12af7ec4de8feedf4ca60adb38c0acd6ef1a6f798f2403d0b2b4699003f56320

General

Target

RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe
Size

176KB
MD5

5095f22cbdd7c59303fb7d670c97afa5
SHA1

35712036e76c5215b512f9ddb73321617387a98c
SHA256

79e4ffae8c0d0abd80d090d5f3465855b25955509e78d0ced3eab4cfa6d43015
SHA512

9c4815c773a1b57c1178056fec3063894869b51af02cca52baf94a8ee1644d90a2b7444951979f15ecf90f718ad920353cf21927e754158580e479ea5106c0fc
SSDEEP

3072:5KzHNmI+9MEJRuOmz1C+cSQStd3jUQdW6OTHeOO16ogZrssN6wc+ga0Mhze:5qHByNJGBC+Cqz14TE6dZr5PQ

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\metlqowx.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\metlqowx.exe\""	Explorer.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4200 set thread context of 4876	4200	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe	80

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1788	3356	WerFault.exe	50

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4200	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe
4200	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe
4200	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe
4200	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe
4200	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe
4200	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe
4876	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe
4876	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3000	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4876	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe
Token: SeDebugPrivilege	3000	Explorer.EXE
Token: SeShutdownPrivilege	3000	Explorer.EXE
Token: SeCreatePagefilePrivilege	3000	Explorer.EXE
Token: SeShutdownPrivilege	3520	RuntimeBroker.exe
Token: SeShutdownPrivilege	3520	RuntimeBroker.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4200	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe
4200	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4200 wrote to memory of 4876	4200	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe	80
PID 4200 wrote to memory of 4876	4200	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe	80
PID 4200 wrote to memory of 4876	4200	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe	80
PID 4200 wrote to memory of 4876	4200	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe	80
PID 4200 wrote to memory of 4876	4200	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe	80
PID 4200 wrote to memory of 4876	4200	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe	80
PID 4200 wrote to memory of 4876	4200	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe	80
PID 4200 wrote to memory of 4876	4200	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe	80
PID 4200 wrote to memory of 4876	4200	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe	80
PID 4876 wrote to memory of 4856	4876	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe	81
PID 4876 wrote to memory of 4856	4876	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe	81
PID 4876 wrote to memory of 4856	4876	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe	81
PID 4876 wrote to memory of 3000	4876	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe	52
PID 3000 wrote to memory of 2300	3000	Explorer.EXE	61
PID 3000 wrote to memory of 2320	3000	Explorer.EXE	60
PID 3000 wrote to memory of 2428	3000	Explorer.EXE	26
PID 3000 wrote to memory of 3156	3000	Explorer.EXE	51
PID 3000 wrote to memory of 3356	3000	Explorer.EXE	50
PID 3000 wrote to memory of 3444	3000	Explorer.EXE	29
PID 3000 wrote to memory of 3520	3000	Explorer.EXE	28
PID 3000 wrote to memory of 3600	3000	Explorer.EXE	49
PID 3000 wrote to memory of 3876	3000	Explorer.EXE	48
PID 3000 wrote to memory of 4728	3000	Explorer.EXE	46
PID 3000 wrote to memory of 4856	3000	Explorer.EXE	81
PID 3000 wrote to memory of 3708	3000	Explorer.EXE	82

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2428

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3520

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3444

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4728

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3876

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3600

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3356
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3356 -s 392
  2⤵
  - Program crash
  PID:1788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3156

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Users\Admin\AppData\Local\Temp\RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe
  "C:\Users\Admin\AppData\Local\Temp\RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4200
- - C:\Users\Admin\AppData\Local\Temp\RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe
    C:\Users\Admin\AppData\Local\Temp\RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4876
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS2852~1.BAT"
      4⤵
      PID:4856
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2320

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2300

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 3356 -ip 3356
1⤵
PID:3776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms2852742.bat

Filesize
201B

MD5
f9008b6b085b517f1aaa86a106e445cb

SHA1
68bd7655f030b0d05c014b01c948b8f0b8d7550d

SHA256
01121c396511d8573936a880df47197268933d7d3f65fa179b44249a8dbcf251

SHA512
8a95ee54c231009767611815ff4cdbac4eb70eff77b304550be4b2e10cf92f2dcdd33a3702069ee7fb71f4797ff0d7f6fa2b2e0ec40f41bd19aa8ce94b4892e2

Download Submit
memory/2300-154-0x000001A735E90000-0x000001A735EA7000-memory.dmp

Filesize
92KB

Download
memory/2300-141-0x00007FFBCA370000-0x00007FFBCA380000-memory.dmp

Filesize
64KB

Download
memory/2320-142-0x00007FFBCA370000-0x00007FFBCA380000-memory.dmp

Filesize
64KB

Download
memory/2320-156-0x000001EA75FA0000-0x000001EA75FB7000-memory.dmp

Filesize
92KB

Download
memory/2428-143-0x00007FFBCA370000-0x00007FFBCA380000-memory.dmp

Filesize
64KB

Download
memory/2428-157-0x000002100C8A0000-0x000002100C8B7000-memory.dmp

Filesize
92KB

Download
memory/3000-163-0x0000000000800000-0x0000000000817000-memory.dmp

Filesize
92KB

Download
memory/3000-139-0x00007FFBCA370000-0x00007FFBCA380000-memory.dmp

Filesize
64KB

Download
memory/3000-155-0x0000000000800000-0x0000000000817000-memory.dmp

Filesize
92KB

Download
memory/3156-144-0x00007FFBCA370000-0x00007FFBCA380000-memory.dmp

Filesize
64KB

Download
memory/3156-158-0x000001EEAB5B0000-0x000001EEAB5C7000-memory.dmp

Filesize
92KB

Download
memory/3444-145-0x00007FFBCA370000-0x00007FFBCA380000-memory.dmp

Filesize
64KB

Download
memory/3444-159-0x00000196E97A0000-0x00000196E97B7000-memory.dmp

Filesize
92KB

Download
memory/3520-160-0x000001E042F50000-0x000001E042F67000-memory.dmp

Filesize
92KB

Download
memory/3520-147-0x00007FFBCA370000-0x00007FFBCA380000-memory.dmp

Filesize
64KB

Download
memory/3708-153-0x000001F812CA0000-0x000001F812CB7000-memory.dmp

Filesize
92KB

Download
memory/3708-149-0x00007FFBCA370000-0x00007FFBCA380000-memory.dmp

Filesize
64KB

Download
memory/3876-146-0x00007FFBCA370000-0x00007FFBCA380000-memory.dmp

Filesize
64KB

Download
memory/3876-161-0x000001EBD2260000-0x000001EBD2277000-memory.dmp

Filesize
92KB

Download
memory/4200-136-0x0000000000AD0000-0x0000000000AD4000-memory.dmp

Filesize
16KB

Download
memory/4728-148-0x00007FFBCA370000-0x00007FFBCA380000-memory.dmp

Filesize
64KB

Download
memory/4728-162-0x0000021B207B0000-0x0000021B207C7000-memory.dmp

Filesize
92KB

Download
memory/4856-152-0x0000000000FB0000-0x0000000000FC4000-memory.dmp

Filesize
80KB

Download
memory/4856-150-0x0000000037050000-0x0000000037060000-memory.dmp

Filesize
64KB

Download
memory/4876-135-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4876-137-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4876-133-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4876-140-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing