92c8bf75f6d2b453f57ac0463c98266e3cddf330b62723c7f3ed2ba26d7a0620

General

Target

rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
Size

172KB
MD5

b2967a3ca6cfebc2e66f4c69d19dc055
SHA1

8832ee55e68abeb97738f4a62063860686246474
SHA256

9c4853fb813000f747396db86faea3122e6f7395f600bef9b3bc5f6eea133a9b
SHA512

00be2036a0fae86686f5de9c86f861fa534b52357636618adfb80c8edaf4ac9110fd6cca76fd7d9774ad090e0e3b2bc2d2ed71e314a4c147be8dc64c888f6e6e
SSDEEP

3072:M5AvWhLGWKpp91HMGGCPwqMBV/oFPUNuG:QSWhLG5fBRPSyF

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\metlqowx.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\metlqowx.exe\""	Explorer.EXE

Suspicious use of SetThreadContext 1 IoCs

Processes:

rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe

description	pid	process	target process
PID 5104 set thread context of 3428	5104	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5044 3344 WerFault.exe DllHost.exe

pid	pid_target	process	target process
5044	3344	WerFault.exe	DllHost.exe

Modifies registry class 14 IoCs

Processes:

rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\open	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\print\command	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\print	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\printto\command	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\ = "Tif Document"	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\open\command	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\printto\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RECHNU~1.EXE /pt \"%1\" \"%2\" \"%3\" \"%4\""	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RECHNU~1.EXE,0"	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\printto	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RECHNU~1.EXE \"%1\""	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\print\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RECHNU~1.EXE /p \"%1\""	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\DefaultIcon	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exerechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exeExplorer.EXE

pid	process
5104	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
5104	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
5104	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
5104	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
5104	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
5104	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
3428	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
3428	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
2824	Explorer.EXE
2824	Explorer.EXE
2824	Explorer.EXE
2824	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2824 Explorer.EXE

pid	process
2824	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exeExplorer.EXERuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	3428	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
Token: SeDebugPrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	3564	RuntimeBroker.exe
Token: SeShutdownPrivilege	3564	RuntimeBroker.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe

pid	process
5104	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
5104	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exerechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exeExplorer.EXE

description	pid	process	target process
PID 5104 wrote to memory of 3428	5104	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
PID 5104 wrote to memory of 3428	5104	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
PID 5104 wrote to memory of 3428	5104	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
PID 5104 wrote to memory of 3428	5104	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
PID 5104 wrote to memory of 3428	5104	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
PID 5104 wrote to memory of 3428	5104	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
PID 5104 wrote to memory of 3428	5104	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
PID 5104 wrote to memory of 3428	5104	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
PID 5104 wrote to memory of 3428	5104	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
PID 3428 wrote to memory of 2484	3428	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe	cmd.exe
PID 3428 wrote to memory of 2484	3428	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe	cmd.exe
PID 3428 wrote to memory of 2484	3428	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe	cmd.exe
PID 3428 wrote to memory of 2824	3428	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe	Explorer.EXE
PID 2824 wrote to memory of 2320	2824	Explorer.EXE	sihost.exe
PID 2824 wrote to memory of 2352	2824	Explorer.EXE	svchost.exe
PID 2824 wrote to memory of 2420	2824	Explorer.EXE	taskhostw.exe
PID 2824 wrote to memory of 3140	2824	Explorer.EXE	svchost.exe
PID 2824 wrote to memory of 3344	2824	Explorer.EXE	DllHost.exe
PID 2824 wrote to memory of 3444	2824	Explorer.EXE	StartMenuExperienceHost.exe
PID 2824 wrote to memory of 3564	2824	Explorer.EXE	RuntimeBroker.exe
PID 2824 wrote to memory of 3664	2824	Explorer.EXE	SearchApp.exe
PID 2824 wrote to memory of 3876	2824	Explorer.EXE	RuntimeBroker.exe
PID 2824 wrote to memory of 4784	2824	Explorer.EXE	RuntimeBroker.exe
PID 2824 wrote to memory of 3428	2824	Explorer.EXE	rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
PID 2824 wrote to memory of 2484	2824	Explorer.EXE	cmd.exe
PID 2824 wrote to memory of 5068	2824	Explorer.EXE	Conhost.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2320

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2824

C:\Users\Admin\AppData\Local\Temp\rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
"C:\Users\Admin\AppData\Local\Temp\rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5104

C:\Users\Admin\AppData\Local\Temp\rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
C:\Users\Admin\AppData\Local\Temp\rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3428

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS3560~1.BAT"
4⤵
PID:2484

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:5068

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3564

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3876

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3664

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4784

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3444

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3344

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3344 -s 1008
2⤵
- Program crash
PID:5044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3140

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2352

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 428 -p 3344 -ip 3344
1⤵
PID:5048

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms3560039.bat

Filesize
201B

MD5
83d14ada94badba4c94fd0f4bc81bcef

SHA1
3d4ca57cdedb48f79bfeed09940a718f878a1e17

SHA256
f98a74818558ff7ae16aac68bb6ca0d0bd9c8bd19ce6b042a066152911cebd24

SHA512
ea25242fe8479ec7aecff5e04a57695a71415bd0794cd113b0b04249ff1effc3ec1387e8d7780a2d579df6c37ea94fb66dced362b3ddc481a3f40916a850aab2

Download Submit
memory/2320-153-0x000001C2D5D00000-0x000001C2D5D17000-memory.dmp

Filesize
92KB

Download
memory/2320-140-0x00007FFA96230000-0x00007FFA96240000-memory.dmp

Filesize
64KB

Download
memory/2352-155-0x0000026CF5340000-0x0000026CF5357000-memory.dmp

Filesize
92KB

Download
memory/2352-141-0x00007FFA96230000-0x00007FFA96240000-memory.dmp

Filesize
64KB

Download
memory/2420-142-0x00007FFA96230000-0x00007FFA96240000-memory.dmp

Filesize
64KB

Download
memory/2420-156-0x000001A93E6C0000-0x000001A93E6D7000-memory.dmp

Filesize
92KB

Download
memory/2484-137-0x0000000000000000-mapping.dmp

Download
memory/2484-151-0x0000000000090000-0x00000000000A4000-memory.dmp

Filesize
80KB

Download
memory/2484-149-0x00000000373E0000-0x00000000373F0000-memory.dmp

Filesize
64KB

Download
memory/2824-154-0x0000000001320000-0x0000000001337000-memory.dmp

Filesize
92KB

Download
memory/2824-162-0x0000000001320000-0x0000000001337000-memory.dmp

Filesize
92KB

Download
memory/2824-138-0x00007FFA96230000-0x00007FFA96240000-memory.dmp

Filesize
64KB

Download
memory/3140-157-0x000001BC553C0000-0x000001BC553D7000-memory.dmp

Filesize
92KB

Download
memory/3140-143-0x00007FFA96230000-0x00007FFA96240000-memory.dmp

Filesize
64KB

Download
memory/3428-132-0x0000000000000000-mapping.dmp

Download
memory/3428-133-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3428-139-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3428-136-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3444-144-0x00007FFA96230000-0x00007FFA96240000-memory.dmp

Filesize
64KB

Download
memory/3444-158-0x000001C182840000-0x000001C182857000-memory.dmp

Filesize
92KB

Download
memory/3564-159-0x00000250AFA90000-0x00000250AFAA7000-memory.dmp

Filesize
92KB

Download
memory/3564-145-0x00007FFA96230000-0x00007FFA96240000-memory.dmp

Filesize
64KB

Download
memory/3876-160-0x0000025401F30000-0x0000025401F47000-memory.dmp

Filesize
92KB

Download
memory/3876-146-0x00007FFA96230000-0x00007FFA96240000-memory.dmp

Filesize
64KB

Download
memory/4784-147-0x00007FFA96230000-0x00007FFA96240000-memory.dmp

Filesize
64KB

Download
memory/4784-161-0x0000017764740000-0x0000017764757000-memory.dmp

Filesize
92KB

Download
memory/5068-152-0x000002A6044E0000-0x000002A6044F7000-memory.dmp

Filesize
92KB

Download
memory/5068-148-0x00007FFA96230000-0x00007FFA96240000-memory.dmp

Filesize
64KB

Download
memory/5104-134-0x0000000000740000-0x0000000000744000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads