f8155e67dc4345d40d29e30e8d5196cabefc9817569f9786bff0ba2eddb58dda

General

Target

RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe
Size

180KB
MD5

f96874ad23fde2f0b3af2af1565beb73
SHA1

16e63fa7df0f2e8964d2e9cf2541b9ccd5c31106
SHA256

0ed91af7f5dd71ee724ef0bddaae43bdd10721fa21f2b226f69f3156085126fc
SHA512

e5c621a7bd62832ba331b2d0ee40d72e81d9a6892a662ded20c1c23e56b553b829f1691293728b1a8d190c6dd3c0dfdccfe77551ebe2bf7e3220d411c77e803d
SSDEEP

3072:t1ezQdDuZph4fWy6c3v40y+rzqVCr+YARsI6u2t4Y9sBG0hac0v2D+:t1eUNuFIdt3vTrz1r+R7F2t4pUO

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\metlqowx.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\metlqowx.exe\""	Explorer.EXE

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3000 3340 WerFault.exe DllHost.exe

pid	pid_target	process	target process
3000	3340	WerFault.exe	DllHost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exeExplorer.EXE

pid	process
2440	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe
2440	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe
3052	Explorer.EXE
3052	Explorer.EXE
3052	Explorer.EXE
3052	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3052 Explorer.EXE

pid	process
3052	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exeExplorer.EXERuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	2440	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe
Token: SeDebugPrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3500	RuntimeBroker.exe
Token: SeShutdownPrivilege	3500	RuntimeBroker.exe
Token: SeShutdownPrivilege	3500	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exeExplorer.EXE

description	pid	process	target process
PID 2440 wrote to memory of 2496	2440	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe	cmd.exe
PID 2440 wrote to memory of 2496	2440	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe	cmd.exe
PID 2440 wrote to memory of 2496	2440	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe	cmd.exe
PID 2440 wrote to memory of 3052	2440	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe	Explorer.EXE
PID 3052 wrote to memory of 2332	3052	Explorer.EXE	sihost.exe
PID 3052 wrote to memory of 2348	3052	Explorer.EXE	svchost.exe
PID 3052 wrote to memory of 2448	3052	Explorer.EXE	taskhostw.exe
PID 3052 wrote to memory of 3144	3052	Explorer.EXE	svchost.exe
PID 3052 wrote to memory of 3340	3052	Explorer.EXE	DllHost.exe
PID 3052 wrote to memory of 3424	3052	Explorer.EXE	StartMenuExperienceHost.exe
PID 3052 wrote to memory of 3500	3052	Explorer.EXE	RuntimeBroker.exe
PID 3052 wrote to memory of 3584	3052	Explorer.EXE	SearchApp.exe
PID 3052 wrote to memory of 3836	3052	Explorer.EXE	RuntimeBroker.exe
PID 3052 wrote to memory of 4988	3052	Explorer.EXE	RuntimeBroker.exe
PID 3052 wrote to memory of 2440	3052	Explorer.EXE	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe
PID 3052 wrote to memory of 2496	3052	Explorer.EXE	cmd.exe
PID 3052 wrote to memory of 3004	3052	Explorer.EXE	Conhost.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2332

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3500

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4988

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3836

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3584

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3424

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3340

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3340 -s 1008
2⤵
- Program crash
PID:3000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3144

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052

C:\Users\Admin\AppData\Local\Temp\RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe
"C:\Users\Admin\AppData\Local\Temp\RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2440

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\ms968961.bat"
3⤵
PID:2496

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:3004

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2348

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 3340 -ip 3340
1⤵
PID:1284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms968961.bat

Filesize
201B

MD5
89b68918880da2d47d0c41b118d87b12

SHA1
15376448f6a3044293f33ee1f7c63672fe923ba6

SHA256
afd84a79cc17b876083214ef3e4a5d7c67ddf47ff12228813aad0ecf665b7c4d

SHA512
c4b9ba2f2a9b3611b93dcc119cbde939018c899a60b18ebb34001956665111b3eb49f0ab290f6f3ec0cb4ce7da759b339ccaa3dcc8f53825dfed33af477f7ee8

Download Submit
memory/2332-150-0x00000229E0610000-0x00000229E0627000-memory.dmp

Filesize
92KB

Download
memory/2332-134-0x00007FFA8D5B0000-0x00007FFA8D5C0000-memory.dmp

Filesize
64KB

Download
memory/2348-135-0x00007FFA8D5B0000-0x00007FFA8D5C0000-memory.dmp

Filesize
64KB

Download
memory/2348-151-0x000001E5AF0F0000-0x000001E5AF107000-memory.dmp

Filesize
92KB

Download
memory/2440-143-0x00000000025C0000-0x00000000025CD000-memory.dmp

Filesize
52KB

Download
memory/2440-144-0x0000000000080000-0x00000000000B5000-memory.dmp

Filesize
212KB

Download
memory/2448-152-0x0000019670420000-0x0000019670437000-memory.dmp

Filesize
92KB

Download
memory/2448-136-0x00007FFA8D5B0000-0x00007FFA8D5C0000-memory.dmp

Filesize
64KB

Download
memory/2496-145-0x0000000037CB0000-0x0000000037CC0000-memory.dmp

Filesize
64KB

Download
memory/2496-147-0x00000000007D0000-0x00000000007E4000-memory.dmp

Filesize
80KB

Download
memory/2496-132-0x0000000000000000-mapping.dmp

Download
memory/3004-142-0x00007FFA8D5B0000-0x00007FFA8D5C0000-memory.dmp

Filesize
64KB

Download
memory/3004-148-0x00000181F8E50000-0x00000181F8E67000-memory.dmp

Filesize
92KB

Download
memory/3052-133-0x00007FFA8D5B0000-0x00007FFA8D5C0000-memory.dmp

Filesize
64KB

Download
memory/3052-149-0x0000000002CF0000-0x0000000002D07000-memory.dmp

Filesize
92KB

Download
memory/3052-158-0x0000000002CF0000-0x0000000002D07000-memory.dmp

Filesize
92KB

Download
memory/3144-153-0x000001A438BA0000-0x000001A438BB7000-memory.dmp

Filesize
92KB

Download
memory/3144-137-0x00007FFA8D5B0000-0x00007FFA8D5C0000-memory.dmp

Filesize
64KB

Download
memory/3424-154-0x00000223F65B0000-0x00000223F65C7000-memory.dmp

Filesize
92KB

Download
memory/3424-138-0x00007FFA8D5B0000-0x00007FFA8D5C0000-memory.dmp

Filesize
64KB

Download
memory/3500-139-0x00007FFA8D5B0000-0x00007FFA8D5C0000-memory.dmp

Filesize
64KB

Download
memory/3500-155-0x000002280D5A0000-0x000002280D5B7000-memory.dmp

Filesize
92KB

Download
memory/3836-156-0x0000028AED360000-0x0000028AED377000-memory.dmp

Filesize
92KB

Download
memory/3836-140-0x00007FFA8D5B0000-0x00007FFA8D5C0000-memory.dmp

Filesize
64KB

Download
memory/4988-141-0x00007FFA8D5B0000-0x00007FFA8D5C0000-memory.dmp

Filesize
64KB

Download
memory/4988-157-0x000001EBCCA60000-0x000001EBCCA77000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads