16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426

General

Target

16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426.exe
Size

282KB
MD5

572540a337ad063e789274532cbe9132
SHA1

1f36c5c0ce67f9fe9dd1cd716ab4e6058734955d
SHA256

16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426
SHA512

24810cc3a63153a5839c2d7e1de4b9f9d51a8f19363482f8a716d34c5f6e21e11a54abf6e17935c0a06d92e82afc07a053c52416052f09fd5e5745fcf8d9abfa
SSDEEP

6144:62DRZVcMcpBrucMhrndQqAgKnef8AnA3n/LbFP1Z3s9B7txu8udmSr/:6cguRT1gRN1tsPBHSr

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\metlqowx.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\metlqowx.exe\""	Explorer.EXE

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1596 3308 WerFault.exe DllHost.exe

pid	pid_target	process	target process
1596	3308	WerFault.exe	DllHost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426.exeExplorer.EXE

pid	process
4216	16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426.exe
4216	16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426.exe
3068	Explorer.EXE
3068	Explorer.EXE
3068	Explorer.EXE
3068	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3068 Explorer.EXE

pid	process
3068	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426.exeExplorer.EXERuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	4216	16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426.exe
Token: SeDebugPrivilege	3068	Explorer.EXE
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeShutdownPrivilege	3524	RuntimeBroker.exe
Token: SeShutdownPrivilege	3524	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426.exeExplorer.EXE

description	pid	process	target process
PID 4216 wrote to memory of 1576	4216	16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426.exe	cmd.exe
PID 4216 wrote to memory of 1576	4216	16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426.exe	cmd.exe
PID 4216 wrote to memory of 1576	4216	16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426.exe	cmd.exe
PID 4216 wrote to memory of 3068	4216	16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426.exe	Explorer.EXE
PID 3068 wrote to memory of 2360	3068	Explorer.EXE	sihost.exe
PID 3068 wrote to memory of 2404	3068	Explorer.EXE	svchost.exe
PID 3068 wrote to memory of 2452	3068	Explorer.EXE	taskhostw.exe
PID 3068 wrote to memory of 3120	3068	Explorer.EXE	svchost.exe
PID 3068 wrote to memory of 3308	3068	Explorer.EXE	DllHost.exe
PID 3068 wrote to memory of 3408	3068	Explorer.EXE	StartMenuExperienceHost.exe
PID 3068 wrote to memory of 3524	3068	Explorer.EXE	RuntimeBroker.exe
PID 3068 wrote to memory of 3632	3068	Explorer.EXE	SearchApp.exe
PID 3068 wrote to memory of 3828	3068	Explorer.EXE	RuntimeBroker.exe
PID 3068 wrote to memory of 4772	3068	Explorer.EXE	RuntimeBroker.exe
PID 3068 wrote to memory of 4216	3068	Explorer.EXE	16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426.exe
PID 3068 wrote to memory of 1576	3068	Explorer.EXE	cmd.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3120

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3524

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3828

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3632

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4772

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3408

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3308

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3308 -s 848
2⤵
- Program crash
PID:1596

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068

C:\Users\Admin\AppData\Local\Temp\16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426.exe
"C:\Users\Admin\AppData\Local\Temp\16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4216

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS9857~1.BAT"
3⤵
PID:1576

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2404

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2360

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 3308 -ip 3308
1⤵
PID:2284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms9857819.bat

Filesize
201B

MD5
82ed3758730e09410afaf73af47a4285

SHA1
79d90204eaed8ebd323b9a276047321b1c656155

SHA256
70ca2c6d279ad7b3d85b03df7acf5d438af0b69c239bfc4131bf31ed4da86dce

SHA512
240e1267dfa1f66c920d58cca7ba62e4b684e0f76ff4012ebd9f93e8d882c82a25130cd29c4119d3f5c7ecb7acabf79dfe77f9b88be3a3ff52fc3db837a704a4

Download Submit
memory/1576-145-0x0000000037D80000-0x0000000037D90000-memory.dmp

Filesize
64KB

Download
memory/1576-134-0x0000000000000000-mapping.dmp

Download
memory/1576-147-0x0000000000390000-0x00000000003A4000-memory.dmp

Filesize
80KB

Download
memory/2360-149-0x0000021D51FC0000-0x0000021D51FD7000-memory.dmp

Filesize
92KB

Download
memory/2360-136-0x00007FF7CC670000-0x00007FF7CC680000-memory.dmp

Filesize
64KB

Download
memory/2404-137-0x00007FF7CC670000-0x00007FF7CC680000-memory.dmp

Filesize
64KB

Download
memory/2404-150-0x000001F0B40B0000-0x000001F0B40C7000-memory.dmp

Filesize
92KB

Download
memory/2452-151-0x00000183AE270000-0x00000183AE287000-memory.dmp

Filesize
92KB

Download
memory/2452-138-0x00007FF7CC670000-0x00007FF7CC680000-memory.dmp

Filesize
64KB

Download
memory/3068-135-0x00007FF7CC670000-0x00007FF7CC680000-memory.dmp

Filesize
64KB

Download
memory/3068-157-0x0000000002D70000-0x0000000002D87000-memory.dmp

Filesize
92KB

Download
memory/3068-148-0x0000000002D70000-0x0000000002D87000-memory.dmp

Filesize
92KB

Download
memory/3120-140-0x00007FF7CC670000-0x00007FF7CC680000-memory.dmp

Filesize
64KB

Download
memory/3120-152-0x00000234A96C0000-0x00000234A96D7000-memory.dmp

Filesize
92KB

Download
memory/3408-153-0x000001760CC30000-0x000001760CC47000-memory.dmp

Filesize
92KB

Download
memory/3408-139-0x00007FF7CC670000-0x00007FF7CC680000-memory.dmp

Filesize
64KB

Download
memory/3524-154-0x000002BCE1AF0000-0x000002BCE1B07000-memory.dmp

Filesize
92KB

Download
memory/3524-141-0x00007FF7CC670000-0x00007FF7CC680000-memory.dmp

Filesize
64KB

Download
memory/3828-142-0x00007FF7CC670000-0x00007FF7CC680000-memory.dmp

Filesize
64KB

Download
memory/3828-155-0x000002290A000000-0x000002290A017000-memory.dmp

Filesize
92KB

Download
memory/4216-144-0x0000000000890000-0x00000000008DD000-memory.dmp

Filesize
308KB

Download
memory/4216-132-0x0000000000F90000-0x0000000000F9E000-memory.dmp

Filesize
56KB

Download
memory/4216-133-0x0000000000890000-0x00000000008DD000-memory.dmp

Filesize
308KB

Download
memory/4772-143-0x00007FF7CC670000-0x00007FF7CC680000-memory.dmp

Filesize
64KB

Download
memory/4772-156-0x000001225B050000-0x000001225B067000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads