f01e419980f703e05d31efdca2d58ebda0ca38cafd22900b5221bc89bc2a7176

General

Target

f01e419980f703e05d31efdca2d58ebda0ca38cafd22900b5221bc89bc2a7176.exe
Size

196KB
MD5

fbc0d92f2f004428671631c74da80b4a
SHA1

f3f2933db39c9368885854fe522105414d73bc97
SHA256

f01e419980f703e05d31efdca2d58ebda0ca38cafd22900b5221bc89bc2a7176
SHA512

114c95ba4fc8823dfa9fbfa48eea0a8fc82edbafded6d29e2dbf4e77fd1328150db1541d6bc75df218a0e1ed70c5068930ccdc73dd95dba153151174178c4268
SSDEEP

3072:9udusODvGZVHhXwdrkr3k17awTtgXOahnEhHP+2lqKA8ZQ2VwDNNK8N58Tbntd+z:59+phXUHTS/hEhHW8G8ZpGhNzSuz

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\metlqowx.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\metlqowx.exe\""	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE

Suspicious use of SetThreadContext 1 IoCs

Processes:

f01e419980f703e05d31efdca2d58ebda0ca38cafd22900b5221bc89bc2a7176.exe

description	pid	process	target process
PID 4948 set thread context of 4408	4948	f01e419980f703e05d31efdca2d58ebda0ca38cafd22900b5221bc89bc2a7176.exe	f01e419980f703e05d31efdca2d58ebda0ca38cafd22900b5221bc89bc2a7176.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1056 3280 WerFault.exe DllHost.exe

pid	pid_target	process	target process
1056	3280	WerFault.exe	DllHost.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

f01e419980f703e05d31efdca2d58ebda0ca38cafd22900b5221bc89bc2a7176.exef01e419980f703e05d31efdca2d58ebda0ca38cafd22900b5221bc89bc2a7176.exeExplorer.EXE

pid	process
4948	f01e419980f703e05d31efdca2d58ebda0ca38cafd22900b5221bc89bc2a7176.exe
4948	f01e419980f703e05d31efdca2d58ebda0ca38cafd22900b5221bc89bc2a7176.exe
4408	f01e419980f703e05d31efdca2d58ebda0ca38cafd22900b5221bc89bc2a7176.exe
4408	f01e419980f703e05d31efdca2d58ebda0ca38cafd22900b5221bc89bc2a7176.exe
2520	Explorer.EXE
2520	Explorer.EXE
2520	Explorer.EXE
2520	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2520 Explorer.EXE

pid	process
2520	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

f01e419980f703e05d31efdca2d58ebda0ca38cafd22900b5221bc89bc2a7176.exeExplorer.EXERuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	4408	f01e419980f703e05d31efdca2d58ebda0ca38cafd22900b5221bc89bc2a7176.exe
Token: SeDebugPrivilege	2520	Explorer.EXE
Token: SeShutdownPrivilege	2520	Explorer.EXE
Token: SeCreatePagefilePrivilege	2520	Explorer.EXE
Token: SeShutdownPrivilege	3516	RuntimeBroker.exe
Token: SeShutdownPrivilege	3516	RuntimeBroker.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

f01e419980f703e05d31efdca2d58ebda0ca38cafd22900b5221bc89bc2a7176.exe

pid	process
4948	f01e419980f703e05d31efdca2d58ebda0ca38cafd22900b5221bc89bc2a7176.exe
4948	f01e419980f703e05d31efdca2d58ebda0ca38cafd22900b5221bc89bc2a7176.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

f01e419980f703e05d31efdca2d58ebda0ca38cafd22900b5221bc89bc2a7176.exef01e419980f703e05d31efdca2d58ebda0ca38cafd22900b5221bc89bc2a7176.exeExplorer.EXE

description	pid	process	target process
PID 4948 wrote to memory of 4408	4948	f01e419980f703e05d31efdca2d58ebda0ca38cafd22900b5221bc89bc2a7176.exe	f01e419980f703e05d31efdca2d58ebda0ca38cafd22900b5221bc89bc2a7176.exe
PID 4948 wrote to memory of 4408	4948	f01e419980f703e05d31efdca2d58ebda0ca38cafd22900b5221bc89bc2a7176.exe	f01e419980f703e05d31efdca2d58ebda0ca38cafd22900b5221bc89bc2a7176.exe
PID 4948 wrote to memory of 4408	4948	f01e419980f703e05d31efdca2d58ebda0ca38cafd22900b5221bc89bc2a7176.exe	f01e419980f703e05d31efdca2d58ebda0ca38cafd22900b5221bc89bc2a7176.exe
PID 4948 wrote to memory of 4408	4948	f01e419980f703e05d31efdca2d58ebda0ca38cafd22900b5221bc89bc2a7176.exe	f01e419980f703e05d31efdca2d58ebda0ca38cafd22900b5221bc89bc2a7176.exe
PID 4948 wrote to memory of 4408	4948	f01e419980f703e05d31efdca2d58ebda0ca38cafd22900b5221bc89bc2a7176.exe	f01e419980f703e05d31efdca2d58ebda0ca38cafd22900b5221bc89bc2a7176.exe
PID 4948 wrote to memory of 4408	4948	f01e419980f703e05d31efdca2d58ebda0ca38cafd22900b5221bc89bc2a7176.exe	f01e419980f703e05d31efdca2d58ebda0ca38cafd22900b5221bc89bc2a7176.exe
PID 4948 wrote to memory of 4408	4948	f01e419980f703e05d31efdca2d58ebda0ca38cafd22900b5221bc89bc2a7176.exe	f01e419980f703e05d31efdca2d58ebda0ca38cafd22900b5221bc89bc2a7176.exe
PID 4948 wrote to memory of 4408	4948	f01e419980f703e05d31efdca2d58ebda0ca38cafd22900b5221bc89bc2a7176.exe	f01e419980f703e05d31efdca2d58ebda0ca38cafd22900b5221bc89bc2a7176.exe
PID 4948 wrote to memory of 4408	4948	f01e419980f703e05d31efdca2d58ebda0ca38cafd22900b5221bc89bc2a7176.exe	f01e419980f703e05d31efdca2d58ebda0ca38cafd22900b5221bc89bc2a7176.exe
PID 4408 wrote to memory of 5084	4408	f01e419980f703e05d31efdca2d58ebda0ca38cafd22900b5221bc89bc2a7176.exe	cmd.exe
PID 4408 wrote to memory of 5084	4408	f01e419980f703e05d31efdca2d58ebda0ca38cafd22900b5221bc89bc2a7176.exe	cmd.exe
PID 4408 wrote to memory of 5084	4408	f01e419980f703e05d31efdca2d58ebda0ca38cafd22900b5221bc89bc2a7176.exe	cmd.exe
PID 4408 wrote to memory of 2520	4408	f01e419980f703e05d31efdca2d58ebda0ca38cafd22900b5221bc89bc2a7176.exe	Explorer.EXE
PID 2520 wrote to memory of 2348	2520	Explorer.EXE	sihost.exe
PID 2520 wrote to memory of 2388	2520	Explorer.EXE	svchost.exe
PID 2520 wrote to memory of 2492	2520	Explorer.EXE	taskhostw.exe
PID 2520 wrote to memory of 3080	2520	Explorer.EXE	svchost.exe
PID 2520 wrote to memory of 3280	2520	Explorer.EXE	DllHost.exe
PID 2520 wrote to memory of 3376	2520	Explorer.EXE	StartMenuExperienceHost.exe
PID 2520 wrote to memory of 3516	2520	Explorer.EXE	RuntimeBroker.exe
PID 2520 wrote to memory of 3596	2520	Explorer.EXE	SearchApp.exe
PID 2520 wrote to memory of 3808	2520	Explorer.EXE	RuntimeBroker.exe
PID 2520 wrote to memory of 4736	2520	Explorer.EXE	RuntimeBroker.exe
PID 2520 wrote to memory of 456	2520	Explorer.EXE	backgroundTaskHost.exe
PID 2520 wrote to memory of 4408	2520	Explorer.EXE	f01e419980f703e05d31efdca2d58ebda0ca38cafd22900b5221bc89bc2a7176.exe
PID 2520 wrote to memory of 5084	2520	Explorer.EXE	cmd.exe
PID 2520 wrote to memory of 1480	2520	Explorer.EXE	Conhost.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2348

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3516

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
1⤵
PID:456

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4736

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3808

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3596

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3376

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3280

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3280 -s 984
2⤵
- Program crash
PID:1056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3080

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2520

C:\Users\Admin\AppData\Local\Temp\f01e419980f703e05d31efdca2d58ebda0ca38cafd22900b5221bc89bc2a7176.exe
"C:\Users\Admin\AppData\Local\Temp\f01e419980f703e05d31efdca2d58ebda0ca38cafd22900b5221bc89bc2a7176.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4948

C:\Users\Admin\AppData\Local\Temp\f01e419980f703e05d31efdca2d58ebda0ca38cafd22900b5221bc89bc2a7176.exe
C:\Users\Admin\AppData\Local\Temp\f01e419980f703e05d31efdca2d58ebda0ca38cafd22900b5221bc89bc2a7176.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4408

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS8709~1.BAT"
4⤵
PID:5084

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:1480

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2388

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 3280 -ip 3280
1⤵
PID:1348

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms8709382.bat
Filesize
201B

MD5
b4e4e9a9937528e5e65b57fcb0967343

SHA1
77750cc71df701c0b5a0edfe2596e3c03080c288

SHA256
fc9368f2a1634fabac9819ab0681c82670b0f60047e9a97b6d43f26568505d11

SHA512
94dfb6a70e0ee0906bea2224edbdade5d5a945fcb00315d12c9820e80af548c68c3f7be73eb1616a40839555f3ebbd313b1ac850a5dc3ec5cfe7deca5883ad27

Download Submit
memory/1480-158-0x000001CA3D380000-0x000001CA3D397000-memory.dmp

Filesize
92KB

Download
memory/1480-147-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/2348-140-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/2348-149-0x0000028618B30000-0x0000028618B47000-memory.dmp

Filesize
92KB

Download
memory/2388-151-0x000002844A900000-0x000002844A917000-memory.dmp

Filesize
92KB

Download
memory/2388-141-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/2492-143-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/2492-152-0x0000022B74A70000-0x0000022B74A87000-memory.dmp

Filesize
92KB

Download
memory/2520-162-0x0000000001060000-0x0000000001077000-memory.dmp

Filesize
92KB

Download
memory/2520-138-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/2520-150-0x0000000001060000-0x0000000001077000-memory.dmp

Filesize
92KB

Download
memory/3080-153-0x0000022A7BD40000-0x0000022A7BD57000-memory.dmp

Filesize
92KB

Download
memory/3080-142-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/3376-144-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/3376-154-0x0000025C551A0000-0x0000025C551B7000-memory.dmp

Filesize
92KB

Download
memory/3516-145-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/3516-155-0x000001A750800000-0x000001A750817000-memory.dmp

Filesize
92KB

Download
memory/3808-157-0x0000020EA0130000-0x0000020EA0147000-memory.dmp

Filesize
92KB

Download
memory/3808-148-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/4408-139-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4408-133-0x0000000000000000-mapping.dmp

Download
memory/4408-136-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4408-134-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4736-146-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/4736-156-0x00000267BE740000-0x00000267BE757000-memory.dmp

Filesize
92KB

Download
memory/4948-132-0x0000000000CA0000-0x0000000000CA4000-memory.dmp

Filesize
16KB

Download
memory/5084-159-0x0000000037250000-0x0000000037260000-memory.dmp

Filesize
64KB

Download
memory/5084-161-0x00000000001D0000-0x00000000001E4000-memory.dmp

Filesize
80KB

Download
memory/5084-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads