f42a37d59e8034fc310c58c0eb3aef19426f562602e9d79d7f9189c625061ad3

Analysis

max time kernel
74s
max time network
31s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06-03-2023 22:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f42a37d59e8034fc310c58c0eb3aef19426f562602e9d79d7f9189c625061ad3.exe
Size

4.2MB
MD5

62b50ea3ba98413176469822113246c0
SHA1

cdbdebfb16abe5a4c46d4102a85768f65e5b3c5d
SHA256

f42a37d59e8034fc310c58c0eb3aef19426f562602e9d79d7f9189c625061ad3
SHA512

92b3d74e45264d5619ca392aaefbc23a889955a0fa577b298d470bcde106e8622cab942814b2d91fa1c73b0d828387a0ea59c63f00e0a64236a9ed4b7ee6053e
SSDEEP

98304:zEhTEG4s2Rk5cs38shhSNjJe+i4sYeq69DedTV0VbTXF2RAvRthw:zRG4sskf38s7MjJeVYT69id+VbaMc

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1656	AdobeMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type1.7.4.4.exe
1236	AdobeMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type1.7.4.4.exe

Loads dropped DLL 4 IoCs

pid	Process
1980	AppLaunch.exe
1980	AppLaunch.exe
1368	taskeng.exe
1368	taskeng.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
472	icacls.exe
268	icacls.exe
1708	icacls.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2016 set thread context of 1980	2016	f42a37d59e8034fc310c58c0eb3aef19426f562602e9d79d7f9189c625061ad3.exe	29

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1044	schtasks.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 1980	2016	f42a37d59e8034fc310c58c0eb3aef19426f562602e9d79d7f9189c625061ad3.exe	29
PID 2016 wrote to memory of 1980	2016	f42a37d59e8034fc310c58c0eb3aef19426f562602e9d79d7f9189c625061ad3.exe	29
PID 2016 wrote to memory of 1980	2016	f42a37d59e8034fc310c58c0eb3aef19426f562602e9d79d7f9189c625061ad3.exe	29
PID 2016 wrote to memory of 1980	2016	f42a37d59e8034fc310c58c0eb3aef19426f562602e9d79d7f9189c625061ad3.exe	29
PID 2016 wrote to memory of 1980	2016	f42a37d59e8034fc310c58c0eb3aef19426f562602e9d79d7f9189c625061ad3.exe	29
PID 2016 wrote to memory of 1980	2016	f42a37d59e8034fc310c58c0eb3aef19426f562602e9d79d7f9189c625061ad3.exe	29
PID 2016 wrote to memory of 1980	2016	f42a37d59e8034fc310c58c0eb3aef19426f562602e9d79d7f9189c625061ad3.exe	29
PID 2016 wrote to memory of 1980	2016	f42a37d59e8034fc310c58c0eb3aef19426f562602e9d79d7f9189c625061ad3.exe	29
PID 2016 wrote to memory of 1980	2016	f42a37d59e8034fc310c58c0eb3aef19426f562602e9d79d7f9189c625061ad3.exe	29
PID 1980 wrote to memory of 472	1980	AppLaunch.exe	30
PID 1980 wrote to memory of 472	1980	AppLaunch.exe	30
PID 1980 wrote to memory of 472	1980	AppLaunch.exe	30
PID 1980 wrote to memory of 472	1980	AppLaunch.exe	30
PID 1980 wrote to memory of 472	1980	AppLaunch.exe	30
PID 1980 wrote to memory of 472	1980	AppLaunch.exe	30
PID 1980 wrote to memory of 472	1980	AppLaunch.exe	30
PID 1980 wrote to memory of 268	1980	AppLaunch.exe	32
PID 1980 wrote to memory of 268	1980	AppLaunch.exe	32
PID 1980 wrote to memory of 268	1980	AppLaunch.exe	32
PID 1980 wrote to memory of 268	1980	AppLaunch.exe	32
PID 1980 wrote to memory of 268	1980	AppLaunch.exe	32
PID 1980 wrote to memory of 268	1980	AppLaunch.exe	32
PID 1980 wrote to memory of 268	1980	AppLaunch.exe	32
PID 1980 wrote to memory of 1708	1980	AppLaunch.exe	34
PID 1980 wrote to memory of 1708	1980	AppLaunch.exe	34
PID 1980 wrote to memory of 1708	1980	AppLaunch.exe	34
PID 1980 wrote to memory of 1708	1980	AppLaunch.exe	34
PID 1980 wrote to memory of 1708	1980	AppLaunch.exe	34
PID 1980 wrote to memory of 1708	1980	AppLaunch.exe	34
PID 1980 wrote to memory of 1708	1980	AppLaunch.exe	34
PID 1980 wrote to memory of 1044	1980	AppLaunch.exe	36
PID 1980 wrote to memory of 1044	1980	AppLaunch.exe	36
PID 1980 wrote to memory of 1044	1980	AppLaunch.exe	36
PID 1980 wrote to memory of 1044	1980	AppLaunch.exe	36
PID 1980 wrote to memory of 1044	1980	AppLaunch.exe	36
PID 1980 wrote to memory of 1044	1980	AppLaunch.exe	36
PID 1980 wrote to memory of 1044	1980	AppLaunch.exe	36
PID 1980 wrote to memory of 1656	1980	AppLaunch.exe	38
PID 1980 wrote to memory of 1656	1980	AppLaunch.exe	38
PID 1980 wrote to memory of 1656	1980	AppLaunch.exe	38
PID 1980 wrote to memory of 1656	1980	AppLaunch.exe	38
PID 1368 wrote to memory of 1236	1368	taskeng.exe	40
PID 1368 wrote to memory of 1236	1368	taskeng.exe	40
PID 1368 wrote to memory of 1236	1368	taskeng.exe	40

C:\Users\Admin\AppData\Local\Temp\f42a37d59e8034fc310c58c0eb3aef19426f562602e9d79d7f9189c625061ad3.exe
"C:\Users\Admin\AppData\Local\Temp\f42a37d59e8034fc310c58c0eb3aef19426f562602e9d79d7f9189c625061ad3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\AdobeMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type1.7.4.4" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:472
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\AdobeMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type1.7.4.4" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:268
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\AdobeMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type1.7.4.4" /inheritance:e /deny "admin:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:1708
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /CREATE /TN "AdobeMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type1.7.4.4\AdobeMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type1.7.4.4" /TR "C:\ProgramData\AdobeMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type1.7.4.4\AdobeMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type1.7.4.4.exe" /SC MINUTE
    3⤵
    - Creates scheduled task(s)
    PID:1044
- - C:\ProgramData\AdobeMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type1.7.4.4\AdobeMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type1.7.4.4.exe
    "C:\ProgramData\AdobeMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type1.7.4.4\AdobeMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type1.7.4.4.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Executes dropped EXE
    PID:1656

C:\Windows\system32\taskeng.exe
taskeng.exe {1F7F66CA-D895-4A72-81F1-4029313F207F} S-1-5-21-3499517378-2376672570-1134980332-1000:MLXLFKOI\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1368
- C:\ProgramData\AdobeMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type1.7.4.4\AdobeMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type1.7.4.4.exe
  C:\ProgramData\AdobeMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type1.7.4.4\AdobeMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type1.7.4.4.exe
  2⤵
  - Executes dropped EXE
  PID:1236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AdobeMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type1.7.4.4\AdobeMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type1.7.4.4.exe

Filesize
677.3MB

MD5
b320880819636ce7fb3797cfa6fe7b57

SHA1
f763dd7e86d063379a866fc7ba6b76bb4d13fc76

SHA256
bff520c249441aa369fbea3c2ec6e1c740ad275b3d6bd0e02ee533289172c611

SHA512
b8cb3a3ab5e3676646b576f0b78724cd8544a1a92eb1c478f8621eeb33e70beb05b99e6a9b95a78d2f1b399eafb79c5d0ed4358053eb9ff6d02da738b46af9ef

Download Submit
C:\ProgramData\AdobeMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type1.7.4.4\AdobeMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type1.7.4.4.exe

Filesize
677.3MB

MD5
b320880819636ce7fb3797cfa6fe7b57

SHA1
f763dd7e86d063379a866fc7ba6b76bb4d13fc76

SHA256
bff520c249441aa369fbea3c2ec6e1c740ad275b3d6bd0e02ee533289172c611

SHA512
b8cb3a3ab5e3676646b576f0b78724cd8544a1a92eb1c478f8621eeb33e70beb05b99e6a9b95a78d2f1b399eafb79c5d0ed4358053eb9ff6d02da738b46af9ef

Download Submit
C:\ProgramData\AdobeMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type1.7.4.4\AdobeMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type1.7.4.4.exe

Filesize
677.3MB

MD5
b320880819636ce7fb3797cfa6fe7b57

SHA1
f763dd7e86d063379a866fc7ba6b76bb4d13fc76

SHA256
bff520c249441aa369fbea3c2ec6e1c740ad275b3d6bd0e02ee533289172c611

SHA512
b8cb3a3ab5e3676646b576f0b78724cd8544a1a92eb1c478f8621eeb33e70beb05b99e6a9b95a78d2f1b399eafb79c5d0ed4358053eb9ff6d02da738b46af9ef

Download Submit
\ProgramData\AdobeMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type1.7.4.4\AdobeMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type1.7.4.4.exe

Filesize
677.3MB

MD5
b320880819636ce7fb3797cfa6fe7b57

SHA1
f763dd7e86d063379a866fc7ba6b76bb4d13fc76

SHA256
bff520c249441aa369fbea3c2ec6e1c740ad275b3d6bd0e02ee533289172c611

SHA512
b8cb3a3ab5e3676646b576f0b78724cd8544a1a92eb1c478f8621eeb33e70beb05b99e6a9b95a78d2f1b399eafb79c5d0ed4358053eb9ff6d02da738b46af9ef

Download Submit
\ProgramData\AdobeMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type1.7.4.4\AdobeMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type1.7.4.4.exe

Filesize
677.3MB

MD5
b320880819636ce7fb3797cfa6fe7b57

SHA1
f763dd7e86d063379a866fc7ba6b76bb4d13fc76

SHA256
bff520c249441aa369fbea3c2ec6e1c740ad275b3d6bd0e02ee533289172c611

SHA512
b8cb3a3ab5e3676646b576f0b78724cd8544a1a92eb1c478f8621eeb33e70beb05b99e6a9b95a78d2f1b399eafb79c5d0ed4358053eb9ff6d02da738b46af9ef

Download Submit
\ProgramData\AdobeMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type1.7.4.4\AdobeMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type1.7.4.4.exe

Filesize
639.9MB

MD5
fe3e5606298a73a59d83457452b159f2

SHA1
f8c57bc724cda3c9c64a67f2c4334876699947a6

SHA256
cccc4749c835154df90ddbf482087cee3c152370d981b1c0cb749794505cee8a

SHA512
ecc1350f4e046133cabcffb65cf2bf6129abff6a9fa86528ed92251d635c23864a286487de683a7b9568604895ca2e1b29fc812ebd5d8b3180db69e128859cfe

Download Submit
\ProgramData\AdobeMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type1.7.4.4\AdobeMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type1.7.4.4.exe

Filesize
677.3MB

MD5
b320880819636ce7fb3797cfa6fe7b57

SHA1
f763dd7e86d063379a866fc7ba6b76bb4d13fc76

SHA256
bff520c249441aa369fbea3c2ec6e1c740ad275b3d6bd0e02ee533289172c611

SHA512
b8cb3a3ab5e3676646b576f0b78724cd8544a1a92eb1c478f8621eeb33e70beb05b99e6a9b95a78d2f1b399eafb79c5d0ed4358053eb9ff6d02da738b46af9ef

Download Submit
memory/1980-62-0x0000000000400000-0x0000000000828000-memory.dmp

Filesize
4.2MB

Download
memory/1980-66-0x0000000002A30000-0x0000000002A70000-memory.dmp

Filesize
256KB

Download
memory/1980-65-0x0000000002A30000-0x0000000002A70000-memory.dmp

Filesize
256KB

Download
memory/1980-64-0x0000000002A30000-0x0000000002A70000-memory.dmp

Filesize
256KB

Download
memory/1980-63-0x0000000000400000-0x0000000000828000-memory.dmp

Filesize
4.2MB

Download
memory/1980-55-0x0000000000400000-0x0000000000828000-memory.dmp

Filesize
4.2MB

Download
memory/1980-60-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1980-56-0x0000000000400000-0x0000000000828000-memory.dmp

Filesize
4.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads