6d273bfaf4339e6d40c9b0ebfdc9818d746f62ce71c6e0a34d45e75408a4734e

General

Target

ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe
Size

144KB
MD5

165e0668c9007305f4335ff6ed4c9854
SHA1

b8ff03c73b8df5f9a840378b6862c39bd2b5eb5a
SHA256

9bfb04be2ce0a624be8edc3666d93686b73ead053644430876047c4a88862881
SHA512

a0232ea13fc9e30b9fbe89cd865a608ddb5137d03642ccb9674bfb8cd12590ac8560f6f6adc0ef2ee6040e50216f0abc1110d7d457b468534649eb2de8e5984b
SSDEEP

3072:UT6NN25fPi/Xaxa6keLTCYAo4RaHOP6AU59ZvHa3B:5fMXi/XaxBn3C3o4ROOybLCR

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
844	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\loibgjiv.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\loibgjiv.exe\""	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2040 set thread context of 1664	2040	ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe	28

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2040	ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe
1664	ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe
1664	ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe
1312	Explorer.EXE
1312	Explorer.EXE
1312	Explorer.EXE
1312	Explorer.EXE
1312	Explorer.EXE
1312	Explorer.EXE
1312	Explorer.EXE
1312	Explorer.EXE
1312	Explorer.EXE
1312	Explorer.EXE
1312	Explorer.EXE
1312	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1312	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1664	ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe
Token: SeDebugPrivilege	1312	Explorer.EXE
Token: SeShutdownPrivilege	1312	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1312	Explorer.EXE
1312	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1312	Explorer.EXE
1312	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2040	ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe
2040	ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1312	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 1664	2040	ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe	28
PID 2040 wrote to memory of 1664	2040	ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe	28
PID 2040 wrote to memory of 1664	2040	ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe	28
PID 2040 wrote to memory of 1664	2040	ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe	28
PID 2040 wrote to memory of 1664	2040	ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe	28
PID 2040 wrote to memory of 1664	2040	ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe	28
PID 2040 wrote to memory of 1664	2040	ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe	28
PID 2040 wrote to memory of 1664	2040	ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe	28
PID 2040 wrote to memory of 1664	2040	ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe	28
PID 2040 wrote to memory of 1664	2040	ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe	28
PID 1664 wrote to memory of 844	1664	ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe	29
PID 1664 wrote to memory of 844	1664	ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe	29
PID 1664 wrote to memory of 844	1664	ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe	29
PID 1664 wrote to memory of 844	1664	ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe	29
PID 1664 wrote to memory of 1312	1664	ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe	17
PID 1312 wrote to memory of 1176	1312	Explorer.EXE	19
PID 1312 wrote to memory of 1276	1312	Explorer.EXE	18
PID 1312 wrote to memory of 844	1312	Explorer.EXE	29
PID 1312 wrote to memory of 708	1312	Explorer.EXE	30

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Users\Admin\AppData\Local\Temp\ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe
  "C:\Users\Admin\AppData\Local\Temp\ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Users\Admin\AppData\Local\Temp\ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe
    C:\Users\Admin\AppData\Local\Temp\ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1664
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS2003~1.BAT"
      4⤵
      Deletes itself
      PID:844

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1276

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1176

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1934140490-6625278351248190404-20203295-12574983751843041061-14749818861261163745"
1⤵
PID:708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms2003330.bat

Filesize
201B

MD5
91e01e7d07b55d946cadfbc62f483f10

SHA1
9b9793f7bcff3310da977208fcc83cad09ad1122

SHA256
2bab08ca26689a2c75819bcc01f7a98036ef57f6b33e6a336ed2c440ff5a7c75

SHA512
0294cc8889a21f80d1d6597899731202901bb64992f100102ff4b8b8a110801fcd3ff1cc63eac93ef7ced96f96c108e709c1340f591ca50e74e0ee71a8f8dae8

Download Submit
memory/708-86-0x00000000372B0000-0x00000000372C0000-memory.dmp

Filesize
64KB

Download
memory/708-88-0x00000000000D0000-0x00000000000E7000-memory.dmp

Filesize
92KB

Download
memory/844-81-0x00000000000C0000-0x00000000000D4000-memory.dmp

Filesize
80KB

Download
memory/1176-90-0x0000000001CB0000-0x0000000001CC7000-memory.dmp

Filesize
92KB

Download
memory/1176-79-0x00000000372B0000-0x00000000372C0000-memory.dmp

Filesize
64KB

Download
memory/1276-91-0x00000000001A0000-0x00000000001B7000-memory.dmp

Filesize
92KB

Download
memory/1276-84-0x00000000372B0000-0x00000000372C0000-memory.dmp

Filesize
64KB

Download
memory/1312-75-0x00000000372B0000-0x00000000372C0000-memory.dmp

Filesize
64KB

Download
memory/1312-89-0x00000000029C0000-0x00000000029D7000-memory.dmp

Filesize
92KB

Download
memory/1312-72-0x00000000029C0000-0x00000000029D7000-memory.dmp

Filesize
92KB

Download
memory/1664-74-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1664-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1664-58-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1664-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1664-55-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1664-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1664-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1664-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2040-54-0x0000000075591000-0x0000000075593000-memory.dmp

Filesize
8KB

Download
memory/2040-65-0x0000000000310000-0x0000000000314000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing