1c71f683de6519775ba2973f11b22a7d4a4e4e94ad7073689ae7bcb57a6cbdd6

General

Target

2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe
Size

176KB
MD5

13997ebf7af8d37dda6697ac03f76cc3
SHA1

9be2bcd498406bdfb05f860ad726273c4a7b4f3a
SHA256

11ecf58db103eb2ded5b942f303d48b5d77e336b8edfe335fa7b81264d1f50ef
SHA512

2894ef41ec784fb39ec663ff8ca5fa8c0ebbd875f95f6e2b843c8bca59d63cc7c43f64df43898290cef31c4b32478819f437fcc4656606d0f7cd4721c735ffee
SSDEEP

3072:rGwR1qmB1TQgHtMF5a6I4Ya5Tlrjmvl3XymSPTyAAwoc9+IkMd+zr3/1C:7KLa6I4x3mdnCNAwo42M

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
268	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\ianvmjrr.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\ianvmjrr.exe\""	Explorer.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1228 set thread context of 2000	1228	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe	28

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1228	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe
2000	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe
2000	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1268	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2000	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe
Token: SeDebugPrivilege	1268	Explorer.EXE
Token: SeShutdownPrivilege	1268	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1268	Explorer.EXE
1268	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1268	Explorer.EXE
1268	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1228	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe
1228	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1268	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 2000	1228	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe	28
PID 1228 wrote to memory of 2000	1228	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe	28
PID 1228 wrote to memory of 2000	1228	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe	28
PID 1228 wrote to memory of 2000	1228	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe	28
PID 1228 wrote to memory of 2000	1228	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe	28
PID 1228 wrote to memory of 2000	1228	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe	28
PID 1228 wrote to memory of 2000	1228	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe	28
PID 1228 wrote to memory of 2000	1228	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe	28
PID 1228 wrote to memory of 2000	1228	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe	28
PID 1228 wrote to memory of 2000	1228	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe	28
PID 2000 wrote to memory of 268	2000	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe	29
PID 2000 wrote to memory of 268	2000	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe	29
PID 2000 wrote to memory of 268	2000	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe	29
PID 2000 wrote to memory of 268	2000	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe	29
PID 2000 wrote to memory of 1268	2000	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe	9
PID 1268 wrote to memory of 1132	1268	Explorer.EXE	11
PID 1268 wrote to memory of 1192	1268	Explorer.EXE	10

C:\Users\Admin\AppData\Local\Temp\2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe
"C:\Users\Admin\AppData\Local\Temp\2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Users\Admin\AppData\Local\Temp\2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe
  C:\Users\Admin\AppData\Local\Temp\2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS6747~1.BAT"
    3⤵
    - Deletes itself
    PID:268

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1192

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms6747145.bat

Filesize
201B

MD5
a1ce5ea6fb8844f6afa9f53fdb249137

SHA1
30b9262bef1ccf644c90d17feef8f400459c6ccd

SHA256
e487bd688cba034e3cd096c837f77726a5472014ff629c599c38efbdf2b28840

SHA512
7c6dd71cbdd1ab4e4ac88a65f31cdc3ddf6b152aadc8639de39870b48dfa1fafc2f59bccf075f713637876a053de4689a9a22e87ee6c40004f2ba278f39c59af

Download Submit
memory/1132-85-0x00000000003A0000-0x00000000003B7000-memory.dmp

Filesize
92KB

Download
memory/1132-80-0x0000000037970000-0x0000000037980000-memory.dmp

Filesize
64KB

Download
memory/1192-83-0x0000000037970000-0x0000000037980000-memory.dmp

Filesize
64KB

Download
memory/1192-86-0x0000000001C30000-0x0000000001C47000-memory.dmp

Filesize
92KB

Download
memory/1228-68-0x0000000000240000-0x0000000000244000-memory.dmp

Filesize
16KB

Download
memory/1228-66-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/1228-54-0x00000000767F1000-0x00000000767F3000-memory.dmp

Filesize
8KB

Download
memory/1268-84-0x0000000002A80000-0x0000000002A97000-memory.dmp

Filesize
92KB

Download
memory/1268-77-0x0000000037970000-0x0000000037980000-memory.dmp

Filesize
64KB

Download
memory/1268-87-0x000007FEF6C90000-0x000007FEF6DD3000-memory.dmp

Filesize
1.3MB

Download
memory/1268-73-0x0000000002A80000-0x0000000002A97000-memory.dmp

Filesize
92KB

Download
memory/1268-88-0x000007FECA1E0000-0x000007FECA1EA000-memory.dmp

Filesize
40KB

Download
memory/2000-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2000-75-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2000-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2000-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2000-58-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2000-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2000-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2000-55-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing