a6c8410cf362d1b7fc2907f7bd6f1db7a925f131314967739631b568a046968c

General

Target

2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe
Size

148KB
MD5

6d114c7a21aab94456d8e8d4aef88362
SHA1

1229f292c46ffa1bde2db69227c4e98c2e46ae3a
SHA256

0b577f76b08c5267eb5f2f8596127a28a6eaf5ff2089cff6be0b689f31850124
SHA512

828b656d5eeb4e225af9bc76fad68fd51f5bc6a867450f200e005782231cfd762ceef3d2341aa9e2dcfca9db656637dda71ee6b93083664a36e15f02a0342e03
SSDEEP

3072:5fSj3q4+o/mYSpVygq2xW+rQDuZz4AYOr8Hkv:xSusZSXRY+rBF4AYOr8

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\metlqowx.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\metlqowx.exe\""	Explorer.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1436 set thread context of 2444	1436	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe	78

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1940	3376	WerFault.exe	65

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1436	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe
1436	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe
1436	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe
1436	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe
1436	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe
1436	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe
2444	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe
2444	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe
2408	Explorer.EXE
2408	Explorer.EXE
2408	Explorer.EXE
2408	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2408	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2444	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe
Token: SeDebugPrivilege	2408	Explorer.EXE
Token: SeShutdownPrivilege	2408	Explorer.EXE
Token: SeCreatePagefilePrivilege	2408	Explorer.EXE
Token: SeShutdownPrivilege	3540	RuntimeBroker.exe
Token: SeShutdownPrivilege	3540	RuntimeBroker.exe
Token: SeShutdownPrivilege	3540	RuntimeBroker.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1436	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe
1436	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 2444	1436	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe	78
PID 1436 wrote to memory of 2444	1436	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe	78
PID 1436 wrote to memory of 2444	1436	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe	78
PID 1436 wrote to memory of 2444	1436	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe	78
PID 1436 wrote to memory of 2444	1436	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe	78
PID 1436 wrote to memory of 2444	1436	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe	78
PID 1436 wrote to memory of 2444	1436	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe	78
PID 1436 wrote to memory of 2444	1436	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe	78
PID 1436 wrote to memory of 2444	1436	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe	78
PID 2444 wrote to memory of 780	2444	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe	79
PID 2444 wrote to memory of 780	2444	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe	79
PID 2444 wrote to memory of 780	2444	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe	79
PID 2444 wrote to memory of 2408	2444	2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe	66
PID 2408 wrote to memory of 2340	2408	Explorer.EXE	34
PID 2408 wrote to memory of 2376	2408	Explorer.EXE	76
PID 2408 wrote to memory of 2448	2408	Explorer.EXE	75
PID 2408 wrote to memory of 3164	2408	Explorer.EXE	44
PID 2408 wrote to memory of 3376	2408	Explorer.EXE	65
PID 2408 wrote to memory of 3464	2408	Explorer.EXE	45
PID 2408 wrote to memory of 3540	2408	Explorer.EXE	46
PID 2408 wrote to memory of 3620	2408	Explorer.EXE	64
PID 2408 wrote to memory of 3796	2408	Explorer.EXE	63
PID 2408 wrote to memory of 4676	2408	Explorer.EXE	61
PID 2408 wrote to memory of 780	2408	Explorer.EXE	79
PID 2408 wrote to memory of 808	2408	Explorer.EXE	80

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3164

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3464

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3540

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4676

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3796

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3620

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3376
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3376 -s 980
  2⤵
  - Program crash
  PID:1940

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Users\Admin\AppData\Local\Temp\2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe
  "C:\Users\Admin\AppData\Local\Temp\2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Users\Admin\AppData\Local\Temp\2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe
    C:\Users\Admin\AppData\Local\Temp\2014_11details_transaktion_37900000929_november_30908300059_11_0000000039.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS8930~1.BAT"
      4⤵
      PID:780
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:808

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2376

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 3376 -ip 3376
1⤵
PID:3720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms8930642.bat

Filesize
201B

MD5
85b11a262bdf13274cc5d5d8b7d33caf

SHA1
36ecf3167ecd987b5d253a54f14e48bf03741cf4

SHA256
b58af4baf980ab8570851c659b47b4a1e4c9fbebe292d46960d473151546fcee

SHA512
5f9c37eecf5cd325030f38a8308c707e7d19bfcd3ade955809629e693af7e50824c529676d43906d57ef526beac4d20857bec41a115cc0668c85398d39159c0f

Download Submit
memory/780-161-0x00000000002B0000-0x00000000002C4000-memory.dmp

Filesize
80KB

Download
memory/780-137-0x0000000000000000-mapping.dmp

Download
memory/780-153-0x00000000371B0000-0x00000000371C0000-memory.dmp

Filesize
64KB

Download
memory/808-160-0x0000019E0C2A0000-0x0000019E0C2B7000-memory.dmp

Filesize
92KB

Download
memory/808-149-0x00007FFFBFE70000-0x00007FFFBFE80000-memory.dmp

Filesize
64KB

Download
memory/1436-134-0x0000000002380000-0x0000000002384000-memory.dmp

Filesize
16KB

Download
memory/2340-151-0x0000026439F30000-0x0000026439F47000-memory.dmp

Filesize
92KB

Download
memory/2340-141-0x00007FFFBFE70000-0x00007FFFBFE80000-memory.dmp

Filesize
64KB

Download
memory/2376-150-0x00000214ED750000-0x00000214ED767000-memory.dmp

Filesize
92KB

Download
memory/2376-140-0x00007FFFBFE70000-0x00007FFFBFE80000-memory.dmp

Filesize
64KB

Download
memory/2408-146-0x0000000002930000-0x0000000002947000-memory.dmp

Filesize
92KB

Download
memory/2408-162-0x0000000002930000-0x0000000002947000-memory.dmp

Filesize
92KB

Download
memory/2408-139-0x00007FFFBFE70000-0x00007FFFBFE80000-memory.dmp

Filesize
64KB

Download
memory/2444-138-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2444-132-0x0000000000000000-mapping.dmp

Download
memory/2444-136-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2444-133-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2448-144-0x00007FFFBFE70000-0x00007FFFBFE80000-memory.dmp

Filesize
64KB

Download
memory/2448-152-0x00000250A9C80000-0x00000250A9C97000-memory.dmp

Filesize
92KB

Download
memory/3164-154-0x000001BFEBF00000-0x000001BFEBF17000-memory.dmp

Filesize
92KB

Download
memory/3164-145-0x00007FFFBFE70000-0x00007FFFBFE80000-memory.dmp

Filesize
64KB

Download
memory/3464-142-0x00007FFFBFE70000-0x00007FFFBFE80000-memory.dmp

Filesize
64KB

Download
memory/3464-157-0x000001CBFF600000-0x000001CBFF617000-memory.dmp

Filesize
92KB

Download
memory/3540-155-0x00000193D6450000-0x00000193D6467000-memory.dmp

Filesize
92KB

Download
memory/3540-143-0x00007FFFBFE70000-0x00007FFFBFE80000-memory.dmp

Filesize
64KB

Download
memory/3796-147-0x00007FFFBFE70000-0x00007FFFBFE80000-memory.dmp

Filesize
64KB

Download
memory/3796-158-0x0000010C19D70000-0x0000010C19D87000-memory.dmp

Filesize
92KB

Download
memory/4676-159-0x0000025919580000-0x0000025919597000-memory.dmp

Filesize
92KB

Download
memory/4676-148-0x00007FFFBFE70000-0x00007FFFBFE80000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing