44fc233405668d203b9ff9cbaf6ec5fffca2e4b99ffae1b2cd4cac977763fbbd

General

Target

44fc233405668d203b9ff9cbaf6ec5fffca2e4b99ffae1b2cd4cac977763fbbd.exe
Size

4.2MB
MD5

c703c77dcf8e51ae01114701f03c8885
SHA1

cf07f0e81996a6be578dfe63a7f4a8fcb02ebbc9
SHA256

44fc233405668d203b9ff9cbaf6ec5fffca2e4b99ffae1b2cd4cac977763fbbd
SHA512

3644dec0e9ee6870f90a368778c546f4e44035fece60f4e4b9af63db2a95d0fc7972bf121d1db1464e68d4fe773431a4d8969ef58c3875601b886100fe69c403
SSDEEP

49152:Cx28PbFFbDmcVY9yIsI/qaQjI6DpiRp5ZtCaMRka7eQxh+KDQy8YTc7cN6oe4C8C:PutKcm9yB4iIEiB2+a7eUkuC

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3760	Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38USOShared-type1.3.5.9.exe
4848	Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38USOShared-type1.3.5.9.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2700	icacls.exe
3900	icacls.exe
1672	icacls.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4208 set thread context of 4284	4208	44fc233405668d203b9ff9cbaf6ec5fffca2e4b99ffae1b2cd4cac977763fbbd.exe	87

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4300	schtasks.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4208 wrote to memory of 4284	4208	44fc233405668d203b9ff9cbaf6ec5fffca2e4b99ffae1b2cd4cac977763fbbd.exe	87
PID 4208 wrote to memory of 4284	4208	44fc233405668d203b9ff9cbaf6ec5fffca2e4b99ffae1b2cd4cac977763fbbd.exe	87
PID 4208 wrote to memory of 4284	4208	44fc233405668d203b9ff9cbaf6ec5fffca2e4b99ffae1b2cd4cac977763fbbd.exe	87
PID 4208 wrote to memory of 4284	4208	44fc233405668d203b9ff9cbaf6ec5fffca2e4b99ffae1b2cd4cac977763fbbd.exe	87
PID 4208 wrote to memory of 4284	4208	44fc233405668d203b9ff9cbaf6ec5fffca2e4b99ffae1b2cd4cac977763fbbd.exe	87
PID 4284 wrote to memory of 2700	4284	MSBuild.exe	94
PID 4284 wrote to memory of 2700	4284	MSBuild.exe	94
PID 4284 wrote to memory of 2700	4284	MSBuild.exe	94
PID 4284 wrote to memory of 3900	4284	MSBuild.exe	96
PID 4284 wrote to memory of 3900	4284	MSBuild.exe	96
PID 4284 wrote to memory of 3900	4284	MSBuild.exe	96
PID 4284 wrote to memory of 1672	4284	MSBuild.exe	99
PID 4284 wrote to memory of 1672	4284	MSBuild.exe	99
PID 4284 wrote to memory of 1672	4284	MSBuild.exe	99
PID 4284 wrote to memory of 4300	4284	MSBuild.exe	100
PID 4284 wrote to memory of 4300	4284	MSBuild.exe	100
PID 4284 wrote to memory of 4300	4284	MSBuild.exe	100
PID 4284 wrote to memory of 3760	4284	MSBuild.exe	102
PID 4284 wrote to memory of 3760	4284	MSBuild.exe	102

C:\Users\Admin\AppData\Local\Temp\44fc233405668d203b9ff9cbaf6ec5fffca2e4b99ffae1b2cd4cac977763fbbd.exe
"C:\Users\Admin\AppData\Local\Temp\44fc233405668d203b9ff9cbaf6ec5fffca2e4b99ffae1b2cd4cac977763fbbd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4284
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38USOShared-type1.3.5.9" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:2700
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38USOShared-type1.3.5.9" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:3900
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38USOShared-type1.3.5.9" /inheritance:e /deny "admin:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:1672
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /CREATE /TN "Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38USOShared-type1.3.5.9\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38USOShared-type1.3.5.9" /TR "C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38USOShared-type1.3.5.9\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38USOShared-type1.3.5.9.exe" /SC MINUTE
    3⤵
    - Creates scheduled task(s)
    PID:4300
- - C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38USOShared-type1.3.5.9\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38USOShared-type1.3.5.9.exe
    "C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38USOShared-type1.3.5.9\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38USOShared-type1.3.5.9.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Executes dropped EXE
    PID:3760

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38USOShared-type1.3.5.9\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38USOShared-type1.3.5.9.exe
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38USOShared-type1.3.5.9\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38USOShared-type1.3.5.9.exe
1⤵
- Executes dropped EXE
PID:4848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38USOShared-type1.3.5.9\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38USOShared-type1.3.5.9.exe

Filesize
683.5MB

MD5
1853499630096b9c9fd661c554202d1f

SHA1
f67c33d2f78e2ab1516e30fd098bb3384dbf82cf

SHA256
f350660ab205e673a47e961892fc5ed48ce19e645172a420a0b77f1a494d761d

SHA512
735c0ed7cd4512d02ed5e2ed1a8901f412fb41b151584121af72c44a5428b89ba51de602e11f01365301ff95e59999d4557db3c24b53ffdfcacacddcd926e6e8

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38USOShared-type1.3.5.9\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38USOShared-type1.3.5.9.exe

Filesize
683.5MB

MD5
1853499630096b9c9fd661c554202d1f

SHA1
f67c33d2f78e2ab1516e30fd098bb3384dbf82cf

SHA256
f350660ab205e673a47e961892fc5ed48ce19e645172a420a0b77f1a494d761d

SHA512
735c0ed7cd4512d02ed5e2ed1a8901f412fb41b151584121af72c44a5428b89ba51de602e11f01365301ff95e59999d4557db3c24b53ffdfcacacddcd926e6e8

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38USOShared-type1.3.5.9\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38USOShared-type1.3.5.9.exe

Filesize
435.3MB

MD5
c49401e8902a101439d72df727b82974

SHA1
a548d4b4e4988ae79342127de93dc90c780bac64

SHA256
40436e1d555039736cee1326d6ff228bfe6d5f11f6d79de64a5c4918300cd918

SHA512
991d1c37f28a8945185ed06251ea0a14e75edf454f368edbf164954e6a233f4123770d24c3abc1c32c0bc8ea52ca3b702f5a3a099212ab5475a1a350bcb94596

Download Submit
memory/4284-134-0x0000000000500000-0x0000000000928000-memory.dmp

Filesize
4.2MB

Download
memory/4284-139-0x00000000054A0000-0x0000000005A44000-memory.dmp

Filesize
5.6MB

Download
memory/4284-140-0x0000000004EF0000-0x0000000004F82000-memory.dmp

Filesize
584KB

Download
memory/4284-141-0x0000000004E60000-0x0000000004E6A000-memory.dmp

Filesize
40KB

Download
memory/4284-142-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/4284-143-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/4284-144-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/4284-145-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads