eb60e2897631d4cd8c6f4fc887d1337abdeb9d177fe136bc95b3b8e2ebfb6ed9

General

Target

rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
Size

172KB
MD5

c06b551f110824f92f7dd6e1e286338b
SHA1

b1451aabe43b20ddfe11ba08cda0716a47cf9fe6
SHA256

0fdc5af087744ec47f94d6d98b05c2f018a5b16bb097a7826f096bc6f7ffd92f
SHA512

4ae0cee0c75e61be40d33635b658d3ea0e074b7f4246a037da60ee6075906583b532236e41e1a3910684b9d8b71fecbcdadc1f9249bacf94b7726818cfbdc576
SSDEEP

3072:Lw0CwITzueTD9d0h06Up164tnYx82gGtjdkruyjn:LwYuzue/9+hpK8i4IGtj4

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bfbckpnl.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\bfbckpnl.exe\""	Explorer.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5008 set thread context of 2404	5008	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	84

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
5008	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
5008	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
5008	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
5008	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
5008	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
5008	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
2404	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
2404	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
2940	Explorer.EXE
2940	Explorer.EXE
2940	Explorer.EXE
2940	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2404	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
Token: SeDebugPrivilege	2940	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5008	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
5008	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 5008 wrote to memory of 2404	5008	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	84
PID 5008 wrote to memory of 2404	5008	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	84
PID 5008 wrote to memory of 2404	5008	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	84
PID 5008 wrote to memory of 2404	5008	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	84
PID 5008 wrote to memory of 2404	5008	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	84
PID 5008 wrote to memory of 2404	5008	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	84
PID 5008 wrote to memory of 2404	5008	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	84
PID 5008 wrote to memory of 2404	5008	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	84
PID 5008 wrote to memory of 2404	5008	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	84
PID 2404 wrote to memory of 5004	2404	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	85
PID 2404 wrote to memory of 5004	2404	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	85
PID 2404 wrote to memory of 5004	2404	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	85
PID 2404 wrote to memory of 2940	2404	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	57
PID 2940 wrote to memory of 2340	2940	Explorer.EXE	18
PID 2940 wrote to memory of 2356	2940	Explorer.EXE	64
PID 2940 wrote to memory of 2496	2940	Explorer.EXE	63
PID 2940 wrote to memory of 760	2940	Explorer.EXE	56
PID 2940 wrote to memory of 3244	2940	Explorer.EXE	55

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2340

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:760

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Users\Admin\AppData\Local\Temp\rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
  "C:\Users\Admin\AppData\Local\Temp\rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Users\Admin\AppData\Local\Temp\rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
    C:\Users\Admin\AppData\Local\Temp\rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2404
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS3378~1.BAT"
      4⤵
      PID:5004

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2404-134-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2404-136-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2940-138-0x00007FFBDD8B0000-0x00007FFBDD8C0000-memory.dmp

Filesize
64KB

Download
memory/5008-132-0x00000000014B0000-0x00000000014B4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing