8bc07d3bc4d08f9285dc01583e9608bc1460560d4918a938d58f9c5033034c93

General

Target

telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
Size

156KB
MD5

2dec40d7b7933f41203fc40ff5f9f6a2
SHA1

e9bf4aa0dfd58f51fb49553e6c0ac7e305039c7e
SHA256

27c298c77e16bbc3f056653034c2d918418f877bb0193a9ca533b5527d830a94
SHA512

6c04dd52b99ff919797ff1851aaa45f3953643157f4d522b4b11336ec7d49a105e2274175a6932f4acefd1dcba4b8f4864d9eec71da8ab317ad937d2d2354322
SSDEEP

3072:m2V3A7emadat92PH48GLnCo0dXjxTsuGb+j3FRvtVFVlD2Pq:xV3A6mkat98LdzxwuGWJ7V1D

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
872	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\loibgjiv.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\loibgjiv.exe\""	Explorer.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1232 set thread context of 1396	1232	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe	28

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1232	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
1396	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
1396	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
1336	Explorer.EXE
1336	Explorer.EXE
1336	Explorer.EXE
1336	Explorer.EXE
1336	Explorer.EXE
1336	Explorer.EXE
1336	Explorer.EXE
1336	Explorer.EXE
1336	Explorer.EXE
1336	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1336	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1396	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
Token: SeDebugPrivilege	1336	Explorer.EXE
Token: SeShutdownPrivilege	1336	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1336	Explorer.EXE
1336	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1336	Explorer.EXE
1336	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1232	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
1232	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1336	Explorer.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 1396	1232	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe	28
PID 1232 wrote to memory of 1396	1232	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe	28
PID 1232 wrote to memory of 1396	1232	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe	28
PID 1232 wrote to memory of 1396	1232	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe	28
PID 1232 wrote to memory of 1396	1232	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe	28
PID 1232 wrote to memory of 1396	1232	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe	28
PID 1232 wrote to memory of 1396	1232	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe	28
PID 1232 wrote to memory of 1396	1232	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe	28
PID 1232 wrote to memory of 1396	1232	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe	28
PID 1232 wrote to memory of 1396	1232	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe	28
PID 1396 wrote to memory of 872	1396	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe	29
PID 1396 wrote to memory of 872	1396	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe	29
PID 1396 wrote to memory of 872	1396	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe	29
PID 1396 wrote to memory of 872	1396	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe	29
PID 1396 wrote to memory of 1336	1396	telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe	17
PID 1336 wrote to memory of 1152	1336	Explorer.EXE	10
PID 1336 wrote to memory of 1152	1336	Explorer.EXE	10
PID 1336 wrote to memory of 1252	1336	Explorer.EXE	18
PID 1336 wrote to memory of 872	1336	Explorer.EXE	29
PID 1336 wrote to memory of 524	1336	Explorer.EXE	30

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1152

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Users\Admin\AppData\Local\Temp\telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
  "C:\Users\Admin\AppData\Local\Temp\telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Users\Admin\AppData\Local\Temp\telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
    C:\Users\Admin\AppData\Local\Temp\telekom_deutschland_dezember_2014_de_0001_3029400_92_928_02020_0_7_293489_0038.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1396
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS9082~1.BAT"
      4⤵
      Deletes itself
      PID:872

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1252

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-26074374015983462434309544951997289432-16090413141178790911-86014814260823022"
1⤵
PID:524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms9082233.bat

Filesize
201B

MD5
1b6ae1f26589b90f7cf1175d547fa655

SHA1
fe4c796af3f2462afcac1061dacf7c5d18f5fe2a

SHA256
34dc77fbe27f862560a219ba196f1da2bbc6455e132133997f867fc3dd0dbcee

SHA512
4e211a0981a7dbc1181ed5c4068282b82e6e7dba7dc26cbf23adea25bcd98cc0e147d266a71350575390169e77b8e5608895452f72f31e47591cbd3612ac1fcf

Download Submit
memory/872-82-0x0000000000080000-0x0000000000094000-memory.dmp

Filesize
80KB

Download
memory/1152-85-0x0000000037750000-0x0000000037760000-memory.dmp

Filesize
64KB

Download
memory/1152-90-0x0000000000310000-0x0000000000327000-memory.dmp

Filesize
92KB

Download
memory/1152-93-0x00000000001E0000-0x00000000001F7000-memory.dmp

Filesize
92KB

Download
memory/1152-87-0x0000000037750000-0x0000000037760000-memory.dmp

Filesize
64KB

Download
memory/1232-54-0x0000000075C31000-0x0000000075C33000-memory.dmp

Filesize
8KB

Download
memory/1232-66-0x0000000001C50000-0x0000000001C54000-memory.dmp

Filesize
16KB

Download
memory/1252-86-0x0000000037750000-0x0000000037760000-memory.dmp

Filesize
64KB

Download
memory/1252-92-0x0000000000120000-0x0000000000137000-memory.dmp

Filesize
92KB

Download
memory/1336-75-0x0000000037750000-0x0000000037760000-memory.dmp

Filesize
64KB

Download
memory/1336-72-0x0000000001C80000-0x0000000001C97000-memory.dmp

Filesize
92KB

Download
memory/1336-91-0x0000000001C80000-0x0000000001C97000-memory.dmp

Filesize
92KB

Download
memory/1396-74-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1396-58-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1396-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1396-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1396-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1396-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1396-55-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1396-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing