a3f078df60c9ad51d63f42751b9542eda8ca7849bfe33ad6692ac525c981c9b8

General

Target

2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe
Size

172KB
MD5

86a0f3a5a1b658da0b5a20350194be50
SHA1

7cfc8ca77840edde4dec7044a1d3a95e052065a8
SHA256

0dd2c369816a22c313067349a91f96770702abb0324b57445ee1e2dc535b3765
SHA512

acc3dd0ea21347764c2deb12ccf81661d6cbfff02e78996a0beb5bbaa4eb4650e449ff79efd6ee362dc8d579282868cfb4a2f5d6915a09f9028073944f57f225
SSDEEP

3072:z4X1iceabPJuZjbvpX2LLmZyT7HMoVe76qrbwuG:0FitjTpX2LaLos75H

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2164 set thread context of 5100	2164	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe	81

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\DefaultIcon	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\print\command	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\print\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2014_1~1.EXE /p \"%1\""	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\printto\command	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\open\command	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\open	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\ = "Tif Document"	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2014_1~1.EXE \"%1\""	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2014_1~1.EXE,0"	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\print	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\printto	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\printto\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2014_1~1.EXE /pt \"%1\" \"%2\" \"%3\" \"%4\""	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2164	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe
2164	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe
2164	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe
2164	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe
2164	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe
2164	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe
5100	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe
5100	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5100	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2164	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe
2164	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 5100	2164	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe	81
PID 2164 wrote to memory of 5100	2164	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe	81
PID 2164 wrote to memory of 5100	2164	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe	81
PID 2164 wrote to memory of 5100	2164	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe	81
PID 2164 wrote to memory of 5100	2164	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe	81
PID 2164 wrote to memory of 5100	2164	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe	81
PID 2164 wrote to memory of 5100	2164	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe	81
PID 2164 wrote to memory of 5100	2164	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe	81
PID 2164 wrote to memory of 5100	2164	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe	81
PID 5100 wrote to memory of 3032	5100	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe	82
PID 5100 wrote to memory of 3032	5100	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe	82
PID 5100 wrote to memory of 3032	5100	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe	82
PID 5100 wrote to memory of 3060	5100	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe	45

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3060
- C:\Users\Admin\AppData\Local\Temp\2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe
  "C:\Users\Admin\AppData\Local\Temp\2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Users\Admin\AppData\Local\Temp\2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe
    C:\Users\Admin\AppData\Local\Temp\2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5100
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS9521~1.BAT"
      4⤵
      PID:3032

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2164-134-0x0000000002480000-0x0000000002484000-memory.dmp

Filesize
16KB

Download
memory/3060-138-0x00007FFA45370000-0x00007FFA45380000-memory.dmp

Filesize
64KB

Download
memory/5100-133-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5100-136-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing