Analysis
max time kernel: 152s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-11-2022 04:24
Static task: static1
Behavioral task: behavioral1
  Sample: rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
  Resource: win10v2004-20220812-en
General
Target: rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
Size: 176KB
MD5: 13997ebf7af8d37dda6697ac03f76cc3
SHA1: 9be2bcd498406bdfb05f860ad726273c4a7b4f3a
SHA256: 11ecf58db103eb2ded5b942f303d48b5d77e336b8edfe335fa7b81264d1f50ef
SHA512: 2894ef41ec784fb39ec663ff8ca5fa8c0ebbd875f95f6e2b843c8bca59d63cc7c43f64df43898290cef31c4b32478819f437fcc4656606d0f7cd4721c735ffee
SSDEEP: 3072:rGwR1qmB1TQgHtMF5a6I4Ya5Tlrjmvl3XymSPTyAAwoc9+IkMd+zr3/1C:7KLa6I4x3mdnCNAwo42M
Malware Config
Signatures

Adds Run key to start application  (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                              process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\metlqowx.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\metlqowx.exe\""  Explorer.EXE
  Key created      \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run                                         Explorer.EXE

Suspicious use of SetThreadContext  (1 IoC)
  description                          pid   process                                                                         target pid  target process
  PID 2292 set thread context of 4900  2292  rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe  4900        rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe

Program crash  (1 IoC)
  pid   process       pid_target  target process
  3964  WerFault.exe  3288        DllHost.exe

Suspicious behavior: EnumeratesProcesses  (8 IoCs)
  pid   process                                                                         hits
  2292  rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe  2
  4900  rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe  2
  900   Explorer.EXE                                                                    4

Suspicious behavior: GetForegroundWindowSpam  (1 IoC)
  pid  process
  900  Explorer.EXE

Suspicious use of AdjustPrivilegeToken  (6 IoCs)
  description                       pid   process
  Token: SeDebugPrivilege           4900  rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
  Token: SeDebugPrivilege           900   Explorer.EXE
  Token: SeShutdownPrivilege        900   Explorer.EXE
  Token: SeCreatePagefilePrivilege  900   Explorer.EXE
  Token: SeShutdownPrivilege        3444  RuntimeBroker.exe  (2 hits)

Suspicious use of SetWindowsHookEx  (2 IoCs)
  pid   process                                                                         hits
  2292  rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe  2

Suspicious use of WriteProcessMemory  (25 IoCs)
  description                    pid   process                                                                         target pid  target process                 hits
  PID 2292 wrote to memory of 4900  2292  rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe  4900     rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe  9
  PID 4900 wrote to memory of 4176  4900  rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe  4176     cmd.exe                        3
  PID 4900 wrote to memory of 900   4900  rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe  900      Explorer.EXE                   1
  PID 900 wrote to memory of 2484   900   Explorer.EXE                                                                    2484     sihost.exe                     1
  PID 900 wrote to memory of 2504   900   Explorer.EXE                                                                    2504     svchost.exe                    1
  PID 900 wrote to memory of 2768   900   Explorer.EXE                                                                    2768     taskhostw.exe                  1
  PID 900 wrote to memory of 3080   900   Explorer.EXE                                                                    3080     svchost.exe                    1
  PID 900 wrote to memory of 3288   900   Explorer.EXE                                                                    3288     DllHost.exe                    1
  PID 900 wrote to memory of 3376   900   Explorer.EXE                                                                    3376     StartMenuExperienceHost.exe    1
  PID 900 wrote to memory of 3444   900   Explorer.EXE                                                                    3444     RuntimeBroker.exe              1
  PID 900 wrote to memory of 3548   900   Explorer.EXE                                                                    3548     SearchApp.exe                  1
  PID 900 wrote to memory of 3704   900   Explorer.EXE                                                                    3704     RuntimeBroker.exe              1
  PID 900 wrote to memory of 4652   900   Explorer.EXE                                                                    4652     RuntimeBroker.exe              1
  PID 900 wrote to memory of 4176   900   Explorer.EXE                                                                    4176     cmd.exe                        1
  PID 900 wrote to memory of 4904   900   Explorer.EXE                                                                    4904     Conhost.exe                    1
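Read together, the signatures above describe one chain: PID 2292 writes memory into, and sets the thread context of, a second copy of its own image (PID 4900); that copy writes into Explorer.EXE (PID 900); Explorer then creates the Run key pointing at C:\Users\Admin\AppData\Roaming\Identities\metlqowx.exe and writes into a dozen system processes. The Python below is an added example, not part of the sandbox report or its tooling. It encodes the report's IoCs as constructed event records (the record shapes are an assumption; in practice they would come from the sandbox's JSON export or EDR telemetry) and applies the two checks an analyst would want automated: a Run-key value that points into a user-writable profile path, and a WriteProcessMemory + SetThreadContext pair against a child running the same image, followed by a walk of the "wrote to memory of" edges from the initial PID.

```python
"""Triage checks for the two behaviours in this report: Run-key persistence into
a user profile path, and a same-image process-hollowing chain that pivots into
Explorer. Event data below is constructed from the report's IoCs (added example)."""
import re
from collections import defaultdict

SAMPLE = "rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe"

# Constructed from the "Adds Run key" IoCs. Record shape is an assumption.
REGISTRY_EVENTS = [
    {"op": "Key created",
     "key": r"\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": None, "process": "Explorer.EXE"},
    {"op": "Set value (str)",
     "key": r"\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\metlqowx.exe",
     "value": r'"C:\Users\Admin\AppData\Roaming\Identities\metlqowx.exe"',
     "process": "Explorer.EXE"},
]

# Constructed from the WriteProcessMemory / SetThreadContext IoCs:
# (api, src_pid, src_image, dst_pid, dst_image). A subset of the 25 hits is enough.
PROCESS_EVENTS = [
    ("WriteProcessMemory", 2292, SAMPLE, 4900, SAMPLE),
    ("SetThreadContext",   2292, SAMPLE, 4900, SAMPLE),
    ("WriteProcessMemory", 4900, SAMPLE, 4176, "cmd.exe"),
    ("WriteProcessMemory", 4900, SAMPLE, 900, "Explorer.EXE"),
    ("WriteProcessMemory", 900, "Explorer.EXE", 2484, "sihost.exe"),
    ("WriteProcessMemory", 900, "Explorer.EXE", 3444, "RuntimeBroker.exe"),
    ("WriteProcessMemory", 900, "Explorer.EXE", 3288, "DllHost.exe"),
]

# Any value set directly under ...\CurrentVersion\Run (HKCU or HKLM hive paths).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.IGNORECASE)
# Binaries launched from the user's own profile are writable without admin rights.
USER_WRITABLE_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


def suspicious_run_keys(events):
    """Return Run-key entries whose target executable lives under a user profile."""
    findings = []
    for ev in events:
        if ev["op"] != "Set value (str)" or not RUN_KEY_RE.search(ev["key"]):
            continue
        target = ev["value"].strip('"')          # the report shows the path quoted
        if USER_WRITABLE_RE.match(target):
            findings.append({"name": ev["key"].rsplit("\\", 1)[1],
                             "target": target, "writer": ev["process"]})
    return findings


def hollowing_candidates(events):
    """(src, dst) pairs where src both wrote memory and set thread context in
    another process running the same image: the classic self-hollowing pattern."""
    apis = defaultdict(set)
    for api, src, src_img, dst, dst_img in events:
        if src != dst and src_img.lower() == dst_img.lower():
            apis[(src, dst)].add(api)
    return sorted(pair for pair, seen in apis.items()
                  if {"WriteProcessMemory", "SetThreadContext"} <= seen)


def write_chain(events, root):
    """Breadth-first walk of 'wrote to memory of' edges from root.
    Returns {pid: image} for every process reachable from it."""
    edges, images = defaultdict(list), {}
    for api, src, _src_img, dst, dst_img in events:
        if api == "WriteProcessMemory":
            edges[src].append(dst)
            images[dst] = dst_img
    reached, queue = {}, [root]
    while queue:
        pid = queue.pop(0)
        for dst in edges.get(pid, []):
            if dst not in reached:
                reached[dst] = images[dst]
                queue.append(dst)
    return reached


if __name__ == "__main__":
    for f in suspicious_run_keys(REGISTRY_EVENTS):
        print("persistence:", f)
    for src, dst in hollowing_candidates(PROCESS_EVENTS):
        print(f"hollowing: {src} -> {dst}")
        for pid, img in write_chain(PROCESS_EVENTS, src).items():
            print(f"  reached {pid} {img}")
```

The hollowing check deliberately requires both APIs against the same target; a parent that only calls WriteProcessMemory on a child of the same image is common in legitimate software, whereas adding SetThreadContext is what lets the parent redirect the suspended child to injected code. The chain walk is what turns the 25 separate WriteProcessMemory hits into the single story above: the pivot through Explorer.EXE is the reason the Run key and the GetForegroundWindowSpam behaviour are attributed to Explorer rather than to the sample.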
Processes  (indentation shows parent/child depth)

C:\Windows\System32\RuntimeBroker.exe  (PID 4652)
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe  (PID 3704)
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  (PID 3548)
  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe  (PID 3444)
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
  signatures: Suspicious use of AdjustPrivilegeToken

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  (PID 3376)
  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\DllHost.exe  (PID 3288)
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    C:\Windows\system32\WerFault.exe  (PID 3964)
      cmdline: C:\Windows\system32\WerFault.exe -u -p 3288 -s 756
      signatures: Program crash

C:\Windows\system32\svchost.exe  (PID 3080)
  cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\Explorer.EXE  (PID 900)
  cmdline: C:\Windows\Explorer.EXE
  signatures: Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe  (PID 2292)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe"
      signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe  (PID 4900)
          cmdline: C:\Users\Admin\AppData\Local\Temp\rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
          signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\cmd.exe  (PID 4176)
              cmdline: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS9503~1.BAT"
                C:\Windows\System32\Conhost.exe  (PID 4904)
                  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\taskhostw.exe  (PID 2768)
  cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe  (PID 2504)
  cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\sihost.exe  (PID 2484)
  cmdline: sihost.exe

C:\Windows\system32\WerFault.exe  (PID 2568)
  cmdline: C:\Windows\system32\WerFault.exe -pss -s 432 -p 3288 -ip 3288
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 201B
MD5: a07cdf553dd9ee62bbf6e31d357fd2a2
SHA1: 7259dfad138c1a9cf668a13c0101afbca81191af
SHA256: 2e2b1875bad77cdcb315016b6711a50db1e54917599cfd1be419bb1c3a96d016
SHA512: d5aa7d040950120771bc20c46639a556e78ee8667d99d4897edae357825dac9e8280bb5fdaaede7f817b18753669c66aea93179af4c59998728110ba6c45dbad