Analysis
max time kernel: 158s
max time network: 161s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 05:27
Static task: static1
Behavioral task: behavioral1
  Sample: 16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426.exe
  Resource: win10v2004-20220812-en
General
Target: 16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426.exe
Size: 282KB
MD5: 572540a337ad063e789274532cbe9132
SHA1: 1f36c5c0ce67f9fe9dd1cd716ab4e6058734955d
SHA256: 16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426
SHA512: 24810cc3a63153a5839c2d7e1de4b9f9d51a8f19363482f8a716d34c5f6e21e11a54abf6e17935c0a06d92e82afc07a053c52416052f09fd5e5745fcf8d9abfa
SSDEEP: 6144:62DRZVcMcpBrucMhrndQqAgKnef8AnA3n/LbFP1Z3s9B7txu8udmSr/:6cguRT1gRN1tsPBHSr
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: Explorer.EXE
  Key created: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run (Explorer.EXE)
  Set value (str): \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\metlqowx.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\metlqowx.exe\"" (Explorer.EXE)
Creates a large amount of network flows (1 TTPs)
This may indicate a network scan to discover remotely running services.
Program crash (1 IoCs)
Processes: WerFault.exe
  pid 1596 (WerFault.exe), target pid 3308 (DllHost.exe)
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: 16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426.exe, Explorer.EXE
  pid 4216 16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426.exe
  pid 4216 16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426.exe
  pid 3068 Explorer.EXE
  pid 3068 Explorer.EXE
  pid 3068 Explorer.EXE
  pid 3068 Explorer.EXE
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: Explorer.EXE
  pid 3068 Explorer.EXE
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: 16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426.exe, Explorer.EXE, RuntimeBroker.exe
  Token: SeDebugPrivilege, pid 4216, 16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426.exe
  Token: SeDebugPrivilege, pid 3068, Explorer.EXE
  Token: SeShutdownPrivilege, pid 3068, Explorer.EXE
  Token: SeCreatePagefilePrivilege, pid 3068, Explorer.EXE
  Token: SeShutdownPrivilege, pid 3524, RuntimeBroker.exe
  Token: SeShutdownPrivilege, pid 3524, RuntimeBroker.exe
Suspicious use of WriteProcessMemory (16 IoCs)
Processes: 16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426.exe, Explorer.EXE
  PID 4216 (16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426.exe) wrote to memory of 1576 (cmd.exe)
  PID 4216 (16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426.exe) wrote to memory of 1576 (cmd.exe)
  PID 4216 (16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426.exe) wrote to memory of 1576 (cmd.exe)
  PID 4216 (16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426.exe) wrote to memory of 3068 (Explorer.EXE)
  PID 3068 (Explorer.EXE) wrote to memory of 2360 (sihost.exe)
  PID 3068 (Explorer.EXE) wrote to memory of 2404 (svchost.exe)
  PID 3068 (Explorer.EXE) wrote to memory of 2452 (taskhostw.exe)
  PID 3068 (Explorer.EXE) wrote to memory of 3120 (svchost.exe)
  PID 3068 (Explorer.EXE) wrote to memory of 3308 (DllHost.exe)
  PID 3068 (Explorer.EXE) wrote to memory of 3408 (StartMenuExperienceHost.exe)
  PID 3068 (Explorer.EXE) wrote to memory of 3524 (RuntimeBroker.exe)
  PID 3068 (Explorer.EXE) wrote to memory of 3632 (SearchApp.exe)
  PID 3068 (Explorer.EXE) wrote to memory of 3828 (RuntimeBroker.exe)
  PID 3068 (Explorer.EXE) wrote to memory of 4772 (RuntimeBroker.exe)
  PID 3068 (Explorer.EXE) wrote to memory of 4216 (16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426.exe)
  PID 3068 (Explorer.EXE) wrote to memory of 1576 (cmd.exe)
Processes
(process tree; each entry gives the image path, the PID, the command line and the signatures attached to it; indentation shows parent/child relationships)

C:\Windows\system32\svchost.exe (PID 3120)
  Command: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\System32\RuntimeBroker.exe (PID 3524)
  Command: C:\Windows\System32\RuntimeBroker.exe -Embedding
  Signatures: Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\RuntimeBroker.exe (PID 3828)
  Command: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (PID 3632)
  Command: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe (PID 4772)
  Command: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (PID 3408)
  Command: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\DllHost.exe (PID 3308)
  Command: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    C:\Windows\system32\WerFault.exe (PID 1596)
      Command: C:\Windows\system32\WerFault.exe -u -p 3308 -s 848
      Signatures: Program crash

C:\Windows\Explorer.EXE (PID 3068)
  Command: C:\Windows\Explorer.EXE
  Signatures: Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426.exe (PID 4216)
      Command: "C:\Users\Admin\AppData\Local\Temp\16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426.exe"
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (PID 1576)
          Command: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS9857~1.BAT"

C:\Windows\system32\taskhostw.exe (PID 2452)
  Command: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe (PID 2404)
  Command: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\sihost.exe (PID 2360)
  Command: sihost.exe

C:\Windows\system32\WerFault.exe (PID 2284)
  Command: C:\Windows\system32\WerFault.exe -pss -s 408 -p 3308 -ip 3308
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 201B
MD5: 82ed3758730e09410afaf73af47a4285
SHA1: 79d90204eaed8ebd323b9a276047321b1c656155
SHA256: 70ca2c6d279ad7b3d85b03df7acf5d438af0b69c239bfc4131bf31ed4da86dce
SHA512: 240e1267dfa1f66c920d58cca7ba62e4b684e0f76ff4012ebd9f93e8d882c82a25130cd29c4119d3f5c7ecb7acabf79dfe77f9b88be3a3ff52fc3db837a704a4