e285e7aeea894cec584b5a63f2e59c7d76bcac5b02fa942b6f2b39e293e0b7c2

General

Target

2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe
Size

94KB
MD5

dbc35cd99daa5b3f3083e911a43b7c31
SHA1

dcbe9859542d22bc8684d798d9f5227624f5be97
SHA256

47063fabbef0d6759cc4076c988760f82ba0328e878431cce6a3691d052e7b06
SHA512

d8212148e1c5897e1c92b2eb054c9b158eafc49fb3047fe22dd01208c1384212ab388848e746f9c37e2b561975e300fe440fdc9877411f460b4cb7c9666ca641
SSDEEP

1536:CvSM+QtpWT1G9NS89i4XZ0wovNOinmYbGmjBtwiRAd6S9C5Qhkxolh+:Cv3I1G9NnH8vN0eGKBqLMS9cIkxolU

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\metlqowx.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\metlqowx.exe\""	Explorer.EXE

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4832 3292 WerFault.exe DllHost.exe

pid	pid_target	process	target process
4832	3292	WerFault.exe	DllHost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exeExplorer.EXE

pid	process
4624	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe
4624	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2792 Explorer.EXE

pid	process
2792	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exeExplorer.EXERuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	4624	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe
Token: SeDebugPrivilege	2792	Explorer.EXE
Token: SeShutdownPrivilege	2792	Explorer.EXE
Token: SeCreatePagefilePrivilege	2792	Explorer.EXE
Token: SeShutdownPrivilege	3524	RuntimeBroker.exe
Token: SeShutdownPrivilege	3524	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exeExplorer.EXE

description	pid	process	target process
PID 4624 wrote to memory of 4872	4624	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe	cmd.exe
PID 4624 wrote to memory of 4872	4624	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe	cmd.exe
PID 4624 wrote to memory of 4872	4624	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe	cmd.exe
PID 4624 wrote to memory of 2792	4624	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe	Explorer.EXE
PID 2792 wrote to memory of 2376	2792	Explorer.EXE	sihost.exe
PID 2792 wrote to memory of 2388	2792	Explorer.EXE	svchost.exe
PID 2792 wrote to memory of 2492	2792	Explorer.EXE	taskhostw.exe
PID 2792 wrote to memory of 3080	2792	Explorer.EXE	svchost.exe
PID 2792 wrote to memory of 3292	2792	Explorer.EXE	DllHost.exe
PID 2792 wrote to memory of 3436	2792	Explorer.EXE	StartMenuExperienceHost.exe
PID 2792 wrote to memory of 3524	2792	Explorer.EXE	RuntimeBroker.exe
PID 2792 wrote to memory of 3604	2792	Explorer.EXE	SearchApp.exe
PID 2792 wrote to memory of 3868	2792	Explorer.EXE	RuntimeBroker.exe
PID 2792 wrote to memory of 5116	2792	Explorer.EXE	RuntimeBroker.exe
PID 2792 wrote to memory of 4624	2792	Explorer.EXE	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe
PID 2792 wrote to memory of 4872	2792	Explorer.EXE	cmd.exe
PID 2792 wrote to memory of 3808	2792	Explorer.EXE	Conhost.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2388

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2492

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3436

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3524

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3292

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3292 -s 900
2⤵
- Program crash
PID:4832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3080

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2792

C:\Users\Admin\AppData\Local\Temp\2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4624

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS7087~1.BAT"
3⤵
PID:4872

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:3808

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5116

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3868

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3604

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 3292 -ip 3292
1⤵
PID:3256

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms7087712.bat

Filesize
201B

MD5
0861a9f7d01f067a9bb69243cdf83796

SHA1
863cfc7b1e63d9ae47c40dfe0da6a772d2a7f17c

SHA256
a921dd0ce9933abbf14918d861d3c13032c3583b54d159a21d835e0fd107bedc

SHA512
856b4a4ae9cdecc84c00326712ccebcc4ded62c45b3a89213701b3b8968e69f107b0a7427948af9259343701cec7f052ef95938eba06cf2eb021dca780e1c359

Download Submit
memory/2376-136-0x00007FFDC3D50000-0x00007FFDC3D60000-memory.dmp

Filesize
64KB

Download
memory/2376-147-0x00000277B5B10000-0x00000277B5B27000-memory.dmp

Filesize
92KB

Download
memory/2388-138-0x00007FFDC3D50000-0x00007FFDC3D60000-memory.dmp

Filesize
64KB

Download
memory/2388-148-0x00000295C6470000-0x00000295C6487000-memory.dmp

Filesize
92KB

Download
memory/2492-149-0x0000029BA6A60000-0x0000029BA6A77000-memory.dmp

Filesize
92KB

Download
memory/2492-137-0x00007FFDC3D50000-0x00007FFDC3D60000-memory.dmp

Filesize
64KB

Download
memory/2792-159-0x0000000000DF0000-0x0000000000E07000-memory.dmp

Filesize
92KB

Download
memory/2792-135-0x00007FFDC3D50000-0x00007FFDC3D60000-memory.dmp

Filesize
64KB

Download
memory/2792-146-0x0000000000DF0000-0x0000000000E07000-memory.dmp

Filesize
92KB

Download
memory/3080-150-0x00000189B47D0000-0x00000189B47E7000-memory.dmp

Filesize
92KB

Download
memory/3080-139-0x00007FFDC3D50000-0x00007FFDC3D60000-memory.dmp

Filesize
64KB

Download
memory/3436-152-0x000002A92F180000-0x000002A92F197000-memory.dmp

Filesize
92KB

Download
memory/3436-140-0x00007FFDC3D50000-0x00007FFDC3D60000-memory.dmp

Filesize
64KB

Download
memory/3524-154-0x00000297EA610000-0x00000297EA627000-memory.dmp

Filesize
92KB

Download
memory/3524-141-0x00007FFDC3D50000-0x00007FFDC3D60000-memory.dmp

Filesize
64KB

Download
memory/3808-145-0x00007FFDC3D50000-0x00007FFDC3D60000-memory.dmp

Filesize
64KB

Download
memory/3808-157-0x0000021BF6F30000-0x0000021BF6F47000-memory.dmp

Filesize
92KB

Download
memory/3868-143-0x00007FFDC3D50000-0x00007FFDC3D60000-memory.dmp

Filesize
64KB

Download
memory/3868-155-0x000001E3159A0000-0x000001E3159B7000-memory.dmp

Filesize
92KB

Download
memory/4624-142-0x0000000000D20000-0x0000000000D3B000-memory.dmp

Filesize
108KB

Download
memory/4624-132-0x0000000000550000-0x000000000055E000-memory.dmp

Filesize
56KB

Download
memory/4624-133-0x0000000000D20000-0x0000000000D3B000-memory.dmp

Filesize
108KB

Download
memory/4872-151-0x0000000037160000-0x0000000037170000-memory.dmp

Filesize
64KB

Download
memory/4872-134-0x0000000000000000-mapping.dmp

Download
memory/4872-158-0x0000000000A50000-0x0000000000A64000-memory.dmp

Filesize
80KB

Download
memory/5116-144-0x00007FFDC3D50000-0x00007FFDC3D60000-memory.dmp

Filesize
64KB

Download
memory/5116-156-0x000002231B1C0000-0x000002231B1D7000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads