99ec9ec4d65a908e4154d6e961389117b535eb8179fd671941f912f317741aba

General

Target

2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe
Size

306KB
MD5

756fae3b80bf129ce578006534c1413f
SHA1

00ec3c18110067acd9014a27c366160f2ea18ab3
SHA256

69b81b054100dc55fa61aa0edb9acdecccb84ab84fa37177b33e5d9814067633
SHA512

10274e2d15f6c7990acee9dd6b8e4d3b30c5dc810321198257671862f125baecede3cb5193468f8361d3289fb4623cb3ab6a9f0caceb780eaa6e0e4ef4d1626e
SSDEEP

6144:Ci37LbbWiaYUpwXV9RIKWn/TUVs8oL48N8lqFzc+tRJShtvUdJk:CO/izXrN8UbtPShoJk

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\metlqowx.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\metlqowx.exe\""	Explorer.EXE

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3740 3288 WerFault.exe DllHost.exe

pid	pid_target	process	target process
3740	3288	WerFault.exe	DllHost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exeExplorer.EXE

pid	process
4824	2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe
4824	2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2640 Explorer.EXE

pid	process
2640	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exeExplorer.EXERuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	4824	2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe
Token: SeDebugPrivilege	2640	Explorer.EXE
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE
Token: SeShutdownPrivilege	3508	RuntimeBroker.exe
Token: SeShutdownPrivilege	3508	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exeExplorer.EXE

description	pid	process	target process
PID 4824 wrote to memory of 4764	4824	2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe	cmd.exe
PID 4824 wrote to memory of 4764	4824	2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe	cmd.exe
PID 4824 wrote to memory of 4764	4824	2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe	cmd.exe
PID 4824 wrote to memory of 2640	4824	2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe	Explorer.EXE
PID 2640 wrote to memory of 2356	2640	Explorer.EXE	sihost.exe
PID 2640 wrote to memory of 2388	2640	Explorer.EXE	svchost.exe
PID 2640 wrote to memory of 2468	2640	Explorer.EXE	taskhostw.exe
PID 2640 wrote to memory of 3096	2640	Explorer.EXE	svchost.exe
PID 2640 wrote to memory of 3288	2640	Explorer.EXE	DllHost.exe
PID 2640 wrote to memory of 3420	2640	Explorer.EXE	StartMenuExperienceHost.exe
PID 2640 wrote to memory of 3508	2640	Explorer.EXE	RuntimeBroker.exe
PID 2640 wrote to memory of 3616	2640	Explorer.EXE	SearchApp.exe
PID 2640 wrote to memory of 3808	2640	Explorer.EXE	RuntimeBroker.exe
PID 2640 wrote to memory of 4692	2640	Explorer.EXE	RuntimeBroker.exe
PID 2640 wrote to memory of 4824	2640	Explorer.EXE	2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe
PID 2640 wrote to memory of 4764	2640	Explorer.EXE	cmd.exe
PID 2640 wrote to memory of 2028	2640	Explorer.EXE	Conhost.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3508

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3616

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4692

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3808

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3420

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3288

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3288 -s 928
2⤵
- Program crash
PID:3740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3096

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2640

C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe
"C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4824

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS2367~1.BAT"
3⤵
PID:4764

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:2028

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2388

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2356

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 200 -p 3288 -ip 3288
1⤵
PID:1800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms2367742.bat

Filesize
201B

MD5
b30ceb13ac4e06e45a72bb95b33b39de

SHA1
1ea75b8d78dc2c9ee609e6ab656762ac5c1e7e98

SHA256
fbdd499cc1aea0327f15818fd185925fd56e6a9407215c3444b6df36333d504c

SHA512
23ddbd1cf0985cd032cc72d68d6be38b37cef64f02dc061245a78dc091a18aee3270db0d676cc486de9bc4fb65d4f59aefce099d51331ebf86c244f88957ed09

Download Submit
memory/2028-146-0x00007FFAC2970000-0x00007FFAC2980000-memory.dmp

Filesize
64KB

Download
memory/2028-150-0x00000122D4C70000-0x00000122D4C87000-memory.dmp

Filesize
92KB

Download
memory/2356-151-0x0000027F6C460000-0x0000027F6C477000-memory.dmp

Filesize
92KB

Download
memory/2356-137-0x00007FFAC2970000-0x00007FFAC2980000-memory.dmp

Filesize
64KB

Download
memory/2388-138-0x00007FFAC2970000-0x00007FFAC2980000-memory.dmp

Filesize
64KB

Download
memory/2388-152-0x000001B332150000-0x000001B332167000-memory.dmp

Filesize
92KB

Download
memory/2468-139-0x00007FFAC2970000-0x00007FFAC2980000-memory.dmp

Filesize
64KB

Download
memory/2468-153-0x0000028303C60000-0x0000028303C77000-memory.dmp

Filesize
92KB

Download
memory/2640-135-0x00007FFAC2970000-0x00007FFAC2980000-memory.dmp

Filesize
64KB

Download
memory/2640-136-0x0000000003210000-0x0000000003227000-memory.dmp

Filesize
92KB

Download
memory/2640-159-0x0000000003210000-0x0000000003227000-memory.dmp

Filesize
92KB

Download
memory/3096-141-0x00007FFAC2970000-0x00007FFAC2980000-memory.dmp

Filesize
64KB

Download
memory/3096-154-0x0000020DE3FE0000-0x0000020DE3FF7000-memory.dmp

Filesize
92KB

Download
memory/3420-142-0x00007FFAC2970000-0x00007FFAC2980000-memory.dmp

Filesize
64KB

Download
memory/3420-155-0x000001E14B9D0000-0x000001E14B9E7000-memory.dmp

Filesize
92KB

Download
memory/3508-156-0x0000017B3D050000-0x0000017B3D067000-memory.dmp

Filesize
92KB

Download
memory/3508-143-0x00007FFAC2970000-0x00007FFAC2980000-memory.dmp

Filesize
64KB

Download
memory/3808-144-0x00007FFAC2970000-0x00007FFAC2980000-memory.dmp

Filesize
64KB

Download
memory/3808-157-0x00000225C5C80000-0x00000225C5C97000-memory.dmp

Filesize
92KB

Download
memory/4692-145-0x00007FFAC2970000-0x00007FFAC2980000-memory.dmp

Filesize
64KB

Download
memory/4692-158-0x00000215C3540000-0x00000215C3557000-memory.dmp

Filesize
92KB

Download
memory/4764-147-0x00000000370F0000-0x0000000037100000-memory.dmp

Filesize
64KB

Download
memory/4764-134-0x0000000000000000-mapping.dmp

Download
memory/4764-149-0x0000000000FE0000-0x0000000000FF4000-memory.dmp

Filesize
80KB

Download
memory/4824-132-0x0000000002BC0000-0x0000000002BCE000-memory.dmp

Filesize
56KB

Download
memory/4824-148-0x00000000001A0000-0x00000000001F4000-memory.dmp

Filesize
336KB

Download
memory/4824-133-0x00000000001A0000-0x00000000001F4000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads