eed862ab8e60beeef9f63f298e397d51908074a3ba92f298df4f0858276c7ded

General

Target

rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
Size

176KB
MD5

13997ebf7af8d37dda6697ac03f76cc3
SHA1

9be2bcd498406bdfb05f860ad726273c4a7b4f3a
SHA256

11ecf58db103eb2ded5b942f303d48b5d77e336b8edfe335fa7b81264d1f50ef
SHA512

2894ef41ec784fb39ec663ff8ca5fa8c0ebbd875f95f6e2b843c8bca59d63cc7c43f64df43898290cef31c4b32478819f437fcc4656606d0f7cd4721c735ffee
SSDEEP

3072:rGwR1qmB1TQgHtMF5a6I4Ya5Tlrjmvl3XymSPTyAAwoc9+IkMd+zr3/1C:7KLa6I4x3mdnCNAwo42M

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\metlqowx.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\metlqowx.exe\""	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE

Suspicious use of SetThreadContext 1 IoCs

Processes:

rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe

description	pid	process	target process
PID 2292 set thread context of 4900	2292	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3964 3288 WerFault.exe DllHost.exe

pid	pid_target	process	target process
3964	3288	WerFault.exe	DllHost.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exerechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exeExplorer.EXE

pid	process
2292	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
2292	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
4900	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
4900	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
900	Explorer.EXE
900	Explorer.EXE
900	Explorer.EXE
900	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

900 Explorer.EXE

pid	process
900	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exeExplorer.EXERuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	4900	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
Token: SeDebugPrivilege	900	Explorer.EXE
Token: SeShutdownPrivilege	900	Explorer.EXE
Token: SeCreatePagefilePrivilege	900	Explorer.EXE
Token: SeShutdownPrivilege	3444	RuntimeBroker.exe
Token: SeShutdownPrivilege	3444	RuntimeBroker.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe

pid	process
2292	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
2292	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exerechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exeExplorer.EXE

description	pid	process	target process
PID 2292 wrote to memory of 4900	2292	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
PID 2292 wrote to memory of 4900	2292	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
PID 2292 wrote to memory of 4900	2292	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
PID 2292 wrote to memory of 4900	2292	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
PID 2292 wrote to memory of 4900	2292	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
PID 2292 wrote to memory of 4900	2292	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
PID 2292 wrote to memory of 4900	2292	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
PID 2292 wrote to memory of 4900	2292	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
PID 2292 wrote to memory of 4900	2292	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
PID 4900 wrote to memory of 4176	4900	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe	cmd.exe
PID 4900 wrote to memory of 4176	4900	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe	cmd.exe
PID 4900 wrote to memory of 4176	4900	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe	cmd.exe
PID 4900 wrote to memory of 900	4900	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe	Explorer.EXE
PID 900 wrote to memory of 2484	900	Explorer.EXE	sihost.exe
PID 900 wrote to memory of 2504	900	Explorer.EXE	svchost.exe
PID 900 wrote to memory of 2768	900	Explorer.EXE	taskhostw.exe
PID 900 wrote to memory of 3080	900	Explorer.EXE	svchost.exe
PID 900 wrote to memory of 3288	900	Explorer.EXE	DllHost.exe
PID 900 wrote to memory of 3376	900	Explorer.EXE	StartMenuExperienceHost.exe
PID 900 wrote to memory of 3444	900	Explorer.EXE	RuntimeBroker.exe
PID 900 wrote to memory of 3548	900	Explorer.EXE	SearchApp.exe
PID 900 wrote to memory of 3704	900	Explorer.EXE	RuntimeBroker.exe
PID 900 wrote to memory of 4652	900	Explorer.EXE	RuntimeBroker.exe
PID 900 wrote to memory of 4176	900	Explorer.EXE	cmd.exe
PID 900 wrote to memory of 4904	900	Explorer.EXE	Conhost.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4652

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3704

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3548

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3444

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3376

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3288

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3288 -s 756
2⤵
- Program crash
PID:3964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3080

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:900

C:\Users\Admin\AppData\Local\Temp\rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
"C:\Users\Admin\AppData\Local\Temp\rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2292

C:\Users\Admin\AppData\Local\Temp\rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
C:\Users\Admin\AppData\Local\Temp\rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4900

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS9503~1.BAT"
4⤵
PID:4176

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:4904

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2504

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2484

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 432 -p 3288 -ip 3288
1⤵
PID:2568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms9503297.bat

Filesize
201B

MD5
a07cdf553dd9ee62bbf6e31d357fd2a2

SHA1
7259dfad138c1a9cf668a13c0101afbca81191af

SHA256
2e2b1875bad77cdcb315016b6711a50db1e54917599cfd1be419bb1c3a96d016

SHA512
d5aa7d040950120771bc20c46639a556e78ee8667d99d4897edae357825dac9e8280bb5fdaaede7f817b18753669c66aea93179af4c59998728110ba6c45dbad

Download Submit
memory/900-165-0x0000000001190000-0x00000000011A7000-memory.dmp

Filesize
92KB

Download
memory/900-154-0x0000000001190000-0x00000000011A7000-memory.dmp

Filesize
92KB

Download
memory/900-142-0x00007FFA72110000-0x00007FFA72120000-memory.dmp

Filesize
64KB

Download
memory/2292-133-0x0000000002450000-0x0000000002454000-memory.dmp

Filesize
16KB

Download
memory/2292-132-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/2292-137-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/2484-155-0x0000025E7A430000-0x0000025E7A447000-memory.dmp

Filesize
92KB

Download
memory/2484-143-0x00007FFA72110000-0x00007FFA72120000-memory.dmp

Filesize
64KB

Download
memory/2504-144-0x00007FFA72110000-0x00007FFA72120000-memory.dmp

Filesize
64KB

Download
memory/2504-156-0x00000266FD940000-0x00000266FD957000-memory.dmp

Filesize
92KB

Download
memory/2768-157-0x0000022D17400000-0x0000022D17417000-memory.dmp

Filesize
92KB

Download
memory/2768-145-0x00007FFA72110000-0x00007FFA72120000-memory.dmp

Filesize
64KB

Download
memory/3080-158-0x0000020BF0CC0000-0x0000020BF0CD7000-memory.dmp

Filesize
92KB

Download
memory/3080-146-0x00007FFA72110000-0x00007FFA72120000-memory.dmp

Filesize
64KB

Download
memory/3376-148-0x00007FFA72110000-0x00007FFA72120000-memory.dmp

Filesize
64KB

Download
memory/3376-160-0x000001EC6AC80000-0x000001EC6AC97000-memory.dmp

Filesize
92KB

Download
memory/3444-147-0x00007FFA72110000-0x00007FFA72120000-memory.dmp

Filesize
64KB

Download
memory/3444-159-0x0000021FD3380000-0x0000021FD3397000-memory.dmp

Filesize
92KB

Download
memory/3704-149-0x00007FFA72110000-0x00007FFA72120000-memory.dmp

Filesize
64KB

Download
memory/3704-162-0x00000176C8430000-0x00000176C8447000-memory.dmp

Filesize
92KB

Download
memory/4176-161-0x0000000000550000-0x0000000000564000-memory.dmp

Filesize
80KB

Download
memory/4176-152-0x00000000373C0000-0x00000000373D0000-memory.dmp

Filesize
64KB

Download
memory/4176-140-0x0000000000000000-mapping.dmp

Download
memory/4652-150-0x00007FFA72110000-0x00007FFA72120000-memory.dmp

Filesize
64KB

Download
memory/4652-163-0x00000248A9570000-0x00000248A9587000-memory.dmp

Filesize
92KB

Download
memory/4900-139-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4900-138-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4900-135-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4900-141-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4900-134-0x0000000000000000-mapping.dmp

Download
memory/4904-151-0x00007FFA72110000-0x00007FFA72120000-memory.dmp

Filesize
64KB

Download
memory/4904-164-0x00000248AD120000-0x00000248AD137000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads