2ba4201e12c63ca14489202e424cbff4cfaec917cd59acd308b027b754c9f2e2

General

Target

rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
Size

180KB
MD5

f96874ad23fde2f0b3af2af1565beb73
SHA1

16e63fa7df0f2e8964d2e9cf2541b9ccd5c31106
SHA256

0ed91af7f5dd71ee724ef0bddaae43bdd10721fa21f2b226f69f3156085126fc
SHA512

e5c621a7bd62832ba331b2d0ee40d72e81d9a6892a662ded20c1c23e56b553b829f1691293728b1a8d190c6dd3c0dfdccfe77551ebe2bf7e3220d411c77e803d
SSDEEP

3072:t1ezQdDuZph4fWy6c3v40y+rzqVCr+YARsI6u2t4Y9sBG0hac0v2D+:t1eUNuFIdt3vTrz1r+R7F2t4pUO

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\metlqowx.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\metlqowx.exe\""	Explorer.EXE

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4304	3284	WerFault.exe	64

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3140	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
3140	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
3052	Explorer.EXE
3052	Explorer.EXE
3052	Explorer.EXE
3052	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3052	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3140	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
Token: SeDebugPrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3444	RuntimeBroker.exe
Token: SeShutdownPrivilege	3444	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3140 wrote to memory of 4180	3140	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	79
PID 3140 wrote to memory of 4180	3140	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	79
PID 3140 wrote to memory of 4180	3140	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	79
PID 3140 wrote to memory of 3052	3140	rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe	66
PID 3052 wrote to memory of 2324	3052	Explorer.EXE	30
PID 3052 wrote to memory of 2332	3052	Explorer.EXE	32
PID 3052 wrote to memory of 2456	3052	Explorer.EXE	31
PID 3052 wrote to memory of 2360	3052	Explorer.EXE	65
PID 3052 wrote to memory of 3284	3052	Explorer.EXE	64
PID 3052 wrote to memory of 3372	3052	Explorer.EXE	63
PID 3052 wrote to memory of 3444	3052	Explorer.EXE	45
PID 3052 wrote to memory of 3528	3052	Explorer.EXE	43
PID 3052 wrote to memory of 3720	3052	Explorer.EXE	44
PID 3052 wrote to memory of 4704	3052	Explorer.EXE	49
PID 3052 wrote to memory of 3140	3052	Explorer.EXE	78
PID 3052 wrote to memory of 4180	3052	Explorer.EXE	79

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2324

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2456

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2332

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3528

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3720

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3444

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4704

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3372

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3284
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3284 -s 860
  2⤵
  - Program crash
  PID:4304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2360

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Users\Admin\AppData\Local\Temp\rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
  "C:\Users\Admin\AppData\Local\Temp\rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3140
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS3598~1.BAT"
    3⤵
    PID:4180

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 3284 -ip 3284
1⤵
PID:2924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms3598974.bat

Filesize
201B

MD5
4d075cb1203c3034833401ba0c3edfd3

SHA1
7199deb5fb7737cfb0f398d595b977638b7ffd77

SHA256
77679d7fac8ec770ed03352145295439414d520a48e4dde3416730ad89956b3b

SHA512
1bd952e854c17670fbfc4b7154f35d922c7ac11d118c2bd7ffa7f47870970450a403cf3cc925c2275af406db138ab8a59f74911339e5afcafaf3414e9bd73052

Download Submit
memory/2324-148-0x0000020B22C90000-0x0000020B22CA7000-memory.dmp

Filesize
92KB

Download
memory/2324-134-0x00007FF83C790000-0x00007FF83C7A0000-memory.dmp

Filesize
64KB

Download
memory/2332-135-0x00007FF83C790000-0x00007FF83C7A0000-memory.dmp

Filesize
64KB

Download
memory/2332-149-0x000001EC471D0000-0x000001EC471E7000-memory.dmp

Filesize
92KB

Download
memory/2360-137-0x00007FF83C790000-0x00007FF83C7A0000-memory.dmp

Filesize
64KB

Download
memory/2360-151-0x00000296029D0000-0x00000296029E7000-memory.dmp

Filesize
92KB

Download
memory/2456-150-0x00000256ADA50000-0x00000256ADA67000-memory.dmp

Filesize
92KB

Download
memory/2456-136-0x00007FF83C790000-0x00007FF83C7A0000-memory.dmp

Filesize
64KB

Download
memory/3052-156-0x00000000006F0000-0x0000000000707000-memory.dmp

Filesize
92KB

Download
memory/3052-147-0x00000000006F0000-0x0000000000707000-memory.dmp

Filesize
92KB

Download
memory/3052-133-0x00007FF83C790000-0x00007FF83C7A0000-memory.dmp

Filesize
64KB

Download
memory/3140-143-0x0000000002FC0000-0x0000000002FCD000-memory.dmp

Filesize
52KB

Download
memory/3140-144-0x0000000000170000-0x00000000001A5000-memory.dmp

Filesize
212KB

Download
memory/3372-139-0x00007FF83C790000-0x00007FF83C7A0000-memory.dmp

Filesize
64KB

Download
memory/3372-153-0x000001BA551A0000-0x000001BA551B7000-memory.dmp

Filesize
92KB

Download
memory/3444-138-0x00007FF83C790000-0x00007FF83C7A0000-memory.dmp

Filesize
64KB

Download
memory/3444-152-0x0000017D275D0000-0x0000017D275E7000-memory.dmp

Filesize
92KB

Download
memory/3720-140-0x00007FF83C790000-0x00007FF83C7A0000-memory.dmp

Filesize
64KB

Download
memory/3720-154-0x0000025987270000-0x0000025987287000-memory.dmp

Filesize
92KB

Download
memory/4180-142-0x0000000037AB0000-0x0000000037AC0000-memory.dmp

Filesize
64KB

Download
memory/4180-146-0x0000000000FC0000-0x0000000000FD4000-memory.dmp

Filesize
80KB

Download
memory/4704-141-0x00007FF83C790000-0x00007FF83C7A0000-memory.dmp

Filesize
64KB

Download
memory/4704-155-0x0000026423970000-0x0000026423987000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing