fd56c0575f88516d18618f948348845251d51a0526e84bea3a5ef6929a2ac41a

General

Target

fd56c0575f88516d18618f948348845251d51a0526e84bea3a5ef6929a2ac41a.exe
Size

4.2MB
MD5

641a3c89cdebd4be64517c1a8c5e6603
SHA1

39ed3d1d168de659fe89771abb0c4abb762c9505
SHA256

fd56c0575f88516d18618f948348845251d51a0526e84bea3a5ef6929a2ac41a
SHA512

463362abce9f1a1282d22f85230fc1626ef76cd7f67b15fa057640005a901f3c98012116febff7693559660735dff26ae558fcfc30dbd4f8b3abfa21cd4ebda7
SSDEEP

49152:Bx28PbFFbDmcVY9yIsI/qaQjI6DpiRp5ZtCaMRka7eQxh+KDQy8YTc7cN6oe4C8r:+utKcm9yB4iIEiB2+a7eUkur

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2052	Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38USOPrivate-type1.2.4.0.exe
4572	Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38USOPrivate-type1.2.4.0.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1560	icacls.exe
1440	icacls.exe
2292	icacls.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1084 set thread context of 4080	1084	fd56c0575f88516d18618f948348845251d51a0526e84bea3a5ef6929a2ac41a.exe	88

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1624	schtasks.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 4080	1084	fd56c0575f88516d18618f948348845251d51a0526e84bea3a5ef6929a2ac41a.exe	88
PID 1084 wrote to memory of 4080	1084	fd56c0575f88516d18618f948348845251d51a0526e84bea3a5ef6929a2ac41a.exe	88
PID 1084 wrote to memory of 4080	1084	fd56c0575f88516d18618f948348845251d51a0526e84bea3a5ef6929a2ac41a.exe	88
PID 1084 wrote to memory of 4080	1084	fd56c0575f88516d18618f948348845251d51a0526e84bea3a5ef6929a2ac41a.exe	88
PID 1084 wrote to memory of 4080	1084	fd56c0575f88516d18618f948348845251d51a0526e84bea3a5ef6929a2ac41a.exe	88
PID 4080 wrote to memory of 1560	4080	MSBuild.exe	95
PID 4080 wrote to memory of 1560	4080	MSBuild.exe	95
PID 4080 wrote to memory of 1560	4080	MSBuild.exe	95
PID 4080 wrote to memory of 1440	4080	MSBuild.exe	97
PID 4080 wrote to memory of 1440	4080	MSBuild.exe	97
PID 4080 wrote to memory of 1440	4080	MSBuild.exe	97
PID 4080 wrote to memory of 2292	4080	MSBuild.exe	99
PID 4080 wrote to memory of 2292	4080	MSBuild.exe	99
PID 4080 wrote to memory of 2292	4080	MSBuild.exe	99
PID 4080 wrote to memory of 1624	4080	MSBuild.exe	101
PID 4080 wrote to memory of 1624	4080	MSBuild.exe	101
PID 4080 wrote to memory of 1624	4080	MSBuild.exe	101
PID 4080 wrote to memory of 2052	4080	MSBuild.exe	103
PID 4080 wrote to memory of 2052	4080	MSBuild.exe	103

C:\Users\Admin\AppData\Local\Temp\fd56c0575f88516d18618f948348845251d51a0526e84bea3a5ef6929a2ac41a.exe
"C:\Users\Admin\AppData\Local\Temp\fd56c0575f88516d18618f948348845251d51a0526e84bea3a5ef6929a2ac41a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4080
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38USOPrivate-type1.2.4.0" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:1560
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38USOPrivate-type1.2.4.0" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:1440
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38USOPrivate-type1.2.4.0" /inheritance:e /deny "admin:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:2292
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /CREATE /TN "Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38USOPrivate-type1.2.4.0\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38USOPrivate-type1.2.4.0" /TR "C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38USOPrivate-type1.2.4.0\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38USOPrivate-type1.2.4.0.exe" /SC MINUTE
    3⤵
    - Creates scheduled task(s)
    PID:1624
- - C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38USOPrivate-type1.2.4.0\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38USOPrivate-type1.2.4.0.exe
    "C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38USOPrivate-type1.2.4.0\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38USOPrivate-type1.2.4.0.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Executes dropped EXE
    PID:2052

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38USOPrivate-type1.2.4.0\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38USOPrivate-type1.2.4.0.exe
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38USOPrivate-type1.2.4.0\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38USOPrivate-type1.2.4.0.exe
1⤵
- Executes dropped EXE
PID:4572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38USOPrivate-type1.2.4.0\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38USOPrivate-type1.2.4.0.exe

Filesize
679.2MB

MD5
b526a410fd1cae64e3ed79ff122252af

SHA1
c8ad493a4d531aba3c8e1771d772ed1c47dd2cb3

SHA256
120350416009d5057b07ae1555c8a6d9caaae5d117130650edf784ed28673914

SHA512
846b22098d3f71a5db387bfeda55b669ee52b7086bfe6ecc691778e6e9f22e1682b1eaddeb96f784e5f0f21bd79f22aa361266d659249f0cc93e3489c61ce712

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38USOPrivate-type1.2.4.0\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38USOPrivate-type1.2.4.0.exe

Filesize
679.2MB

MD5
b526a410fd1cae64e3ed79ff122252af

SHA1
c8ad493a4d531aba3c8e1771d772ed1c47dd2cb3

SHA256
120350416009d5057b07ae1555c8a6d9caaae5d117130650edf784ed28673914

SHA512
846b22098d3f71a5db387bfeda55b669ee52b7086bfe6ecc691778e6e9f22e1682b1eaddeb96f784e5f0f21bd79f22aa361266d659249f0cc93e3489c61ce712

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38USOPrivate-type1.2.4.0\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38USOPrivate-type1.2.4.0.exe

Filesize
593.2MB

MD5
fa0012b16dc3ab85a02a19e13a4fea27

SHA1
b0f356b7223b75cec93f76f7ed67c37d44926a4a

SHA256
cab9ce362d591ac10c394e5537fd7f8656fa6409c7e9e1ec8a7d6a71a9c1c9bc

SHA512
6152e8235f176ce447dd33389188819278e2f1634e1d42e16288c57f5a65225194f2b5a0ffe92d4a436f5f24f96ce5f57e51e6f480ea6342d7387ee97da40701

Download Submit
memory/4080-134-0x0000000000910000-0x0000000000D38000-memory.dmp

Filesize
4.2MB

Download
memory/4080-139-0x00000000058D0000-0x0000000005E74000-memory.dmp

Filesize
5.6MB

Download
memory/4080-140-0x00000000053C0000-0x0000000005452000-memory.dmp

Filesize
584KB

Download
memory/4080-141-0x0000000005350000-0x000000000535A000-memory.dmp

Filesize
40KB

Download
memory/4080-142-0x00000000052D0000-0x00000000052E0000-memory.dmp

Filesize
64KB

Download
memory/4080-143-0x00000000052D0000-0x00000000052E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads