747fdc21c114f48ecbc0517c1547
SHA1

d792f0cd1e98a2e2780aa8596ccc3c76a0ff9db1
SHA256

ed43bc8b2920590aa03eedec001f08263ff1fe4a75cb9d4af26441a1429c6acc
SHA512

fdc10682ecee6101f36bd00e53d6e19dcaf838d63e5ed5565d569cd2e2705f044b9426da0e98dc4dfa752c4388d2ce55a8aa70e0232c91bbcf502e220941415f
SSDEEP

3072:r9JfByH1wmLNzdcDNRyMAMKWdRkkBnuz4N7/gFT:ryyKqvtAWRkdcN7/MT

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\engtvbbi.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\engtvbbi.exe\""	Explorer.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 908 set thread context of 768	908	bestätigung_zahlungseingang_2014_11_55_02_277_001_033_927_0983900005_0000009127_01_20.exe	28

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
908	bestätigung_zahlungseingang_2014_11_55_02_277_001_033_927_0983900005_0000009127_01_20.exe
768	bestätigung_zahlungseingang_2014_11_55_02_277_001_033_927_0983900005_0000009127_01_20.exe
768	bestätigung_zahlungseingang_2014_11_55_02_277_001_033_927_0983900005_0000009127_01_20.exe
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1232	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	768	bestätigung_zahlungseingang_2014_11_55_02_277_001_033_927_0983900005_0000009127_01_20.exe
Token: SeDebugPrivilege	1232	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1232	Explorer.EXE
1232	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1232	Explorer.EXE
1232	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
908	bestätigung_zahlungseingang_2014_11_55_02_277_001_033_927_0983900005_0000009127_01_20.exe
908	bestätigung_zahlungseingang_2014_11_55_02_277_001_033_927_0983900005_0000009127_01_20.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1232	Explorer.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 908 wrote to memory of 768	908	bestätigung_zahlungseingang_2014_11_55_02_277_001_033_927_0983900005_0000009127_01_20.exe	28
PID 908 wrote to memory of 768	908	bestätigung_zahlungseingang_2014_11_55_02_277_001_033_927_0983900005_0000009127_01_20.exe	28
PID 908 wrote to memory of 768	908	bestätigung_zahlungseingang_2014_11_55_02_277_001_033_927_0983900005_0000009127_01_20.exe	28
PID 908 wrote to memory of 768	908	bestätigung_zahlungseingang_2014_11_55_02_277_001_033_927_0983900005_0000009127_01_20.exe	28
PID 908 wrote to memory of 768	908	bestätigung_zahlungseingang_2014_11_55_02_277_001_033_927_0983900005_0000009127_01_20.exe	28
PID 908 wrote to memory of 768	908	bestätigung_zahlungseingang_2014_11_55_02_277_001_033_927_0983900005_0000009127_01_20.exe	28
PID 908 wrote to memory of 768	908	bestätigung_zahlungseingang_2014_11_55_02_277_001_033_927_0983900005_0000009127_01_20.exe	28
PID 908 wrote to memory of 768	908	bestätigung_zahlungseingang_2014_11_55_02_277_001_033_927_0983900005_0000009127_01_20.exe	28
PID 908 wrote to memory of 768	908	bestätigung_zahlungseingang_2014_11_55_02_277_001_033_927_0983900005_0000009127_01_20.exe	28
PID 908 wrote to memory of 768	908	bestätigung_zahlungseingang_2014_11_55_02_277_001_033_927_0983900005_0000009127_01_20.exe	28
PID 768 wrote to memory of 1884	768	bestätigung_zahlungseingang_2014_11_55_02_277_001_033_927_0983900005_0000009127_01_20.exe	29
PID 768 wrote to memory of 1884	768	bestätigung_zahlungseingang_2014_11_55_02_277_001_033_927_0983900005_0000009127_01_20.exe	29
PID 768 wrote to memory of 1884	768	bestätigung_zahlungseingang_2014_11_55_02_277_001_033_927_0983900005_0000009127_01_20.exe	29
PID 768 wrote to memory of 1884	768	bestätigung_zahlungseingang_2014_11_55_02_277_001_033_927_0983900005_0000009127_01_20.exe	29
PID 768 wrote to memory of 1232	768	bestätigung_zahlungseingang_2014_11_55_02_277_001_033_927_0983900005_0000009127_01_20.exe	14
PID 1232 wrote to memory of 1128	1232	Explorer.EXE	16
PID 1232 wrote to memory of 1184	1232	Explorer.EXE	15
PID 1232 wrote to memory of 1184	1232	Explorer.EXE	15
PID 1232 wrote to memory of 908	1232	Explorer.EXE	17
PID 1232 wrote to memory of 1884	1232	Explorer.EXE	29
PID 1232 wrote to memory of 1496	1232	Explorer.EXE	30

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Users\Admin\AppData\Local\Temp\bestätigung_zahlungseingang_2014_11_55_02_277_001_033_927_0983900005_0000009127_01_20.exe
  "C:\Users\Admin\AppData\Local\Temp\bestätigung_zahlungseingang_2014_11_55_02_277_001_033_927_0983900005_0000009127_01_20.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:908
- - C:\Users\Admin\AppData\Local\Temp\bestätigung_zahlungseingang_2014_11_55_02_277_001_033_927_0983900005_0000009127_01_20.exe
    C:\Users\Admin\AppData\Local\Temp\bestätigung_zahlungseingang_2014_11_55_02_277_001_033_927_0983900005_0000009127_01_20.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:768
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\ms284298.bat"
      4⤵
      PID:1884

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1184

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1234205573253017771225065131676294885-6460276631267846863-774175025-404896195"
1⤵
PID:1496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms284298.bat

Filesize
201B

MD5
8d2f614009f1866ec60ebe4141352c97

SHA1
ded374d3e7a67858440b28aebdcc1b597daa7b90

SHA256
0d030f2842eb8a65a253a7d0bcd5c40efa9db689b3b2c793647e3127e6edddcb

SHA512
cbb1f40dd21696aab437fb2c98f96cb2d73687b43c7a48896a5ef112d4083954eecf0039e36b8df8758a6c3c6946b35c63966d00360862e0b1cfce61a624260e

Download Submit
memory/768-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/768-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/768-58-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/768-55-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/768-71-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/768-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/768-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/768-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/908-83-0x0000000000410000-0x0000000000424000-memory.dmp

Filesize
80KB

Download
memory/908-65-0x0000000000380000-0x0000000000384000-memory.dmp

Filesize
16KB

Download
memory/908-54-0x0000000075441000-0x0000000075443000-memory.dmp

Filesize
8KB

Download
memory/1128-92-0x0000000000210000-0x0000000000227000-memory.dmp

Filesize
92KB

Download
memory/1128-81-0x0000000036D20000-0x0000000036D30000-memory.dmp

Filesize
64KB

Download
memory/1184-88-0x0000000036D20000-0x0000000036D30000-memory.dmp

Filesize
64KB

Download
memory/1184-85-0x0000000036D20000-0x0000000036D30000-memory.dmp

Filesize
64KB

Download
memory/1184-95-0x00000000001A0000-0x00000000001B7000-memory.dmp

Filesize
92KB

Download
memory/1184-93-0x0000000000250000-0x0000000000267000-memory.dmp

Filesize
92KB

Download
memory/1232-90-0x0000000002730000-0x0000000002747000-memory.dmp

Filesize
92KB

Download
memory/1232-75-0x0000000036D20000-0x0000000036D30000-memory.dmp

Filesize
64KB

Download
memory/1232-73-0x0000000002730000-0x0000000002747000-memory.dmp

Filesize
92KB

Download
memory/1496-97-0x0000000036D20000-0x0000000036D30000-memory.dmp

Filesize
64KB

Download
memory/1496-99-0x00000000000D0000-0x00000000000E7000-memory.dmp

Filesize
92KB

Download
memory/1884-96-0x0000000036ED0000-0x0000000036EE0000-memory.dmp

Filesize
64KB

Download
memory/1884-98-0x0000000000260000-0x0000000000274000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing