Analysis
max time kernel: 273s
max time network: 351s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 27-11-2022 16:32

Static task: static1
Behavioral task: behavioral1
  Sample: telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
  Resource: win10v2004-20220901-en
General
Target: telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
Size: 156KB
MD5: aca8bdbd8e79201892f8b46a3005744b
SHA1: 284fbc4f8265e1125f6ffc16d50a5144676ced2a
SHA256: 836228366d9edc7e8be6321ce1ce18204e50e6cb36ddcb4ec9c3cdb079998083
SHA512: 1699ea7e18f13ca5f615773d8b278a78df9536c95684dedf5e5fcdc003cc6bb5bce73702d7d3c8bbb22459161f57e3fd85709068c8a628eeed78295dc6bdcab1
SSDEEP: 3072:LdLBregqjNDitrqIwDIJFkcbS7iQrG6PsiYyQEHzdKc4gWEybV5:LdLCNar4ELZbS7iQrG6dYyxdKcje5
Malware Config
Signatures
- Deletes itself (1 IoC)
  Processes (pid, process):
  536 cmd.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  Key created: \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run (Explorer.EXE)
  Set value (str): \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\engtvbbi.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\engtvbbi.exe\"" (Explorer.EXE)
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
  PID 772 set thread context of 940: telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe -> telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes (pid, process):
  772 telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
  940 telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe (2 entries)
  1312 Explorer.EXE (11 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid, process):
  1312 Explorer.EXE
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
  Token: SeDebugPrivilege 940 telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
  Token: SeDebugPrivilege 1312 Explorer.EXE
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid, process):
  1312 Explorer.EXE (2 entries)
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes (pid, process):
  1312 Explorer.EXE (2 entries)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid, process):
  772 telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
- Suspicious use of UnmapMainImage (1 IoC)
  Processes (pid, process):
  1312 Explorer.EXE
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes (description, pid, process, target process):
  PID 772 wrote to memory of 940: telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe -> telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe (10 entries)
  PID 940 wrote to memory of 536: telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe -> cmd.exe (4 entries)
  PID 940 wrote to memory of 1312: telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe -> Explorer.EXE
  PID 1312 wrote to memory of 1152: Explorer.EXE -> taskhost.exe
  PID 1312 wrote to memory of 1252: Explorer.EXE -> Dwm.exe
Processes
- C:\Windows\system32\taskhost.exe
  Command line: "taskhost.exe"
- C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS5967~1.BAT"
        - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\ms5967899.bat
  Filesize: 201B
  MD5: a36b46d5ea23784be576b047f59bd2f6
  SHA1: ebe43300db7ff96aed861a1ccb9d941016fbf74c
  SHA256: 749c4d1ad6cfc9d8825ad8ba9f597a1d80c98fee235f932c056bc1336de51e7c
  SHA512: 80a0d8094e37b412a8892401dbd01741e0ade6a7ac412d0d55ee13fbb89bd7dc94a74b38f994edabc1eaaf946f875f23c1653c51b532de77cf74dbb05ebe921b
- memory/536-72-0x0000000000000000-mapping.dmp
- memory/772-54-0x0000000076201000-0x0000000076203000-memory.dmp (Filesize: 8KB)
- memory/772-65-0x00000000002F0000-0x00000000002F4000-memory.dmp (Filesize: 16KB)
- memory/940-62-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/940-75-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/940-64-0x00000000004010C0-mapping.dmp
- memory/940-63-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/940-67-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/940-58-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/940-69-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/940-56-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/940-55-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/940-60-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/1152-82-0x0000000037930000-0x0000000037940000-memory.dmp (Filesize: 64KB)
- memory/1152-84-0x00000000004A0000-0x00000000004B7000-memory.dmp (Filesize: 92KB)
- memory/1252-83-0x0000000037930000-0x0000000037940000-memory.dmp (Filesize: 64KB)
- memory/1252-86-0x0000000000120000-0x0000000000137000-memory.dmp (Filesize: 92KB)
- memory/1312-76-0x0000000037930000-0x0000000037940000-memory.dmp (Filesize: 64KB)
- memory/1312-73-0x0000000002980000-0x0000000002997000-memory.dmp (Filesize: 92KB)
- memory/1312-85-0x0000000002980000-0x0000000002997000-memory.dmp (Filesize: 92KB)