ee235aa7704ce597d7aaf3248dca105f1754e410041b5be3e83bc5d86529fd87

General

Target

rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
Size

188KB
MD5

e3ace455382fa7708264257983339263
SHA1

ab979cc544c46903d41fe773c568e2fa54a9bc44
SHA256

f2d682b9bd2857603944471a9baf4a8d83a897d7be57dbf473c8f07fd8f5ed1a
SHA512

be4a8e0770d30eb888a27490954b6109353673234f3b30b3c384d624ff79f3171a3ffff310883cb2f0930f0c64edb716171a78b3a166b44d855c08a0742c46ff
SSDEEP

3072:gudusODvGZVHhS1drkr3k1hsz3F8ol/Lg7Qir8B/xjcbfMrRPyczWIqT9tYhOddx:k9+phSzOFUs/F08PLWIqT2M

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\metlqowx.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\metlqowx.exe\""	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE

Suspicious use of SetThreadContext 1 IoCs

Processes:

rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe

description	pid	process	target process
PID 4984 set thread context of 2028	4984	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3460 3288 WerFault.exe DllHost.exe

pid	pid_target	process	target process
3460	3288	WerFault.exe	DllHost.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exerechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exeExplorer.EXE

pid	process
4984	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
4984	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
2028	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
2028	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2640 Explorer.EXE

pid	process
2640	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exeExplorer.EXERuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	2028	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
Token: SeDebugPrivilege	2640	Explorer.EXE
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE
Token: SeShutdownPrivilege	3508	RuntimeBroker.exe
Token: SeShutdownPrivilege	3508	RuntimeBroker.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe

pid	process
4984	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
4984	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exerechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exeExplorer.EXE

description	pid	process	target process
PID 4984 wrote to memory of 2028	4984	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
PID 4984 wrote to memory of 2028	4984	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
PID 4984 wrote to memory of 2028	4984	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
PID 4984 wrote to memory of 2028	4984	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
PID 4984 wrote to memory of 2028	4984	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
PID 4984 wrote to memory of 2028	4984	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
PID 4984 wrote to memory of 2028	4984	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
PID 4984 wrote to memory of 2028	4984	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
PID 4984 wrote to memory of 2028	4984	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
PID 2028 wrote to memory of 4208	2028	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe	cmd.exe
PID 2028 wrote to memory of 4208	2028	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe	cmd.exe
PID 2028 wrote to memory of 4208	2028	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe	cmd.exe
PID 2028 wrote to memory of 2640	2028	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe	Explorer.EXE
PID 2640 wrote to memory of 2356	2640	Explorer.EXE	sihost.exe
PID 2640 wrote to memory of 2388	2640	Explorer.EXE	svchost.exe
PID 2640 wrote to memory of 2468	2640	Explorer.EXE	taskhostw.exe
PID 2640 wrote to memory of 3096	2640	Explorer.EXE	svchost.exe
PID 2640 wrote to memory of 3288	2640	Explorer.EXE	DllHost.exe
PID 2640 wrote to memory of 3420	2640	Explorer.EXE	StartMenuExperienceHost.exe
PID 2640 wrote to memory of 3508	2640	Explorer.EXE	RuntimeBroker.exe
PID 2640 wrote to memory of 3616	2640	Explorer.EXE	SearchApp.exe
PID 2640 wrote to memory of 3808	2640	Explorer.EXE	RuntimeBroker.exe
PID 2640 wrote to memory of 4692	2640	Explorer.EXE	RuntimeBroker.exe
PID 2640 wrote to memory of 2028	2640	Explorer.EXE	rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
PID 2640 wrote to memory of 4208	2640	Explorer.EXE	cmd.exe
PID 2640 wrote to memory of 2752	2640	Explorer.EXE	Conhost.exe

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2468

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3508

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4692

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3808

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3616

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3420

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3288

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3288 -s 400
2⤵
- Program crash
PID:3460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3096

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2640

C:\Users\Admin\AppData\Local\Temp\rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
"C:\Users\Admin\AppData\Local\Temp\rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4984

C:\Users\Admin\AppData\Local\Temp\rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
C:\Users\Admin\AppData\Local\Temp\rechnung_vodafone_team_0000399387201_0020398478002_0003_77352_192_0200002.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS2109~1.BAT"
4⤵
PID:4208

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:2752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2388

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2356

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 3288 -ip 3288
1⤵
PID:1296

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms2109353.bat
Filesize
201B

MD5
d3848c96a2a4bac85365ae652eb30015

SHA1
0c634304107071cb21bed6d5ea8e0ed313a368c1

SHA256
73e442197c692c56b88b2c5e7ee3955dcac87ed71fb63b468ed55eab2895f21e

SHA512
1ec41980bd2f707a740ac3c37d10601dd3eceea3401962f2d057f0b7c3cab81256a008e22ad70e0ac6f181f2360105b76ed9b678580df86f224e9e44c7983580

Download Submit
memory/2028-140-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2028-133-0x0000000000000000-mapping.dmp

Download
memory/2028-134-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2028-137-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2028-136-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2356-154-0x0000027F6C460000-0x0000027F6C477000-memory.dmp

Filesize
92KB

Download
memory/2356-141-0x00007FFAC2970000-0x00007FFAC2980000-memory.dmp

Filesize
64KB

Download
memory/2388-156-0x000001B332150000-0x000001B332167000-memory.dmp

Filesize
92KB

Download
memory/2388-142-0x00007FFAC2970000-0x00007FFAC2980000-memory.dmp

Filesize
64KB

Download
memory/2468-157-0x0000028303C60000-0x0000028303C77000-memory.dmp

Filesize
92KB

Download
memory/2468-143-0x00007FFAC2970000-0x00007FFAC2980000-memory.dmp

Filesize
64KB

Download
memory/2640-155-0x00000000011B0000-0x00000000011C7000-memory.dmp

Filesize
92KB

Download
memory/2640-163-0x00000000011B0000-0x00000000011C7000-memory.dmp

Filesize
92KB

Download
memory/2640-139-0x00007FFAC2970000-0x00007FFAC2980000-memory.dmp

Filesize
64KB

Download
memory/2752-153-0x000001FA51780000-0x000001FA51797000-memory.dmp

Filesize
92KB

Download
memory/2752-149-0x00007FFAC2970000-0x00007FFAC2980000-memory.dmp

Filesize
64KB

Download
memory/3096-158-0x0000020DE3FE0000-0x0000020DE3FF7000-memory.dmp

Filesize
92KB

Download
memory/3096-144-0x00007FFAC2970000-0x00007FFAC2980000-memory.dmp

Filesize
64KB

Download
memory/3420-159-0x000001E14B9D0000-0x000001E14B9E7000-memory.dmp

Filesize
92KB

Download
memory/3420-146-0x00007FFAC2970000-0x00007FFAC2980000-memory.dmp

Filesize
64KB

Download
memory/3508-145-0x00007FFAC2970000-0x00007FFAC2980000-memory.dmp

Filesize
64KB

Download
memory/3508-160-0x0000017B3D050000-0x0000017B3D067000-memory.dmp

Filesize
92KB

Download
memory/3808-147-0x00007FFAC2970000-0x00007FFAC2980000-memory.dmp

Filesize
64KB

Download
memory/3808-161-0x00000225C5C80000-0x00000225C5C97000-memory.dmp

Filesize
92KB

Download
memory/4208-152-0x00000000017C0000-0x00000000017D4000-memory.dmp

Filesize
80KB

Download
memory/4208-138-0x0000000000000000-mapping.dmp

Download
memory/4208-150-0x00000000370F0000-0x0000000037100000-memory.dmp

Filesize
64KB

Download
memory/4692-148-0x00007FFAC2970000-0x00007FFAC2980000-memory.dmp

Filesize
64KB

Download
memory/4692-162-0x00000215C3540000-0x00000215C3557000-memory.dmp

Filesize
92KB

Download
memory/4984-132-0x0000000002460000-0x0000000002464000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads