Analysis
-
max time kernel
153s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
25-11-2022 02:58
Static task
static1
Behavioral task
behavioral1
Sample
2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe
Resource
win10v2004-20220812-en
General
-
Target
2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe
-
Size
306KB
-
MD5
756fae3b80bf129ce578006534c1413f
-
SHA1
00ec3c18110067acd9014a27c366160f2ea18ab3
-
SHA256
69b81b054100dc55fa61aa0edb9acdecccb84ab84fa37177b33e5d9814067633
-
SHA512
10274e2d15f6c7990acee9dd6b8e4d3b30c5dc810321198257671862f125baecede3cb5193468f8361d3289fb4623cb3ab6a9f0caceb780eaa6e0e4ef4d1626e
-
SSDEEP
6144:Ci37LbbWiaYUpwXV9RIKWn/TUVs8oL48N8lqFzc+tRJShtvUdJk:CO/izXrN8UbtPShoJk
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Explorer.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\metlqowx.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\metlqowx.exe\"" Explorer.EXE -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 888 3288 WerFault.exe DllHost.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exeExplorer.EXEpid process 3712 2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe 3712 2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe 900 Explorer.EXE 900 Explorer.EXE 900 Explorer.EXE 900 Explorer.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 900 Explorer.EXE -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exeExplorer.EXERuntimeBroker.exedescription pid process Token: SeDebugPrivilege 3712 2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe Token: SeDebugPrivilege 900 Explorer.EXE Token: SeShutdownPrivilege 900 Explorer.EXE Token: SeCreatePagefilePrivilege 900 Explorer.EXE Token: SeShutdownPrivilege 3444 RuntimeBroker.exe Token: SeShutdownPrivilege 3444 RuntimeBroker.exe -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exeExplorer.EXEdescription pid process target process PID 3712 wrote to memory of 404 3712 2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe cmd.exe PID 3712 wrote to memory of 404 3712 2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe cmd.exe PID 3712 wrote to memory of 404 3712 2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe cmd.exe PID 3712 wrote to memory of 900 3712 2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe Explorer.EXE PID 900 wrote to memory of 2484 900 Explorer.EXE sihost.exe PID 900 wrote to memory of 2504 900 Explorer.EXE svchost.exe PID 900 wrote to memory of 2768 900 Explorer.EXE taskhostw.exe PID 900 wrote to memory of 3080 900 Explorer.EXE svchost.exe PID 900 wrote to memory of 3288 900 Explorer.EXE DllHost.exe PID 900 wrote to memory of 3376 900 Explorer.EXE StartMenuExperienceHost.exe PID 900 wrote to memory of 3444 900 Explorer.EXE RuntimeBroker.exe PID 900 wrote to memory of 3548 900 Explorer.EXE SearchApp.exe PID 900 wrote to memory of 3704 900 Explorer.EXE RuntimeBroker.exe PID 900 wrote to memory of 4652 900 Explorer.EXE RuntimeBroker.exe PID 900 wrote to memory of 3712 900 Explorer.EXE 2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe PID 900 wrote to memory of 404 900 Explorer.EXE cmd.exe PID 900 wrote to memory of 544 900 Explorer.EXE Conhost.exe
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe"C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS3414~1.BAT"3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3288 -s 7562⤵
- Program crash
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 408 -p 3288 -ip 32881⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\ms3414114.batFilesize
201B
MD5e54e5f7692f8c05c92235d88d41aa8c1
SHA132ad71f52b4dcc961055ecc1569fdfa83bb52f7a
SHA2568e61c8076dc5f8705870a62703c9c53c09de2f8998948534b0db296cd304936b
SHA51240a3e0fae251b13052e2d9a7885e5aa5d040ea100e526a81e7a4fdc2ff76897aee8d09cd3c401bab010534e0347bc1d2b11daeb437d92f2dec042e9a3ab3678d
-
memory/404-158-0x0000000001010000-0x0000000001024000-memory.dmpFilesize
80KB
-
memory/404-149-0x00000000373C0000-0x00000000373D0000-memory.dmpFilesize
64KB
-
memory/404-134-0x0000000000000000-mapping.dmp
-
memory/544-145-0x00007FFA72110000-0x00007FFA72120000-memory.dmpFilesize
64KB
-
memory/544-156-0x00000203AD080000-0x00000203AD097000-memory.dmpFilesize
92KB
-
memory/900-142-0x0000000001190000-0x00000000011A7000-memory.dmpFilesize
92KB
-
memory/900-135-0x00007FFA72110000-0x00007FFA72120000-memory.dmpFilesize
64KB
-
memory/900-159-0x0000000001190000-0x00000000011A7000-memory.dmpFilesize
92KB
-
memory/2484-146-0x0000025E7A430000-0x0000025E7A447000-memory.dmpFilesize
92KB
-
memory/2484-136-0x00007FFA72110000-0x00007FFA72120000-memory.dmpFilesize
64KB
-
memory/2504-147-0x00000266FD940000-0x00000266FD957000-memory.dmpFilesize
92KB
-
memory/2504-137-0x00007FFA72110000-0x00007FFA72120000-memory.dmpFilesize
64KB
-
memory/2768-138-0x00007FFA72110000-0x00007FFA72120000-memory.dmpFilesize
64KB
-
memory/2768-148-0x0000022D17400000-0x0000022D17417000-memory.dmpFilesize
92KB
-
memory/3080-139-0x00007FFA72110000-0x00007FFA72120000-memory.dmpFilesize
64KB
-
memory/3080-150-0x0000020BF0CC0000-0x0000020BF0CD7000-memory.dmpFilesize
92KB
-
memory/3376-151-0x000001EC6AC80000-0x000001EC6AC97000-memory.dmpFilesize
92KB
-
memory/3376-140-0x00007FFA72110000-0x00007FFA72120000-memory.dmpFilesize
64KB
-
memory/3444-152-0x0000021FD3380000-0x0000021FD3397000-memory.dmpFilesize
92KB
-
memory/3444-141-0x00007FFA72110000-0x00007FFA72120000-memory.dmpFilesize
64KB
-
memory/3704-153-0x00000176C8430000-0x00000176C8447000-memory.dmpFilesize
92KB
-
memory/3704-143-0x00007FFA72110000-0x00007FFA72120000-memory.dmpFilesize
64KB
-
memory/3712-132-0x00000000016C0000-0x00000000016CE000-memory.dmpFilesize
56KB
-
memory/3712-157-0x0000000000730000-0x0000000000784000-memory.dmpFilesize
336KB
-
memory/3712-133-0x0000000000730000-0x0000000000784000-memory.dmpFilesize
336KB
-
memory/4652-154-0x00000248A9570000-0x00000248A9587000-memory.dmpFilesize
92KB
-
memory/4652-144-0x00007FFA72110000-0x00007FFA72120000-memory.dmpFilesize
64KB