Analysis
max time kernel: 150s
max time network: 159s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 27-11-2022 16:16
Static task: static1
Behavioral task: behavioral1
  Sample: telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
  Resource: win10v2004-20221111-en
General
Target: telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
Size: 156KB
MD5: aca8bdbd8e79201892f8b46a3005744b
SHA1: 284fbc4f8265e1125f6ffc16d50a5144676ced2a
SHA256: 836228366d9edc7e8be6321ce1ce18204e50e6cb36ddcb4ec9c3cdb079998083
SHA512: 1699ea7e18f13ca5f615773d8b278a78df9536c95684dedf5e5fcdc003cc6bb5bce73702d7d3c8bbb22459161f57e3fd85709068c8a628eeed78295dc6bdcab1
SSDEEP: 3072:LdLBregqjNDitrqIwDIJFkcbS7iQrG6PsiYyQEHzdKc4gWEybV5:LdLCNar4ELZbS7iQrG6dYyxdKcje5
Malware Config
Signatures
- Deletes itself (1 IoC)
  Processes: pid 1500 cmd.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  Set value (str) by Explorer.EXE: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ypbkryye.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\ypbkryye.exe\""
  Key created by Explorer.EXE: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  PID 1780 (telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe) set thread context of PID 2040 (telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe)

- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  Processes:
  pid 1780 telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe (1 hit)
  pid 2040 telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe (2 hits)
  pid 1196 Explorer.EXE (12 hits)

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  Token: SeDebugPrivilege, pid 2040 telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
  Token: SeDebugPrivilege, pid 1196 Explorer.EXE

- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: pid 1196 Explorer.EXE (2 hits)

- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes: pid 1196 Explorer.EXE (2 hits)

- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: pid 1780 telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe

- Suspicious use of UnmapMainImage (1 IoC)
  Processes: pid 1196 Explorer.EXE

- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes:
  PID 1780 (telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe) wrote to memory of PID 2040 (telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe) (10 hits)
  PID 2040 (telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe) wrote to memory of PID 1500 (cmd.exe) (4 hits)
  PID 2040 (telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe) wrote to memory of PID 1196 (Explorer.EXE) (1 hit)
  PID 1196 (Explorer.EXE) wrote to memory of PID 1120 (taskhost.exe) (1 hit)
  PID 1196 (Explorer.EXE) wrote to memory of PID 1164 (Dwm.exe) (1 hit)
  PID 1196 (Explorer.EXE) wrote to memory of PID 1500 (cmd.exe) (2 hits)
  PID 1196 (Explorer.EXE) wrote to memory of PID 852 (conhost.exe) (2 hits)
Processes (nested by parent; depth as reported)
- C:\Windows\system32\taskhost.exe
  command line: "taskhost.exe"
- C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
      command line: C:\Users\Admin\AppData\Local\Temp\telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS3907~1.BAT"
        - Deletes itself
- C:\Windows\system32\conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe "525894199-8784050752104368582354203914-2135414366-482009578-1575706309406367765"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Roaming\ms3907252.bat
  Filesize: 201B
  MD5: 236130fe4062b2da95c79b9ad9eb810a
  SHA1: ff50e72e689f673bef4b361aedfd61fc9e4a4942
  SHA256: cd7bd206ebde97ab151126ee0a0ae811a831b17366faf1f5f451db0905aa1d11
  SHA512: 2ca3200c2bd2dd86d40af051ba2aa9f091a6dce01a3fc215f7451f0e56943be2aa4b156139f9e4a9ca1cf032dc065f18cd2333e630e452f778864f114fb54087
Memory dumps (file, filesize):
- memory/852-94-0x00000000000D0000-0x00000000000E7000-memory.dmp, 92KB
- memory/852-91-0x0000000037BE0000-0x0000000037BF0000-memory.dmp, 64KB
- memory/852-90-0x0000000037BE0000-0x0000000037BF0000-memory.dmp, 64KB
- memory/852-93-0x00000000000F0000-0x0000000000107000-memory.dmp, 92KB
- memory/1120-95-0x0000000001B40000-0x0000000001B57000-memory.dmp, 92KB
- memory/1120-79-0x0000000037BE0000-0x0000000037BF0000-memory.dmp, 64KB
- memory/1164-88-0x0000000037BE0000-0x0000000037BF0000-memory.dmp, 64KB
- memory/1164-97-0x00000000001A0000-0x00000000001B7000-memory.dmp, 92KB
- memory/1196-96-0x0000000001DD0000-0x0000000001DE7000-memory.dmp, 92KB
- memory/1196-72-0x0000000001DD0000-0x0000000001DE7000-memory.dmp, 92KB
- memory/1196-75-0x0000000037BE0000-0x0000000037BF0000-memory.dmp, 64KB
- memory/1500-71-0x0000000000000000-mapping.dmp
- memory/1500-81-0x00000000000F0000-0x0000000000104000-memory.dmp, 80KB
- memory/1780-54-0x00000000762F1000-0x00000000762F3000-memory.dmp, 8KB
- memory/1780-65-0x0000000000370000-0x0000000000374000-memory.dmp, 16KB
- memory/2040-63-0x0000000000400000-0x0000000000412000-memory.dmp, 72KB
- memory/2040-74-0x0000000000400000-0x0000000000412000-memory.dmp, 72KB
- memory/2040-67-0x0000000000400000-0x0000000000412000-memory.dmp, 72KB
- memory/2040-64-0x00000000004010C0-mapping.dmp
- memory/2040-62-0x0000000000400000-0x0000000000412000-memory.dmp, 72KB
- memory/2040-60-0x0000000000400000-0x0000000000412000-memory.dmp, 72KB
- memory/2040-58-0x0000000000400000-0x0000000000412000-memory.dmp, 72KB
- memory/2040-56-0x0000000000400000-0x0000000000412000-memory.dmp, 72KB
- memory/2040-55-0x0000000000400000-0x0000000000412000-memory.dmp, 72KB