5961ba3798d8753956cad1ba2f751f2fc6d42b866169416c1a79a7fc7d020477

General

Target

2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe
Size

148KB
MD5

69a462f5962e03c6dc1d34b3ec702ef7
SHA1

42a898eb901252f9839b3376e91c80eb508ecf40
SHA256

7cad924cac4762e897aa2d5406cf63083e9d44d86f61cdde86946e0419746a2c
SHA512

252f8baabb0f160c2886b8d781a55ac747fc443029428929e52d42974eb8bbcc362181b8813c45a91d21dde405859943dd59d148d5f4bb04a5e44e02cca9260f
SSDEEP

3072:xQ/LFEPXCmqhQkGmgb6/d33HfI5NxwCshg0e4FeV3q0E:iTePXBaQkG7G5/Izbye4oVq0

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\metlqowx.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\metlqowx.exe\""	Explorer.EXE

Suspicious use of SetThreadContext 1 IoCs

Processes:

2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe

description	pid	process	target process
PID 4572 set thread context of 644	4572	2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe	2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4664 3308 WerFault.exe DllHost.exe

pid	pid_target	process	target process
4664	3308	WerFault.exe	DllHost.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exeExplorer.EXE

pid	process
4572	2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe
4572	2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe
4572	2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe
4572	2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe
4572	2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe
4572	2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe
644	2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe
644	2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe
2228	Explorer.EXE
2228	Explorer.EXE
2228	Explorer.EXE
2228	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2228 Explorer.EXE

pid	process
2228	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exeExplorer.EXERuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	644	2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe
Token: SeDebugPrivilege	2228	Explorer.EXE
Token: SeShutdownPrivilege	2228	Explorer.EXE
Token: SeCreatePagefilePrivilege	2228	Explorer.EXE
Token: SeShutdownPrivilege	3512	RuntimeBroker.exe
Token: SeShutdownPrivilege	3512	RuntimeBroker.exe
Token: SeShutdownPrivilege	3512	RuntimeBroker.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe

pid	process
4572	2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe
4572	2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exeExplorer.EXE

description	pid	process	target process
PID 4572 wrote to memory of 644	4572	2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe	2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe
PID 4572 wrote to memory of 644	4572	2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe	2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe
PID 4572 wrote to memory of 644	4572	2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe	2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe
PID 4572 wrote to memory of 644	4572	2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe	2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe
PID 4572 wrote to memory of 644	4572	2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe	2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe
PID 4572 wrote to memory of 644	4572	2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe	2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe
PID 4572 wrote to memory of 644	4572	2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe	2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe
PID 4572 wrote to memory of 644	4572	2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe	2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe
PID 4572 wrote to memory of 644	4572	2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe	2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe
PID 644 wrote to memory of 2908	644	2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe	cmd.exe
PID 644 wrote to memory of 2908	644	2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe	cmd.exe
PID 644 wrote to memory of 2908	644	2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe	cmd.exe
PID 644 wrote to memory of 2228	644	2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe	Explorer.EXE
PID 2228 wrote to memory of 2372	2228	Explorer.EXE	sihost.exe
PID 2228 wrote to memory of 2380	2228	Explorer.EXE	svchost.exe
PID 2228 wrote to memory of 2476	2228	Explorer.EXE	taskhostw.exe
PID 2228 wrote to memory of 3108	2228	Explorer.EXE	svchost.exe
PID 2228 wrote to memory of 3308	2228	Explorer.EXE	DllHost.exe
PID 2228 wrote to memory of 3404	2228	Explorer.EXE	StartMenuExperienceHost.exe
PID 2228 wrote to memory of 3512	2228	Explorer.EXE	RuntimeBroker.exe
PID 2228 wrote to memory of 3620	2228	Explorer.EXE	SearchApp.exe
PID 2228 wrote to memory of 3824	2228	Explorer.EXE	RuntimeBroker.exe
PID 2228 wrote to memory of 4700	2228	Explorer.EXE	RuntimeBroker.exe
PID 2228 wrote to memory of 2908	2228	Explorer.EXE	cmd.exe
PID 2228 wrote to memory of 5072	2228	Explorer.EXE	Conhost.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2380

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2372

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4700

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3824

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3620

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3512

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3404

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3308

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3308 -s 936
2⤵
- Program crash
PID:4664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3108

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2228

C:\Users\Admin\AppData\Local\Temp\2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe
"C:\Users\Admin\AppData\Local\Temp\2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4572

C:\Users\Admin\AppData\Local\Temp\2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe
C:\Users\Admin\AppData\Local\Temp\2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS3762~1.BAT"
4⤵
PID:2908

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:5072

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2476

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 3308 -ip 3308
1⤵
PID:1972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms3762299.bat
Filesize
201B

MD5
57bbe88db6c2ab29ce3923244caf0f31

SHA1
603d9b633e0b5fe5b340ed34209cd9360d0f2851

SHA256
674f1f0be836477169e25348e9f02d9940d23e4c9d4ad422c673825ff628fa6d

SHA512
9d65b188dff07d6e5287eb095259cd5ebcdc78e976c6a341daf88d132933c4c177bd7b5b2fd1109c1854f379b21479901d2cc8374fa5d720b39bfcbbc2b83e0c

Download Submit
memory/644-140-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/644-133-0x0000000000000000-mapping.dmp

Download
memory/644-134-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/644-136-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/644-137-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2228-139-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

Filesize
64KB

Download
memory/2228-163-0x0000000000870000-0x0000000000887000-memory.dmp

Filesize
92KB

Download
memory/2228-151-0x0000000000870000-0x0000000000887000-memory.dmp

Filesize
92KB

Download
memory/2372-150-0x000002002A000000-0x000002002A017000-memory.dmp

Filesize
92KB

Download
memory/2372-141-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

Filesize
64KB

Download
memory/2380-142-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

Filesize
64KB

Download
memory/2380-152-0x0000020E9CD00000-0x0000020E9CD17000-memory.dmp

Filesize
92KB

Download
memory/2476-153-0x000001E4D0560000-0x000001E4D0577000-memory.dmp

Filesize
92KB

Download
memory/2476-143-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

Filesize
64KB

Download
memory/2908-157-0x0000000037210000-0x0000000037220000-memory.dmp

Filesize
64KB

Download
memory/2908-138-0x0000000000000000-mapping.dmp

Download
memory/2908-162-0x00000000012A0000-0x00000000012B4000-memory.dmp

Filesize
80KB

Download
memory/3108-144-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

Filesize
64KB

Download
memory/3108-154-0x0000020E5B120000-0x0000020E5B137000-memory.dmp

Filesize
92KB

Download
memory/3404-146-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

Filesize
64KB

Download
memory/3404-156-0x0000018555540000-0x0000018555557000-memory.dmp

Filesize
92KB

Download
memory/3512-145-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

Filesize
64KB

Download
memory/3512-155-0x00000129A2F30000-0x00000129A2F47000-memory.dmp

Filesize
92KB

Download
memory/3824-148-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

Filesize
64KB

Download
memory/3824-158-0x000002410A3C0000-0x000002410A3D7000-memory.dmp

Filesize
92KB

Download
memory/4572-132-0x0000000002290000-0x0000000002294000-memory.dmp

Filesize
16KB

Download
memory/4700-159-0x0000026885640000-0x0000026885657000-memory.dmp

Filesize
92KB

Download
memory/4700-147-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

Filesize
64KB

Download
memory/5072-149-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

Filesize
64KB

Download
memory/5072-160-0x0000024107DE0000-0x0000024107DF7000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads