628731dd07078d28c01f1eff454bf31d8b3ea4235882c35cdd047226e9c12e0b

General

Target

2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe
Size

176KB
MD5

d33f661fae5b24ca9152f53eb3ba454f
SHA1

fe1eaae53e4633b71c24a3b1ea904e9a1577fbda
SHA256

a5aa85ab001ccdba52e68a873881687c5eb9c199abba2ed7c163124401240e55
SHA512

fa02c4c5e56ff4301b7e55592b40f6b07de742e3d8aad193db1b54a7e597c2fd3267bcfaff0d4bfd19a66a6f3d2fefe9f55c2b06db7aceab7c701e2c7a963cbf
SSDEEP

3072:YGwR1qmB1T0gHtMFLa6IKYa5Tlrjmvl3XymSPTyAAwoc9+IkMd+zr3/1C:sKla6IKx3mdnCNAwo42M

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1240	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ypbkryye.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\ypbkryye.exe\""	Explorer.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1976 set thread context of 1016	1976	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe	28

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
1976	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe
1016	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe
1016	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1016	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe
Token: SeDebugPrivilege	1264	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1264	Explorer.EXE
1264	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1264	Explorer.EXE
1264	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1976	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe
1976	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1264	Explorer.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1016	1976	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe	28
PID 1976 wrote to memory of 1016	1976	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe	28
PID 1976 wrote to memory of 1016	1976	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe	28
PID 1976 wrote to memory of 1016	1976	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe	28
PID 1976 wrote to memory of 1016	1976	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe	28
PID 1976 wrote to memory of 1016	1976	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe	28
PID 1976 wrote to memory of 1016	1976	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe	28
PID 1976 wrote to memory of 1016	1976	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe	28
PID 1976 wrote to memory of 1016	1976	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe	28
PID 1976 wrote to memory of 1016	1976	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe	28
PID 1016 wrote to memory of 1240	1016	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe	29
PID 1016 wrote to memory of 1240	1016	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe	29
PID 1016 wrote to memory of 1240	1016	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe	29
PID 1016 wrote to memory of 1240	1016	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe	29
PID 1016 wrote to memory of 1264	1016	2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe	12
PID 1264 wrote to memory of 1136	1264	Explorer.EXE	14
PID 1264 wrote to memory of 1188	1264	Explorer.EXE	13
PID 1264 wrote to memory of 1240	1264	Explorer.EXE	29
PID 1264 wrote to memory of 1516	1264	Explorer.EXE	30
PID 1264 wrote to memory of 1516	1264	Explorer.EXE	30

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Users\Admin\AppData\Local\Temp\2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe
  "C:\Users\Admin\AppData\Local\Temp\2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Users\Admin\AppData\Local\Temp\2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe
    C:\Users\Admin\AppData\Local\Temp\2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1016
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS5655~1.BAT"
      4⤵
      Deletes itself
      PID:1240

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1188

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1136

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1994850033-1082199181348126264-620254614-361745138-16143789911964410822-1954389339"
1⤵
PID:1516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms5655697.bat

Filesize
201B

MD5
61b836ac4036a922c15dc35d2d35cb65

SHA1
51e5fc145d1f8d9cc99d59822d92e37c1671a63f

SHA256
5c7781b71ac685a1ab6881c6424f7662be21466cbabdc761c690ac57520d2275

SHA512
d412057618dd1129410f8a8c68aa30f2451aebccb63f173ed7fcefd5034fab50d14aadb258a131a7b05259e25878fbf7cd5cf87bd6a961e416a0c8cba2d532af

Download Submit
memory/1016-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1016-58-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1016-74-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1016-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1016-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1016-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1016-55-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1016-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1136-94-0x00000000004D0000-0x00000000004E7000-memory.dmp

Filesize
92KB

Download
memory/1136-79-0x0000000037460000-0x0000000037470000-memory.dmp

Filesize
64KB

Download
memory/1188-95-0x00000000001A0000-0x00000000001B7000-memory.dmp

Filesize
92KB

Download
memory/1188-83-0x0000000037460000-0x0000000037470000-memory.dmp

Filesize
64KB

Download
memory/1240-81-0x0000000000130000-0x0000000000144000-memory.dmp

Filesize
80KB

Download
memory/1264-75-0x0000000037460000-0x0000000037470000-memory.dmp

Filesize
64KB

Download
memory/1264-93-0x0000000002660000-0x0000000002677000-memory.dmp

Filesize
92KB

Download
memory/1264-72-0x0000000002660000-0x0000000002677000-memory.dmp

Filesize
92KB

Download
memory/1516-88-0x0000000037460000-0x0000000037470000-memory.dmp

Filesize
64KB

Download
memory/1516-89-0x0000000037460000-0x0000000037470000-memory.dmp

Filesize
64KB

Download
memory/1516-91-0x0000000000080000-0x0000000000097000-memory.dmp

Filesize
92KB

Download
memory/1516-92-0x0000000000060000-0x0000000000077000-memory.dmp

Filesize
92KB

Download
memory/1976-54-0x00000000764D1000-0x00000000764D3000-memory.dmp

Filesize
8KB

Download
memory/1976-65-0x00000000002C0000-0x00000000002C4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing