de4a2710d790bdc0a3d8ce259a70d04b5c91bccfa092786adf57a76cb7bd601a

General

Target

rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe
Size

152KB
MD5

f3ebd9dc2bb17ade3db704bcf06ddb6c
SHA1

8c827a862c86991d6f2012174c982c8bd4673fd1
SHA256

fd72f9b70df6b6acfaa5a6553bd0094a260982aa9a63f38163e380fa600b54c4
SHA512

f627a94307d0ee7517adb49f6820fef9c1a24b81b3777e6d0552ae475080c1b45f4e46ceafe097e9a6eeda48e00491bd7643961fedd8263453e77fb3372075b1
SSDEEP

3072:wXUSu53x+vhiBIVHIpSot5A9mW+iDbG8jOz102+SvJex9Jf+ySd+zr3/182:GChx+5iaVopH7A9mhEG8Sz6LOUj/

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\metlqowx.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\metlqowx.exe\""	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2224 set thread context of 2424	2224	rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe	80

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3184	3296	WerFault.exe	45

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2224	rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe
2224	rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe
2424	rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe
2424	rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe
2864	Explorer.EXE
2864	Explorer.EXE
2864	Explorer.EXE
2864	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2864	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2424	rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe
Token: SeDebugPrivilege	2864	Explorer.EXE
Token: SeShutdownPrivilege	2864	Explorer.EXE
Token: SeCreatePagefilePrivilege	2864	Explorer.EXE
Token: SeShutdownPrivilege	3452	RuntimeBroker.exe
Token: SeShutdownPrivilege	3452	RuntimeBroker.exe
Token: SeShutdownPrivilege	3452	RuntimeBroker.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2224	rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe
2224	rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2424	2224	rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe	80
PID 2224 wrote to memory of 2424	2224	rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe	80
PID 2224 wrote to memory of 2424	2224	rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe	80
PID 2224 wrote to memory of 2424	2224	rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe	80
PID 2224 wrote to memory of 2424	2224	rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe	80
PID 2224 wrote to memory of 2424	2224	rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe	80
PID 2224 wrote to memory of 2424	2224	rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe	80
PID 2224 wrote to memory of 2424	2224	rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe	80
PID 2224 wrote to memory of 2424	2224	rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe	80
PID 2424 wrote to memory of 5016	2424	rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe	81
PID 2424 wrote to memory of 5016	2424	rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe	81
PID 2424 wrote to memory of 5016	2424	rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe	81
PID 2424 wrote to memory of 2864	2424	rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe	39
PID 2864 wrote to memory of 2364	2864	Explorer.EXE	67
PID 2864 wrote to memory of 2404	2864	Explorer.EXE	31
PID 2864 wrote to memory of 2516	2864	Explorer.EXE	33
PID 2864 wrote to memory of 3128	2864	Explorer.EXE	40
PID 2864 wrote to memory of 3296	2864	Explorer.EXE	45
PID 2864 wrote to memory of 3384	2864	Explorer.EXE	41
PID 2864 wrote to memory of 3452	2864	Explorer.EXE	42
PID 2864 wrote to memory of 3536	2864	Explorer.EXE	43
PID 2864 wrote to memory of 3736	2864	Explorer.EXE	44
PID 2864 wrote to memory of 4708	2864	Explorer.EXE	65
PID 2864 wrote to memory of 5016	2864	Explorer.EXE	81
PID 2864 wrote to memory of 5032	2864	Explorer.EXE	82

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2404

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2516

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Users\Admin\AppData\Local\Temp\rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe
  "C:\Users\Admin\AppData\Local\Temp\rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Users\Admin\AppData\Local\Temp\rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe
    C:\Users\Admin\AppData\Local\Temp\rechnung_november_2014_0003900028_2014_11_0029302375471_03_444_0039938289.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS9042~1.BAT"
      4⤵
      PID:5016
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3128

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3384

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3452

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3536

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3736

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3296
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3296 -s 356
  2⤵
  - Program crash
  PID:3184

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4708

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2364

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 424 -p 3296 -ip 3296
1⤵
PID:3228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms9042738.bat

Filesize
201B

MD5
3e2e3059941a1e44fe5386cb6db4c329

SHA1
9ad893a95b39d820bcb15f87bb8002805a617af4

SHA256
074852bc8355fe5d663e35482fe11147f02c3674ebf801a769c42f19cf2c6f76

SHA512
4e67c0e554479cdd34e09224c90147b6b2c1b84aed4c697fc78bdff2c2fb89518a9749e2d2456fa7eb33e78013326427eb91451f74acc16bd3203c35e67df58e

Download Submit
memory/2364-146-0x000001E4B2250000-0x000001E4B2267000-memory.dmp

Filesize
92KB

Download
memory/2364-140-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp

Filesize
64KB

Download
memory/2404-143-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp

Filesize
64KB

Download
memory/2404-148-0x000001F2E0B50000-0x000001F2E0B67000-memory.dmp

Filesize
92KB

Download
memory/2424-138-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2424-135-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2424-133-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2516-149-0x000001DD74520000-0x000001DD74537000-memory.dmp

Filesize
92KB

Download
memory/2516-141-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp

Filesize
64KB

Download
memory/2864-137-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp

Filesize
64KB

Download
memory/2864-147-0x00000000004D0000-0x00000000004E7000-memory.dmp

Filesize
92KB

Download
memory/2864-161-0x00000000004D0000-0x00000000004E7000-memory.dmp

Filesize
92KB

Download
memory/3128-142-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp

Filesize
64KB

Download
memory/3128-151-0x000001F2D58F0000-0x000001F2D5907000-memory.dmp

Filesize
92KB

Download
memory/3384-145-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp

Filesize
64KB

Download
memory/3384-155-0x000002BD52C80000-0x000002BD52C97000-memory.dmp

Filesize
92KB

Download
memory/3452-144-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp

Filesize
64KB

Download
memory/3452-154-0x0000029FC3BD0000-0x0000029FC3BE7000-memory.dmp

Filesize
92KB

Download
memory/3736-150-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp

Filesize
64KB

Download
memory/3736-160-0x00000294A2940000-0x00000294A2957000-memory.dmp

Filesize
92KB

Download
memory/4708-156-0x000001DBD7FC0000-0x000001DBD7FD7000-memory.dmp

Filesize
92KB

Download
memory/4708-153-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp

Filesize
64KB

Download
memory/5016-158-0x0000000037340000-0x0000000037350000-memory.dmp

Filesize
64KB

Download
memory/5016-159-0x0000000001190000-0x00000000011A4000-memory.dmp

Filesize
80KB

Download
memory/5032-152-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmp

Filesize
64KB

Download
memory/5032-157-0x000001B3CB620000-0x000001B3CB637000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing