143a1f9b68a412aa70906ec63e9ad00ec082feff9fadefc1d6b3badf788f16d2

General

Target

informationen_zum_transaktions_02JS_2820_JWIOU_29MQ_2001_KA21.pdf.exe
Size

94KB
MD5

dbc35cd99daa5b3f3083e911a43b7c31
SHA1

dcbe9859542d22bc8684d798d9f5227624f5be97
SHA256

47063fabbef0d6759cc4076c988760f82ba0328e878431cce6a3691d052e7b06
SHA512

d8212148e1c5897e1c92b2eb054c9b158eafc49fb3047fe22dd01208c1384212ab388848e746f9c37e2b561975e300fe440fdc9877411f460b4cb7c9666ca641
SSDEEP

1536:CvSM+QtpWT1G9NS89i4XZ0wovNOinmYbGmjBtwiRAd6S9C5Qhkxolh+:Cv3I1G9NnH8vN0eGKBqLMS9cIkxolU

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\metlqowx.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\metlqowx.exe\""	Explorer.EXE

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5076	3308	WerFault.exe	26

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4028	informationen_zum_transaktions_02JS_2820_JWIOU_29MQ_2001_KA21.pdf.exe
4028	informationen_zum_transaktions_02JS_2820_JWIOU_29MQ_2001_KA21.pdf.exe
3068	Explorer.EXE
3068	Explorer.EXE
3068	Explorer.EXE
3068	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3068	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4028	informationen_zum_transaktions_02JS_2820_JWIOU_29MQ_2001_KA21.pdf.exe
Token: SeDebugPrivilege	3068	Explorer.EXE
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeShutdownPrivilege	3524	RuntimeBroker.exe
Token: SeShutdownPrivilege	3524	RuntimeBroker.exe
Token: SeShutdownPrivilege	3524	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 1864	4028	informationen_zum_transaktions_02JS_2820_JWIOU_29MQ_2001_KA21.pdf.exe	79
PID 4028 wrote to memory of 1864	4028	informationen_zum_transaktions_02JS_2820_JWIOU_29MQ_2001_KA21.pdf.exe	79
PID 4028 wrote to memory of 1864	4028	informationen_zum_transaktions_02JS_2820_JWIOU_29MQ_2001_KA21.pdf.exe	79
PID 4028 wrote to memory of 3068	4028	informationen_zum_transaktions_02JS_2820_JWIOU_29MQ_2001_KA21.pdf.exe	49
PID 3068 wrote to memory of 2360	3068	Explorer.EXE	24
PID 3068 wrote to memory of 2404	3068	Explorer.EXE	59
PID 3068 wrote to memory of 2452	3068	Explorer.EXE	58
PID 3068 wrote to memory of 3120	3068	Explorer.EXE	48
PID 3068 wrote to memory of 3308	3068	Explorer.EXE	26
PID 3068 wrote to memory of 3408	3068	Explorer.EXE	47
PID 3068 wrote to memory of 3524	3068	Explorer.EXE	27
PID 3068 wrote to memory of 3632	3068	Explorer.EXE	45
PID 3068 wrote to memory of 3828	3068	Explorer.EXE	44
PID 3068 wrote to memory of 4772	3068	Explorer.EXE	42
PID 3068 wrote to memory of 4028	3068	Explorer.EXE	78
PID 3068 wrote to memory of 1864	3068	Explorer.EXE	79

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2360

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3308
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3308 -s 848
  2⤵
  - Program crash
  PID:5076

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3524

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4772

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3828

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3632

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3120

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\AppData\Local\Temp\informationen_zum_transaktions_02JS_2820_JWIOU_29MQ_2001_KA21.pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\informationen_zum_transaktions_02JS_2820_JWIOU_29MQ_2001_KA21.pdf.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4028
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS1654~1.BAT"
    3⤵
    PID:1864

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2404

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 428 -p 3308 -ip 3308
1⤵
PID:1636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms1654797.bat

Filesize
201B

MD5
330717b45b9c4566ecb98965346e5cd7

SHA1
bcb9ce29bd3f9d5d2f02e0a56154712361ba84c5

SHA256
f64d78755e70953d881dd1a8e3f67ae6eed95dfb44bded643c545e261d0f15dc

SHA512
81082ab3bacee9356524e4d17ea14e4d3e5533ce9415acc139ca32c89e303828392fb2761d07e11a65a35975ebc0ac4da4d64db449a38a3cf2b8e9a30f185018

Download Submit
memory/1864-147-0x0000000000E70000-0x0000000000E84000-memory.dmp

Filesize
80KB

Download
memory/1864-145-0x0000000037D80000-0x0000000037D90000-memory.dmp

Filesize
64KB

Download
memory/2360-148-0x0000021D51FC0000-0x0000021D51FD7000-memory.dmp

Filesize
92KB

Download
memory/2360-137-0x00007FF7CC670000-0x00007FF7CC680000-memory.dmp

Filesize
64KB

Download
memory/2404-138-0x00007FF7CC670000-0x00007FF7CC680000-memory.dmp

Filesize
64KB

Download
memory/2404-149-0x000001F0B40B0000-0x000001F0B40C7000-memory.dmp

Filesize
92KB

Download
memory/2452-139-0x00007FF7CC670000-0x00007FF7CC680000-memory.dmp

Filesize
64KB

Download
memory/2452-151-0x00000183AE270000-0x00000183AE287000-memory.dmp

Filesize
92KB

Download
memory/3068-157-0x0000000002D70000-0x0000000002D87000-memory.dmp

Filesize
92KB

Download
memory/3068-135-0x00007FF7CC670000-0x00007FF7CC680000-memory.dmp

Filesize
64KB

Download
memory/3068-150-0x0000000002D70000-0x0000000002D87000-memory.dmp

Filesize
92KB

Download
memory/3120-142-0x00007FF7CC670000-0x00007FF7CC680000-memory.dmp

Filesize
64KB

Download
memory/3120-152-0x00000234A96C0000-0x00000234A96D7000-memory.dmp

Filesize
92KB

Download
memory/3408-141-0x00007FF7CC670000-0x00007FF7CC680000-memory.dmp

Filesize
64KB

Download
memory/3408-153-0x000001760CC30000-0x000001760CC47000-memory.dmp

Filesize
92KB

Download
memory/3524-140-0x00007FF7CC670000-0x00007FF7CC680000-memory.dmp

Filesize
64KB

Download
memory/3524-154-0x000002BCE2070000-0x000002BCE2087000-memory.dmp

Filesize
92KB

Download
memory/3828-144-0x00007FF7CC670000-0x00007FF7CC680000-memory.dmp

Filesize
64KB

Download
memory/3828-156-0x000002290A000000-0x000002290A017000-memory.dmp

Filesize
92KB

Download
memory/4028-133-0x0000000000380000-0x000000000039B000-memory.dmp

Filesize
108KB

Download
memory/4028-136-0x0000000000380000-0x000000000039B000-memory.dmp

Filesize
108KB

Download
memory/4028-132-0x0000000000A90000-0x0000000000A9E000-memory.dmp

Filesize
56KB

Download
memory/4772-155-0x000001225B050000-0x000001225B067000-memory.dmp

Filesize
92KB

Download
memory/4772-143-0x00007FF7CC670000-0x00007FF7CC680000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing