28335a64aa694d45965d4e2d9a1535247a6afe949b9382db69733bc071fe0e30

General

Target

rechnung_11_2014_vodafone_team_00200034994_00003999300067_11_0000002738.exe
Size

180KB
MD5

f96874ad23fde2f0b3af2af1565beb73
SHA1

16e63fa7df0f2e8964d2e9cf2541b9ccd5c31106
SHA256

0ed91af7f5dd71ee724ef0bddaae43bdd10721fa21f2b226f69f3156085126fc
SHA512

e5c621a7bd62832ba331b2d0ee40d72e81d9a6892a662ded20c1c23e56b553b829f1691293728b1a8d190c6dd3c0dfdccfe77551ebe2bf7e3220d411c77e803d
SSDEEP

3072:t1ezQdDuZph4fWy6c3v40y+rzqVCr+YARsI6u2t4Y9sBG0hac0v2D+:t1eUNuFIdt3vTrz1r+R7F2t4pUO

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\metlqowx.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\metlqowx.exe\""	Explorer.EXE

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5104 3284 WerFault.exe DllHost.exe

pid	pid_target	process	target process
5104	3284	WerFault.exe	DllHost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

rechnung_11_2014_vodafone_team_00200034994_00003999300067_11_0000002738.exeExplorer.EXE

pid	process
5036	rechnung_11_2014_vodafone_team_00200034994_00003999300067_11_0000002738.exe
5036	rechnung_11_2014_vodafone_team_00200034994_00003999300067_11_0000002738.exe
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE
3032	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3032 Explorer.EXE

pid	process
3032	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

rechnung_11_2014_vodafone_team_00200034994_00003999300067_11_0000002738.exeExplorer.EXERuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	5036	rechnung_11_2014_vodafone_team_00200034994_00003999300067_11_0000002738.exe
Token: SeDebugPrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3436	RuntimeBroker.exe
Token: SeShutdownPrivilege	3436	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

rechnung_11_2014_vodafone_team_00200034994_00003999300067_11_0000002738.exeExplorer.EXE

description	pid	process	target process
PID 5036 wrote to memory of 5056	5036	rechnung_11_2014_vodafone_team_00200034994_00003999300067_11_0000002738.exe	cmd.exe
PID 5036 wrote to memory of 5056	5036	rechnung_11_2014_vodafone_team_00200034994_00003999300067_11_0000002738.exe	cmd.exe
PID 5036 wrote to memory of 5056	5036	rechnung_11_2014_vodafone_team_00200034994_00003999300067_11_0000002738.exe	cmd.exe
PID 5036 wrote to memory of 3032	5036	rechnung_11_2014_vodafone_team_00200034994_00003999300067_11_0000002738.exe	Explorer.EXE
PID 3032 wrote to memory of 2348	3032	Explorer.EXE	sihost.exe
PID 3032 wrote to memory of 2392	3032	Explorer.EXE	svchost.exe
PID 3032 wrote to memory of 2480	3032	Explorer.EXE	taskhostw.exe
PID 3032 wrote to memory of 2688	3032	Explorer.EXE	svchost.exe
PID 3032 wrote to memory of 3284	3032	Explorer.EXE	DllHost.exe
PID 3032 wrote to memory of 3372	3032	Explorer.EXE	StartMenuExperienceHost.exe
PID 3032 wrote to memory of 3436	3032	Explorer.EXE	RuntimeBroker.exe
PID 3032 wrote to memory of 3520	3032	Explorer.EXE	SearchApp.exe
PID 3032 wrote to memory of 3736	3032	Explorer.EXE	RuntimeBroker.exe
PID 3032 wrote to memory of 4700	3032	Explorer.EXE	RuntimeBroker.exe
PID 3032 wrote to memory of 4472	3032	Explorer.EXE	RuntimeBroker.exe
PID 3032 wrote to memory of 5036	3032	Explorer.EXE	rechnung_11_2014_vodafone_team_00200034994_00003999300067_11_0000002738.exe
PID 3032 wrote to memory of 5056	3032	Explorer.EXE	cmd.exe
PID 3032 wrote to memory of 5060	3032	Explorer.EXE	Conhost.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3372

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3436

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3520

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3284

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3284 -s 952
2⤵
- Program crash
PID:5104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2688

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3736

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032

C:\Users\Admin\AppData\Local\Temp\rechnung_11_2014_vodafone_team_00200034994_00003999300067_11_0000002738.exe
"C:\Users\Admin\AppData\Local\Temp\rechnung_11_2014_vodafone_team_00200034994_00003999300067_11_0000002738.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5036

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS3766~1.BAT"
3⤵
PID:5056

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:5060

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4700

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2480

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2392

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2348

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 3284 -ip 3284
1⤵
PID:1928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms3766879.bat

Filesize
201B

MD5
1c491927406a8d38d1f380cb69169d2d

SHA1
7ef818d2aaeb21eff7b381a5464a8498f1c5711f

SHA256
ef6e3c267be8cc6f6060b2e1720ad1487c72b35a11aea5cecdb8f6994f06ace1

SHA512
390deac5f3d49fa2904043262485074c07df5b1c9cf41b59b2814bb7c729cac01d3d0a9404f62d0b703485aa636658dbd5e7137442e148e99ea9e96d962998f2

Download Submit
memory/2348-147-0x00000152B21C0000-0x00000152B21D7000-memory.dmp

Filesize
92KB

Download
memory/2348-136-0x00007FFF56550000-0x00007FFF56560000-memory.dmp

Filesize
64KB

Download
memory/2392-137-0x00007FFF56550000-0x00007FFF56560000-memory.dmp

Filesize
64KB

Download
memory/2392-148-0x000002C454BC0000-0x000002C454BD7000-memory.dmp

Filesize
92KB

Download
memory/2480-151-0x00000159A63F0000-0x00000159A6407000-memory.dmp

Filesize
92KB

Download
memory/2480-138-0x00007FFF56550000-0x00007FFF56560000-memory.dmp

Filesize
64KB

Download
memory/2688-152-0x000001DE34F60000-0x000001DE34F77000-memory.dmp

Filesize
92KB

Download
memory/2688-139-0x00007FFF56550000-0x00007FFF56560000-memory.dmp

Filesize
64KB

Download
memory/3032-133-0x00007FFF56550000-0x00007FFF56560000-memory.dmp

Filesize
64KB

Download
memory/3032-160-0x0000000000ED0000-0x0000000000EE7000-memory.dmp

Filesize
92KB

Download
memory/3032-149-0x0000000000ED0000-0x0000000000EE7000-memory.dmp

Filesize
92KB

Download
memory/3372-153-0x000001620ADC0000-0x000001620ADD7000-memory.dmp

Filesize
92KB

Download
memory/3372-140-0x00007FFF56550000-0x00007FFF56560000-memory.dmp

Filesize
64KB

Download
memory/3436-141-0x00007FFF56550000-0x00007FFF56560000-memory.dmp

Filesize
64KB

Download
memory/3436-154-0x000001BEC1790000-0x000001BEC17A7000-memory.dmp

Filesize
92KB

Download
memory/3736-142-0x00007FFF56550000-0x00007FFF56560000-memory.dmp

Filesize
64KB

Download
memory/3736-155-0x000001B4A3500000-0x000001B4A3517000-memory.dmp

Filesize
92KB

Download
memory/4472-144-0x00007FFF56550000-0x00007FFF56560000-memory.dmp

Filesize
64KB

Download
memory/4472-157-0x0000019ADD170000-0x0000019ADD187000-memory.dmp

Filesize
92KB

Download
memory/4700-143-0x00007FFF56550000-0x00007FFF56560000-memory.dmp

Filesize
64KB

Download
memory/4700-156-0x000001200C040000-0x000001200C057000-memory.dmp

Filesize
92KB

Download
memory/5036-135-0x00000000007B0000-0x00000000007E5000-memory.dmp

Filesize
212KB

Download
memory/5036-134-0x0000000003180000-0x000000000318D000-memory.dmp

Filesize
52KB

Download
memory/5056-146-0x0000000037850000-0x0000000037860000-memory.dmp

Filesize
64KB

Download
memory/5056-132-0x0000000000000000-mapping.dmp

Download
memory/5056-159-0x0000000000130000-0x0000000000144000-memory.dmp

Filesize
80KB

Download
memory/5060-145-0x00007FFF56550000-0x00007FFF56560000-memory.dmp

Filesize
64KB

Download
memory/5060-158-0x0000028DBE390000-0x0000028DBE3A7000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads