34ac94d4483fe75b414b17fee0259f213ba750b295a584830910f79af75ff450

General

Target

2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe
Size

306KB
MD5

756fae3b80bf129ce578006534c1413f
SHA1

00ec3c18110067acd9014a27c366160f2ea18ab3
SHA256

69b81b054100dc55fa61aa0edb9acdecccb84ab84fa37177b33e5d9814067633
SHA512

10274e2d15f6c7990acee9dd6b8e4d3b30c5dc810321198257671862f125baecede3cb5193468f8361d3289fb4623cb3ab6a9f0caceb780eaa6e0e4ef4d1626e
SSDEEP

6144:Ci37LbbWiaYUpwXV9RIKWn/TUVs8oL48N8lqFzc+tRJShtvUdJk:CO/izXrN8UbtPShoJk

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\metlqowx.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\metlqowx.exe\""	Explorer.EXE

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

888 3288 WerFault.exe DllHost.exe

pid	pid_target	process	target process
888	3288	WerFault.exe	DllHost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exeExplorer.EXE

pid	process
3712	2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe
3712	2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe
900	Explorer.EXE
900	Explorer.EXE
900	Explorer.EXE
900	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

900 Explorer.EXE

pid	process
900	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exeExplorer.EXERuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	3712	2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe
Token: SeDebugPrivilege	900	Explorer.EXE
Token: SeShutdownPrivilege	900	Explorer.EXE
Token: SeCreatePagefilePrivilege	900	Explorer.EXE
Token: SeShutdownPrivilege	3444	RuntimeBroker.exe
Token: SeShutdownPrivilege	3444	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exeExplorer.EXE

description	pid	process	target process
PID 3712 wrote to memory of 404	3712	2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe	cmd.exe
PID 3712 wrote to memory of 404	3712	2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe	cmd.exe
PID 3712 wrote to memory of 404	3712	2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe	cmd.exe
PID 3712 wrote to memory of 900	3712	2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe	Explorer.EXE
PID 900 wrote to memory of 2484	900	Explorer.EXE	sihost.exe
PID 900 wrote to memory of 2504	900	Explorer.EXE	svchost.exe
PID 900 wrote to memory of 2768	900	Explorer.EXE	taskhostw.exe
PID 900 wrote to memory of 3080	900	Explorer.EXE	svchost.exe
PID 900 wrote to memory of 3288	900	Explorer.EXE	DllHost.exe
PID 900 wrote to memory of 3376	900	Explorer.EXE	StartMenuExperienceHost.exe
PID 900 wrote to memory of 3444	900	Explorer.EXE	RuntimeBroker.exe
PID 900 wrote to memory of 3548	900	Explorer.EXE	SearchApp.exe
PID 900 wrote to memory of 3704	900	Explorer.EXE	RuntimeBroker.exe
PID 900 wrote to memory of 4652	900	Explorer.EXE	RuntimeBroker.exe
PID 900 wrote to memory of 3712	900	Explorer.EXE	2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe
PID 900 wrote to memory of 404	900	Explorer.EXE	cmd.exe
PID 900 wrote to memory of 544	900	Explorer.EXE	Conhost.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2504

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2768

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:900

C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe
"C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3712

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS3414~1.BAT"
3⤵
PID:404

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:544

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3288

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3288 -s 756
2⤵
- Program crash
PID:888

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3080

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3444

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3548

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3704

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4652

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 3288 -ip 3288
1⤵
PID:4744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms3414114.bat
Filesize
201B

MD5
e54e5f7692f8c05c92235d88d41aa8c1

SHA1
32ad71f52b4dcc961055ecc1569fdfa83bb52f7a

SHA256
8e61c8076dc5f8705870a62703c9c53c09de2f8998948534b0db296cd304936b

SHA512
40a3e0fae251b13052e2d9a7885e5aa5d040ea100e526a81e7a4fdc2ff76897aee8d09cd3c401bab010534e0347bc1d2b11daeb437d92f2dec042e9a3ab3678d

Download Submit
memory/404-158-0x0000000001010000-0x0000000001024000-memory.dmp

Filesize
80KB

Download
memory/404-149-0x00000000373C0000-0x00000000373D0000-memory.dmp

Filesize
64KB

Download
memory/404-134-0x0000000000000000-mapping.dmp

Download
memory/544-145-0x00007FFA72110000-0x00007FFA72120000-memory.dmp

Filesize
64KB

Download
memory/544-156-0x00000203AD080000-0x00000203AD097000-memory.dmp

Filesize
92KB

Download
memory/900-142-0x0000000001190000-0x00000000011A7000-memory.dmp

Filesize
92KB

Download
memory/900-135-0x00007FFA72110000-0x00007FFA72120000-memory.dmp

Filesize
64KB

Download
memory/900-159-0x0000000001190000-0x00000000011A7000-memory.dmp

Filesize
92KB

Download
memory/2484-146-0x0000025E7A430000-0x0000025E7A447000-memory.dmp

Filesize
92KB

Download
memory/2484-136-0x00007FFA72110000-0x00007FFA72120000-memory.dmp

Filesize
64KB

Download
memory/2504-147-0x00000266FD940000-0x00000266FD957000-memory.dmp

Filesize
92KB

Download
memory/2504-137-0x00007FFA72110000-0x00007FFA72120000-memory.dmp

Filesize
64KB

Download
memory/2768-138-0x00007FFA72110000-0x00007FFA72120000-memory.dmp

Filesize
64KB

Download
memory/2768-148-0x0000022D17400000-0x0000022D17417000-memory.dmp

Filesize
92KB

Download
memory/3080-139-0x00007FFA72110000-0x00007FFA72120000-memory.dmp

Filesize
64KB

Download
memory/3080-150-0x0000020BF0CC0000-0x0000020BF0CD7000-memory.dmp

Filesize
92KB

Download
memory/3376-151-0x000001EC6AC80000-0x000001EC6AC97000-memory.dmp

Filesize
92KB

Download
memory/3376-140-0x00007FFA72110000-0x00007FFA72120000-memory.dmp

Filesize
64KB

Download
memory/3444-152-0x0000021FD3380000-0x0000021FD3397000-memory.dmp

Filesize
92KB

Download
memory/3444-141-0x00007FFA72110000-0x00007FFA72120000-memory.dmp

Filesize
64KB

Download
memory/3704-153-0x00000176C8430000-0x00000176C8447000-memory.dmp

Filesize
92KB

Download
memory/3704-143-0x00007FFA72110000-0x00007FFA72120000-memory.dmp

Filesize
64KB

Download
memory/3712-132-0x00000000016C0000-0x00000000016CE000-memory.dmp

Filesize
56KB

Download
memory/3712-157-0x0000000000730000-0x0000000000784000-memory.dmp

Filesize
336KB

Download
memory/3712-133-0x0000000000730000-0x0000000000784000-memory.dmp

Filesize
336KB

Download
memory/4652-154-0x00000248A9570000-0x00000248A9587000-memory.dmp

Filesize
92KB

Download
memory/4652-144-0x00007FFA72110000-0x00007FFA72120000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads