5a329f2f54b25ab980ad6a9f8c962547864e77c4d9516bcff8e444af2cdd529c

General

Target

2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
Size

176KB
MD5

8e9f821390b3affa596053cbadc4e824
SHA1

cd2fc0abfa71caf23bd71debad20a4715c6f9edf
SHA256

d0eba3801e3a1aa54315098cdc246086b51c6a5818377c9521a968c8fcf31dac
SHA512

13e5aa6db26fb086f9ee191cf7306b4e1db884a6746d74901ecb81c9c0ebc905d4022c38e7f608c2f8c3dc15e439e64c873e638b908406537e94ffb0fe672030
SSDEEP

3072:T9fHcmI+0MEJRSDOWHQKjEukcqRiGl7ITMsvDWhjWxB50G2eaNLw1hKeW8SaP3/1:TpH8DNJwOxvukJHl0TTvDWcB50tNLwX9

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1088	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\ianvmjrr.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\ianvmjrr.exe\""	Explorer.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2032 set thread context of 1232	2032	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	28

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2032	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
2032	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
2032	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
1232	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
1232	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1220	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1232	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
Token: SeDebugPrivilege	1220	Explorer.EXE
Token: SeShutdownPrivilege	1220	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2032	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
2032	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1220	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1232	2032	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	28
PID 2032 wrote to memory of 1232	2032	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	28
PID 2032 wrote to memory of 1232	2032	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	28
PID 2032 wrote to memory of 1232	2032	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	28
PID 2032 wrote to memory of 1232	2032	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	28
PID 2032 wrote to memory of 1232	2032	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	28
PID 2032 wrote to memory of 1232	2032	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	28
PID 2032 wrote to memory of 1232	2032	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	28
PID 2032 wrote to memory of 1232	2032	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	28
PID 2032 wrote to memory of 1232	2032	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	28
PID 1232 wrote to memory of 1088	1232	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	29
PID 1232 wrote to memory of 1088	1232	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	29
PID 1232 wrote to memory of 1088	1232	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	29
PID 1232 wrote to memory of 1088	1232	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	29
PID 1232 wrote to memory of 1220	1232	2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe	16
PID 1220 wrote to memory of 1116	1220	Explorer.EXE	17
PID 1220 wrote to memory of 1172	1220	Explorer.EXE	9
PID 1220 wrote to memory of 1088	1220	Explorer.EXE	29
PID 1220 wrote to memory of 1088	1220	Explorer.EXE	29

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
  "C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
    C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1232
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS2660~1.BAT"
      4⤵
      Deletes itself
      PID:1088

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms2660629.bat

Filesize
201B

MD5
a0e48e90c0d6d8b32df9b8eb9dc9146e

SHA1
754c081534f0a12da8f2cc5139ede91e72d090de

SHA256
2de9fa5982cfe1b5f519fa11861549bbaad917fd07e88e377905a08c997b9f24

SHA512
7f41aa0ed4f6f5c0cad7e9b95fa00ac433b41753c35a0757d71ae06852dccde068cca86cebdd88dde5f2671a0f4ab0334b0e02348d47ac12caafd7befbac5478

Download Submit
memory/1088-80-0x0000000000180000-0x0000000000194000-memory.dmp

Filesize
80KB

Download
memory/1116-89-0x0000000001B40000-0x0000000001B57000-memory.dmp

Filesize
92KB

Download
memory/1116-86-0x0000000036F80000-0x0000000036F90000-memory.dmp

Filesize
64KB

Download
memory/1116-83-0x0000000001B40000-0x0000000001B57000-memory.dmp

Filesize
92KB

Download
memory/1172-87-0x0000000036F80000-0x0000000036F90000-memory.dmp

Filesize
64KB

Download
memory/1172-88-0x00000000001A0000-0x00000000001B7000-memory.dmp

Filesize
92KB

Download
memory/1220-90-0x0000000002A60000-0x0000000002A77000-memory.dmp

Filesize
92KB

Download
memory/1220-85-0x0000000002A60000-0x0000000002A77000-memory.dmp

Filesize
92KB

Download
memory/1220-72-0x0000000002A60000-0x0000000002A77000-memory.dmp

Filesize
92KB

Download
memory/1220-75-0x0000000036F80000-0x0000000036F90000-memory.dmp

Filesize
64KB

Download
memory/1232-55-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1232-74-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1232-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1232-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1232-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1232-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1232-58-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1232-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2032-54-0x0000000075991000-0x0000000075993000-memory.dmp

Filesize
8KB

Download
memory/2032-65-0x0000000000300000-0x0000000000304000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing