2584fbe24ad7ee8e837673d1df2f7b7dbced157012ee30cbddc84fa2c542fed4

General

Target

ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe
Size

144KB
MD5

165e0668c9007305f4335ff6ed4c9854
SHA1

b8ff03c73b8df5f9a840378b6862c39bd2b5eb5a
SHA256

9bfb04be2ce0a624be8edc3666d93686b73ead053644430876047c4a88862881
SHA512

a0232ea13fc9e30b9fbe89cd865a608ddb5137d03642ccb9674bfb8cd12590ac8560f6f6adc0ef2ee6040e50216f0abc1110d7d457b468534649eb2de8e5984b
SSDEEP

3072:UT6NN25fPi/Xaxa6keLTCYAo4RaHOP6AU59ZvHa3B:5fMXi/XaxBn3C3o4ROOybLCR

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\metlqowx.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\metlqowx.exe\""	Explorer.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2472 set thread context of 3880	2472	ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe	80

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2060	3384	WerFault.exe	47

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2472	ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe
2472	ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe
3880	ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe
3880	ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe
2644	Explorer.EXE
2644	Explorer.EXE
2644	Explorer.EXE
2644	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2644	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3880	ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe
Token: SeDebugPrivilege	2644	Explorer.EXE
Token: SeShutdownPrivilege	2644	Explorer.EXE
Token: SeCreatePagefilePrivilege	2644	Explorer.EXE
Token: SeShutdownPrivilege	3552	RuntimeBroker.exe
Token: SeShutdownPrivilege	3552	RuntimeBroker.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2472	ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe
2472	ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 3880	2472	ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe	80
PID 2472 wrote to memory of 3880	2472	ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe	80
PID 2472 wrote to memory of 3880	2472	ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe	80
PID 2472 wrote to memory of 3880	2472	ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe	80
PID 2472 wrote to memory of 3880	2472	ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe	80
PID 2472 wrote to memory of 3880	2472	ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe	80
PID 2472 wrote to memory of 3880	2472	ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe	80
PID 2472 wrote to memory of 3880	2472	ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe	80
PID 2472 wrote to memory of 3880	2472	ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe	80
PID 3880 wrote to memory of 4824	3880	ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe	81
PID 3880 wrote to memory of 4824	3880	ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe	81
PID 3880 wrote to memory of 4824	3880	ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe	81
PID 3880 wrote to memory of 2644	3880	ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe	46
PID 2644 wrote to memory of 2388	2644	Explorer.EXE	58
PID 2644 wrote to memory of 2396	2644	Explorer.EXE	50
PID 2644 wrote to memory of 2512	2644	Explorer.EXE	38
PID 2644 wrote to memory of 3188	2644	Explorer.EXE	48
PID 2644 wrote to memory of 3384	2644	Explorer.EXE	47
PID 2644 wrote to memory of 3488	2644	Explorer.EXE	57
PID 2644 wrote to memory of 3552	2644	Explorer.EXE	51
PID 2644 wrote to memory of 3640	2644	Explorer.EXE	55
PID 2644 wrote to memory of 3796	2644	Explorer.EXE	54
PID 2644 wrote to memory of 4680	2644	Explorer.EXE	56
PID 2644 wrote to memory of 4824	2644	Explorer.EXE	81
PID 2644 wrote to memory of 4796	2644	Explorer.EXE	82

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2512

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Users\Admin\AppData\Local\Temp\ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe
  "C:\Users\Admin\AppData\Local\Temp\ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Users\Admin\AppData\Local\Temp\ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe
    C:\Users\Admin\AppData\Local\Temp\ihre_telekom_mobilfunk_december_2014_8320002103_12_01_910238002_1_9_3_7_001_002.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3880
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\ms787571.bat"
      4⤵
      PID:4824
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4796

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3384
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3384 -s 1000
  2⤵
  - Program crash
  PID:2060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2396

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3552

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3796

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3640

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4680

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3488

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2388

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 428 -p 3384 -ip 3384
1⤵
PID:1520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms787571.bat

Filesize
201B

MD5
587ff3d3b2508da4765027db5f3c8383

SHA1
f89dccfb1d0040b330104d508fed11cc14bf04bb

SHA256
4a873dbcea6d6a680937e0901ca30e7d1dd80de5df55ff51fdf77af5ab3a6dc7

SHA512
f2509c22f1a7ff78f2659f1f6582750c1391ba2f21b5d457c34f261d76641b6030477054426893d946b1d06518d7fa416677ba9df1f1c74fe4fe268e920a1bb4

Download Submit
memory/2388-140-0x00007FFA46370000-0x00007FFA46380000-memory.dmp

Filesize
64KB

Download
memory/2388-155-0x000002D7B0D40000-0x000002D7B0D57000-memory.dmp

Filesize
92KB

Download
memory/2396-153-0x0000027F96BD0000-0x0000027F96BE7000-memory.dmp

Filesize
92KB

Download
memory/2396-141-0x00007FFA46370000-0x00007FFA46380000-memory.dmp

Filesize
64KB

Download
memory/2472-136-0x0000000002C50000-0x0000000002C54000-memory.dmp

Filesize
16KB

Download
memory/2512-142-0x00007FFA46370000-0x00007FFA46380000-memory.dmp

Filesize
64KB

Download
memory/2512-156-0x00000229AD660000-0x00000229AD677000-memory.dmp

Filesize
92KB

Download
memory/2644-162-0x0000000001410000-0x0000000001427000-memory.dmp

Filesize
92KB

Download
memory/2644-154-0x0000000001410000-0x0000000001427000-memory.dmp

Filesize
92KB

Download
memory/2644-139-0x00007FFA46370000-0x00007FFA46380000-memory.dmp

Filesize
64KB

Download
memory/3188-157-0x000002EF957D0000-0x000002EF957E7000-memory.dmp

Filesize
92KB

Download
memory/3188-143-0x00007FFA46370000-0x00007FFA46380000-memory.dmp

Filesize
64KB

Download
memory/3488-158-0x0000024CAE9E0000-0x0000024CAE9F7000-memory.dmp

Filesize
92KB

Download
memory/3488-144-0x00007FFA46370000-0x00007FFA46380000-memory.dmp

Filesize
64KB

Download
memory/3552-145-0x00007FFA46370000-0x00007FFA46380000-memory.dmp

Filesize
64KB

Download
memory/3552-159-0x000001EBBF360000-0x000001EBBF377000-memory.dmp

Filesize
92KB

Download
memory/3796-148-0x00007FFA46370000-0x00007FFA46380000-memory.dmp

Filesize
64KB

Download
memory/3796-160-0x00000281A7FD0000-0x00000281A7FE7000-memory.dmp

Filesize
92KB

Download
memory/3880-135-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3880-138-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3880-133-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4680-146-0x00007FFA46370000-0x00007FFA46380000-memory.dmp

Filesize
64KB

Download
memory/4680-161-0x000001A2ED5A0000-0x000001A2ED5B7000-memory.dmp

Filesize
92KB

Download
memory/4796-152-0x000001A538890000-0x000001A5388A7000-memory.dmp

Filesize
92KB

Download
memory/4796-147-0x00007FFA46370000-0x00007FFA46380000-memory.dmp

Filesize
64KB

Download
memory/4824-151-0x0000000001490000-0x00000000014A4000-memory.dmp

Filesize
80KB

Download
memory/4824-149-0x00000000377A0000-0x00000000377B0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing