Overview

overview

7

Static

static

telekom_de...38.exe

windows7-x64

7

telekom_de...38.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    273s
  • max time network
    351s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    27-11-2022 16:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe

  • Size

    156KB

  • MD5

    aca8bdbd8e79201892f8b46a3005744b

  • SHA1

    284fbc4f8265e1125f6ffc16d50a5144676ced2a

  • SHA256

    836228366d9edc7e8be6321ce1ce18204e50e6cb36ddcb4ec9c3cdb079998083

  • SHA512

    1699ea7e18f13ca5f615773d8b278a78df9536c95684dedf5e5fcdc003cc6bb5bce73702d7d3c8bbb22459161f57e3fd85709068c8a628eeed78295dc6bdcab1

  • SSDEEP

    3072:LdLBregqjNDitrqIwDIJFkcbS7iQrG6PsiYyQEHzdKc4gWEybV5:LdLCNar4ELZbS7iQrG6dYyxdKcje5

Score
7/10
persistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1152
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1252
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:1312
        • C:\Users\Admin\AppData\Local\Temp\telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
          "C:\Users\Admin\AppData\Local\Temp\telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:772
          • C:\Users\Admin\AppData\Local\Temp\telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
            C:\Users\Admin\AppData\Local\Temp\telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:940
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS5967~1.BAT"
              4⤵
              • Deletes itself
              PID:536

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\ms5967899.bat
        Filesize

        201B

        MD5

        a36b46d5ea23784be576b047f59bd2f6

        SHA1

        ebe43300db7ff96aed861a1ccb9d941016fbf74c

        SHA256

        749c4d1ad6cfc9d8825ad8ba9f597a1d80c98fee235f932c056bc1336de51e7c

        SHA512

        80a0d8094e37b412a8892401dbd01741e0ade6a7ac412d0d55ee13fbb89bd7dc94a74b38f994edabc1eaaf946f875f23c1653c51b532de77cf74dbb05ebe921b

        Download Submit
      • memory/536-72-0x0000000000000000-mapping.dmp
        Download
      • memory/772-54-0x0000000076201000-0x0000000076203000-memory.dmp
        Filesize

        8KB

        Download
      • memory/772-65-0x00000000002F0000-0x00000000002F4000-memory.dmp
        Filesize

        16KB

        Download
      • memory/940-62-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/940-75-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/940-64-0x00000000004010C0-mapping.dmp
        Download
      • memory/940-63-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/940-67-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/940-58-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/940-69-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/940-56-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/940-55-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/940-60-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1152-82-0x0000000037930000-0x0000000037940000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1152-84-0x00000000004A0000-0x00000000004B7000-memory.dmp
        Filesize

        92KB

        Download
      • memory/1252-83-0x0000000037930000-0x0000000037940000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1252-86-0x0000000000120000-0x0000000000137000-memory.dmp
        Filesize

        92KB

        Download
      • memory/1312-76-0x0000000037930000-0x0000000037940000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1312-73-0x0000000002980000-0x0000000002997000-memory.dmp
        Filesize

        92KB

        Download
      • memory/1312-85-0x0000000002980000-0x0000000002997000-memory.dmp
        Filesize

        92KB

        Download