4ed92e599177ad6e594daa6167bdba35d65c7646c02d984aab2467cbfb717667

General

Target

2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe
Size

283KB
MD5

a168f69f6e79f6830b1c3f0ac54d68e6
SHA1

1cfbae35bf5e26762432e3bdae57193c92b898af
SHA256

a4b10ed2faa80a978480458dc4f95543ebad4a497d2b441346c7b44adee51e78
SHA512

1a557575ff7ff6e67edb58c6acd28bc2bacf4dbc985ead70d935d0e0a6d0e36635fc252dcd51d61ef022f84370eee53ee5e66aa1d2370074a24e97578f799773
SSDEEP

6144:MHT0BiwUyoqwx658IIIOf1G4ELtrWWiz0Lm1+V+XjMSBaf/9:MH+z8Byb+Xvw

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\metlqowx.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\metlqowx.exe\""	Explorer.EXE

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3700 3376 WerFault.exe DllHost.exe

pid	pid_target	process	target process
3700	3376	WerFault.exe	DllHost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exeExplorer.EXE

pid	process
536	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe
536	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe
2408	Explorer.EXE
2408	Explorer.EXE
2408	Explorer.EXE
2408	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2408 Explorer.EXE

pid	process
2408	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exeExplorer.EXERuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	536	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe
Token: SeDebugPrivilege	2408	Explorer.EXE
Token: SeShutdownPrivilege	2408	Explorer.EXE
Token: SeCreatePagefilePrivilege	2408	Explorer.EXE
Token: SeShutdownPrivilege	3540	RuntimeBroker.exe
Token: SeShutdownPrivilege	3540	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exeExplorer.EXE

description	pid	process	target process
PID 536 wrote to memory of 2044	536	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe	cmd.exe
PID 536 wrote to memory of 2044	536	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe	cmd.exe
PID 536 wrote to memory of 2044	536	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe	cmd.exe
PID 536 wrote to memory of 2408	536	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe	Explorer.EXE
PID 2408 wrote to memory of 2340	2408	Explorer.EXE	sihost.exe
PID 2408 wrote to memory of 2376	2408	Explorer.EXE	svchost.exe
PID 2408 wrote to memory of 2448	2408	Explorer.EXE	taskhostw.exe
PID 2408 wrote to memory of 3164	2408	Explorer.EXE	svchost.exe
PID 2408 wrote to memory of 3376	2408	Explorer.EXE	DllHost.exe
PID 2408 wrote to memory of 3464	2408	Explorer.EXE	StartMenuExperienceHost.exe
PID 2408 wrote to memory of 3540	2408	Explorer.EXE	RuntimeBroker.exe
PID 2408 wrote to memory of 3620	2408	Explorer.EXE	SearchApp.exe
PID 2408 wrote to memory of 3796	2408	Explorer.EXE	RuntimeBroker.exe
PID 2408 wrote to memory of 4676	2408	Explorer.EXE	RuntimeBroker.exe
PID 2408 wrote to memory of 536	2408	Explorer.EXE	2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe
PID 2408 wrote to memory of 2044	2408	Explorer.EXE	cmd.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2376

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2448

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3464

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3540

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3376

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3376 -s 980
2⤵
- Program crash
PID:3700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3164

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2408

C:\Users\Admin\AppData\Local\Temp\2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\2014_11rechnungonline_pdf_vodafone_0095890374_537999190_82135674.pdf.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:536

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS8509~1.BAT"
3⤵
PID:2044

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4676

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3796

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3620

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 424 -p 3376 -ip 3376
1⤵
PID:2036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms8509199.bat

Filesize
201B

MD5
29f0acd873f056073e86a9975ea329b0

SHA1
5f2d0dcf066836677018fede20833465019ba0be

SHA256
4540e69e3f14aa1c9c70c56832445de9c5b605545c3ef93e585cbabcd62b58f6

SHA512
59ede0de9ca546cab83177ed351b1d939dce2756ee57f3894974ce6639048d6f618c930a83311359383f60ae70b7e9fe62717014af1958a3150df413b51677a5

Download Submit
memory/536-137-0x0000000000060000-0x00000000000AA000-memory.dmp

Filesize
296KB

Download
memory/536-133-0x0000000000060000-0x00000000000AA000-memory.dmp

Filesize
296KB

Download
memory/536-132-0x0000000002EF0000-0x0000000002EFE000-memory.dmp

Filesize
56KB

Download
memory/2044-134-0x0000000000000000-mapping.dmp

Download
memory/2044-156-0x00000000008F0000-0x0000000000904000-memory.dmp

Filesize
80KB

Download
memory/2044-145-0x00000000371B0000-0x00000000371C0000-memory.dmp

Filesize
64KB

Download
memory/2340-150-0x0000026439F30000-0x0000026439F47000-memory.dmp

Filesize
92KB

Download
memory/2340-136-0x00007FFFBFE70000-0x00007FFFBFE80000-memory.dmp

Filesize
64KB

Download
memory/2376-138-0x00007FFFBFE70000-0x00007FFFBFE80000-memory.dmp

Filesize
64KB

Download
memory/2376-147-0x00000214ED750000-0x00000214ED767000-memory.dmp

Filesize
92KB

Download
memory/2408-149-0x0000000002930000-0x0000000002947000-memory.dmp

Filesize
92KB

Download
memory/2408-135-0x00007FFFBFE70000-0x00007FFFBFE80000-memory.dmp

Filesize
64KB

Download
memory/2448-139-0x00007FFFBFE70000-0x00007FFFBFE80000-memory.dmp

Filesize
64KB

Download
memory/2448-148-0x00000250A9C80000-0x00000250A9C97000-memory.dmp

Filesize
92KB

Download
memory/3164-141-0x00007FFFBFE70000-0x00007FFFBFE80000-memory.dmp

Filesize
64KB

Download
memory/3164-151-0x000001BFEBF00000-0x000001BFEBF17000-memory.dmp

Filesize
92KB

Download
memory/3464-142-0x00007FFFBFE70000-0x00007FFFBFE80000-memory.dmp

Filesize
64KB

Download
memory/3464-153-0x000001CBFF600000-0x000001CBFF617000-memory.dmp

Filesize
92KB

Download
memory/3540-152-0x00000193D6450000-0x00000193D6467000-memory.dmp

Filesize
92KB

Download
memory/3540-140-0x00007FFFBFE70000-0x00007FFFBFE80000-memory.dmp

Filesize
64KB

Download
memory/3796-143-0x00007FFFBFE70000-0x00007FFFBFE80000-memory.dmp

Filesize
64KB

Download
memory/3796-154-0x0000010C19D70000-0x0000010C19D87000-memory.dmp

Filesize
92KB

Download
memory/4676-144-0x00007FFFBFE70000-0x00007FFFBFE80000-memory.dmp

Filesize
64KB

Download
memory/4676-155-0x0000025919580000-0x0000025919597000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads