b78fda9e5e1378e550718f2e5a429941d661441164db279024ff87acf5c1c82f

General

Target

zahlung_in_auftrag_2014_12_2_000002_000039_900002_0_1_6_928_29873565001_0003.exe
Size

144KB
MD5

738dd7cf1133cc2813a10813859e6e61
SHA1

dcfca6a60b767a64058e3d653a43789c1461e997
SHA256

74e86d70cb60b9ca846a892d99570500ddf7f5d376f70cd0c3346edd29680d57
SHA512

64edf119f1ee78f63deb5b41fe978cf57a05e09ce9f9597c12e29d21e718bdd8bdc717d5049c38cdb607e4d9db33a69df4c0f2aa06c3839043685d1be7b71389
SSDEEP

3072:UD6NN25bPpA3chmH/qB8WJwy/mMeUbusnZCwzPAzswF1De7iyc:JfMTpR4/JWJJ/K3sn4Q4BaOv

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\metlqowx.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\metlqowx.exe\""	Explorer.EXE

Suspicious use of SetThreadContext 1 IoCs

Processes:

zahlung_in_auftrag_2014_12_2_000002_000039_900002_0_1_6_928_29873565001_0003.exe

description	pid	process	target process
PID 3096 set thread context of 3580	3096	zahlung_in_auftrag_2014_12_2_000002_000039_900002_0_1_6_928_29873565001_0003.exe	zahlung_in_auftrag_2014_12_2_000002_000039_900002_0_1_6_928_29873565001_0003.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

112 3340 WerFault.exe DllHost.exe

pid	pid_target	process	target process
112	3340	WerFault.exe	DllHost.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

zahlung_in_auftrag_2014_12_2_000002_000039_900002_0_1_6_928_29873565001_0003.exezahlung_in_auftrag_2014_12_2_000002_000039_900002_0_1_6_928_29873565001_0003.exeExplorer.EXE

pid	process
3096	zahlung_in_auftrag_2014_12_2_000002_000039_900002_0_1_6_928_29873565001_0003.exe
3096	zahlung_in_auftrag_2014_12_2_000002_000039_900002_0_1_6_928_29873565001_0003.exe
3580	zahlung_in_auftrag_2014_12_2_000002_000039_900002_0_1_6_928_29873565001_0003.exe
3580	zahlung_in_auftrag_2014_12_2_000002_000039_900002_0_1_6_928_29873565001_0003.exe
3052	Explorer.EXE
3052	Explorer.EXE
3052	Explorer.EXE
3052	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3052 Explorer.EXE

pid	process
3052	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

zahlung_in_auftrag_2014_12_2_000002_000039_900002_0_1_6_928_29873565001_0003.exeExplorer.EXERuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	3580	zahlung_in_auftrag_2014_12_2_000002_000039_900002_0_1_6_928_29873565001_0003.exe
Token: SeDebugPrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3500	RuntimeBroker.exe
Token: SeShutdownPrivilege	3500	RuntimeBroker.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

zahlung_in_auftrag_2014_12_2_000002_000039_900002_0_1_6_928_29873565001_0003.exe

pid	process
3096	zahlung_in_auftrag_2014_12_2_000002_000039_900002_0_1_6_928_29873565001_0003.exe
3096	zahlung_in_auftrag_2014_12_2_000002_000039_900002_0_1_6_928_29873565001_0003.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

zahlung_in_auftrag_2014_12_2_000002_000039_900002_0_1_6_928_29873565001_0003.exezahlung_in_auftrag_2014_12_2_000002_000039_900002_0_1_6_928_29873565001_0003.exeExplorer.EXE

description	pid	process	target process
PID 3096 wrote to memory of 3580	3096	zahlung_in_auftrag_2014_12_2_000002_000039_900002_0_1_6_928_29873565001_0003.exe	zahlung_in_auftrag_2014_12_2_000002_000039_900002_0_1_6_928_29873565001_0003.exe
PID 3096 wrote to memory of 3580	3096	zahlung_in_auftrag_2014_12_2_000002_000039_900002_0_1_6_928_29873565001_0003.exe	zahlung_in_auftrag_2014_12_2_000002_000039_900002_0_1_6_928_29873565001_0003.exe
PID 3096 wrote to memory of 3580	3096	zahlung_in_auftrag_2014_12_2_000002_000039_900002_0_1_6_928_29873565001_0003.exe	zahlung_in_auftrag_2014_12_2_000002_000039_900002_0_1_6_928_29873565001_0003.exe
PID 3096 wrote to memory of 3580	3096	zahlung_in_auftrag_2014_12_2_000002_000039_900002_0_1_6_928_29873565001_0003.exe	zahlung_in_auftrag_2014_12_2_000002_000039_900002_0_1_6_928_29873565001_0003.exe
PID 3096 wrote to memory of 3580	3096	zahlung_in_auftrag_2014_12_2_000002_000039_900002_0_1_6_928_29873565001_0003.exe	zahlung_in_auftrag_2014_12_2_000002_000039_900002_0_1_6_928_29873565001_0003.exe
PID 3096 wrote to memory of 3580	3096	zahlung_in_auftrag_2014_12_2_000002_000039_900002_0_1_6_928_29873565001_0003.exe	zahlung_in_auftrag_2014_12_2_000002_000039_900002_0_1_6_928_29873565001_0003.exe
PID 3096 wrote to memory of 3580	3096	zahlung_in_auftrag_2014_12_2_000002_000039_900002_0_1_6_928_29873565001_0003.exe	zahlung_in_auftrag_2014_12_2_000002_000039_900002_0_1_6_928_29873565001_0003.exe
PID 3096 wrote to memory of 3580	3096	zahlung_in_auftrag_2014_12_2_000002_000039_900002_0_1_6_928_29873565001_0003.exe	zahlung_in_auftrag_2014_12_2_000002_000039_900002_0_1_6_928_29873565001_0003.exe
PID 3096 wrote to memory of 3580	3096	zahlung_in_auftrag_2014_12_2_000002_000039_900002_0_1_6_928_29873565001_0003.exe	zahlung_in_auftrag_2014_12_2_000002_000039_900002_0_1_6_928_29873565001_0003.exe
PID 3580 wrote to memory of 4632	3580	zahlung_in_auftrag_2014_12_2_000002_000039_900002_0_1_6_928_29873565001_0003.exe	cmd.exe
PID 3580 wrote to memory of 4632	3580	zahlung_in_auftrag_2014_12_2_000002_000039_900002_0_1_6_928_29873565001_0003.exe	cmd.exe
PID 3580 wrote to memory of 4632	3580	zahlung_in_auftrag_2014_12_2_000002_000039_900002_0_1_6_928_29873565001_0003.exe	cmd.exe
PID 3580 wrote to memory of 3052	3580	zahlung_in_auftrag_2014_12_2_000002_000039_900002_0_1_6_928_29873565001_0003.exe	Explorer.EXE
PID 3052 wrote to memory of 2332	3052	Explorer.EXE	sihost.exe
PID 3052 wrote to memory of 2348	3052	Explorer.EXE	svchost.exe
PID 3052 wrote to memory of 2448	3052	Explorer.EXE	taskhostw.exe
PID 3052 wrote to memory of 3144	3052	Explorer.EXE	svchost.exe
PID 3052 wrote to memory of 3340	3052	Explorer.EXE	DllHost.exe
PID 3052 wrote to memory of 3424	3052	Explorer.EXE	StartMenuExperienceHost.exe
PID 3052 wrote to memory of 3500	3052	Explorer.EXE	RuntimeBroker.exe
PID 3052 wrote to memory of 3584	3052	Explorer.EXE	SearchApp.exe
PID 3052 wrote to memory of 3836	3052	Explorer.EXE	RuntimeBroker.exe
PID 3052 wrote to memory of 4988	3052	Explorer.EXE	RuntimeBroker.exe
PID 3052 wrote to memory of 4632	3052	Explorer.EXE	cmd.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2332

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2348

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052

C:\Users\Admin\AppData\Local\Temp\zahlung_in_auftrag_2014_12_2_000002_000039_900002_0_1_6_928_29873565001_0003.exe
"C:\Users\Admin\AppData\Local\Temp\zahlung_in_auftrag_2014_12_2_000002_000039_900002_0_1_6_928_29873565001_0003.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3096

C:\Users\Admin\AppData\Local\Temp\zahlung_in_auftrag_2014_12_2_000002_000039_900002_0_1_6_928_29873565001_0003.exe
C:\Users\Admin\AppData\Local\Temp\zahlung_in_auftrag_2014_12_2_000002_000039_900002_0_1_6_928_29873565001_0003.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3580

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS6556~1.BAT"
4⤵
PID:4632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3144

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3424

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3500

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4988

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3836

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3584

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3340

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3340 -s 1056
2⤵
- Program crash
PID:112

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 428 -p 3340 -ip 3340
1⤵
PID:3452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms6556698.bat

Filesize
201B

MD5
c6b93eb1d424dcaeca0383c36d24c86d

SHA1
ca5e8a0bd55a02a59c88303be51cd7795c345222

SHA256
741863f6baef216b48c407d612871f20888c54ed7d683c970f9828a41f486d66

SHA512
d1fc23340a3383b8bdf1d0034e23217081c74ccac46f7622ec09125ce38c89f6100254cb4f29797bb5d6fccf1dd990c734f67ac98e68257e9c4ce3558ec6620a

Download Submit
memory/2332-141-0x00007FFA8D5B0000-0x00007FFA8D5C0000-memory.dmp

Filesize
64KB

Download
memory/2332-152-0x00000229E0610000-0x00000229E0627000-memory.dmp

Filesize
92KB

Download
memory/2348-154-0x000001E5AF0F0000-0x000001E5AF107000-memory.dmp

Filesize
92KB

Download
memory/2348-142-0x00007FFA8D5B0000-0x00007FFA8D5C0000-memory.dmp

Filesize
64KB

Download
memory/2448-155-0x0000019670420000-0x0000019670437000-memory.dmp

Filesize
92KB

Download
memory/2448-143-0x00007FFA8D5B0000-0x00007FFA8D5C0000-memory.dmp

Filesize
64KB

Download
memory/3052-139-0x00007FFA8D5B0000-0x00007FFA8D5C0000-memory.dmp

Filesize
64KB

Download
memory/3052-161-0x0000000002CE0000-0x0000000002CF7000-memory.dmp

Filesize
92KB

Download
memory/3052-153-0x0000000002CE0000-0x0000000002CF7000-memory.dmp

Filesize
92KB

Download
memory/3096-132-0x0000000001420000-0x0000000001424000-memory.dmp

Filesize
16KB

Download
memory/3144-144-0x00007FFA8D5B0000-0x00007FFA8D5C0000-memory.dmp

Filesize
64KB

Download
memory/3144-156-0x000001A438BA0000-0x000001A438BB7000-memory.dmp

Filesize
92KB

Download
memory/3424-157-0x00000223F65B0000-0x00000223F65C7000-memory.dmp

Filesize
92KB

Download
memory/3424-145-0x00007FFA8D5B0000-0x00007FFA8D5C0000-memory.dmp

Filesize
64KB

Download
memory/3500-146-0x00007FFA8D5B0000-0x00007FFA8D5C0000-memory.dmp

Filesize
64KB

Download
memory/3500-158-0x000002280D220000-0x000002280D237000-memory.dmp

Filesize
92KB

Download
memory/3580-136-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3580-134-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3580-133-0x0000000000000000-mapping.dmp

Download
memory/3580-137-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3580-140-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3836-147-0x00007FFA8D5B0000-0x00007FFA8D5C0000-memory.dmp

Filesize
64KB

Download
memory/3836-159-0x0000028AED360000-0x0000028AED377000-memory.dmp

Filesize
92KB

Download
memory/4632-151-0x00000000009A0000-0x00000000009B4000-memory.dmp

Filesize
80KB

Download
memory/4632-149-0x0000000037CB0000-0x0000000037CC0000-memory.dmp

Filesize
64KB

Download
memory/4632-138-0x0000000000000000-mapping.dmp

Download
memory/4988-148-0x00007FFA8D5B0000-0x00007FFA8D5C0000-memory.dmp

Filesize
64KB

Download
memory/4988-160-0x000001EBCCA60000-0x000001EBCCA77000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads