Overview

overview

7

Static

static

telekom_de...38.exe

windows7-x64

7

telekom_de...38.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    150s
  • max time network
    159s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    27-11-2022 16:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe

  • Size

    156KB

  • MD5

    aca8bdbd8e79201892f8b46a3005744b

  • SHA1

    284fbc4f8265e1125f6ffc16d50a5144676ced2a

  • SHA256

    836228366d9edc7e8be6321ce1ce18204e50e6cb36ddcb4ec9c3cdb079998083

  • SHA512

    1699ea7e18f13ca5f615773d8b278a78df9536c95684dedf5e5fcdc003cc6bb5bce73702d7d3c8bbb22459161f57e3fd85709068c8a628eeed78295dc6bdcab1

  • SSDEEP

    3072:LdLBregqjNDitrqIwDIJFkcbS7iQrG6PsiYyQEHzdKc4gWEybV5:LdLCNar4ELZbS7iQrG6dYyxdKcje5

Score
7/10
persistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1120
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1164
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:1196
        • C:\Users\Admin\AppData\Local\Temp\telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
          "C:\Users\Admin\AppData\Local\Temp\telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1780
          • C:\Users\Admin\AppData\Local\Temp\telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
            C:\Users\Admin\AppData\Local\Temp\telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2040
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS3907~1.BAT"
              4⤵
              • Deletes itself
              PID:1500
      • C:\Windows\system32\conhost.exe
        \??\C:\Windows\system32\conhost.exe "525894199-8784050752104368582354203914-2135414366-482009578-1575706309406367765"
        1⤵
          PID:852

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\ms3907252.bat
          Filesize

          201B

          MD5

          236130fe4062b2da95c79b9ad9eb810a

          SHA1

          ff50e72e689f673bef4b361aedfd61fc9e4a4942

          SHA256

          cd7bd206ebde97ab151126ee0a0ae811a831b17366faf1f5f451db0905aa1d11

          SHA512

          2ca3200c2bd2dd86d40af051ba2aa9f091a6dce01a3fc215f7451f0e56943be2aa4b156139f9e4a9ca1cf032dc065f18cd2333e630e452f778864f114fb54087

          Download Submit
        • memory/852-94-0x00000000000D0000-0x00000000000E7000-memory.dmp
          Filesize

          92KB

          Download
        • memory/852-91-0x0000000037BE0000-0x0000000037BF0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/852-90-0x0000000037BE0000-0x0000000037BF0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/852-93-0x00000000000F0000-0x0000000000107000-memory.dmp
          Filesize

          92KB

          Download
        • memory/1120-95-0x0000000001B40000-0x0000000001B57000-memory.dmp
          Filesize

          92KB

          Download
        • memory/1120-79-0x0000000037BE0000-0x0000000037BF0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1164-88-0x0000000037BE0000-0x0000000037BF0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1164-97-0x00000000001A0000-0x00000000001B7000-memory.dmp
          Filesize

          92KB

          Download
        • memory/1196-96-0x0000000001DD0000-0x0000000001DE7000-memory.dmp
          Filesize

          92KB

          Download
        • memory/1196-72-0x0000000001DD0000-0x0000000001DE7000-memory.dmp
          Filesize

          92KB

          Download
        • memory/1196-75-0x0000000037BE0000-0x0000000037BF0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1500-71-0x0000000000000000-mapping.dmp
          Download
        • memory/1500-81-0x00000000000F0000-0x0000000000104000-memory.dmp
          Filesize

          80KB

          Download
        • memory/1780-54-0x00000000762F1000-0x00000000762F3000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1780-65-0x0000000000370000-0x0000000000374000-memory.dmp
          Filesize

          16KB

          Download
        • memory/2040-63-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/2040-74-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/2040-67-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/2040-64-0x00000000004010C0-mapping.dmp
          Download
        • memory/2040-62-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/2040-60-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/2040-58-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/2040-56-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/2040-55-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download