f42a37d59e8034fc310c58c0eb3aef19426f562602e9d79d7f9189c625061ad3

General

Target

f42a37d59e8034fc310c58c0eb3aef19426f562602e9d79d7f9189c625061ad3.exe
Size

4.2MB
MD5

62b50ea3ba98413176469822113246c0
SHA1

cdbdebfb16abe5a4c46d4102a85768f65e5b3c5d
SHA256

f42a37d59e8034fc310c58c0eb3aef19426f562602e9d79d7f9189c625061ad3
SHA512

92b3d74e45264d5619ca392aaefbc23a889955a0fa577b298d470bcde106e8622cab942814b2d91fa1c73b0d828387a0ea59c63f00e0a64236a9ed4b7ee6053e
SSDEEP

98304:zEhTEG4s2Rk5cs38shhSNjJe+i4sYeq69DedTV0VbTXF2RAvRthw:zRG4sskf38s7MjJeVYT69id+VbaMc

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4560	Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.0.1.3.exe
1076	Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.0.1.3.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1628	icacls.exe
3256	icacls.exe
4456	icacls.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4100 set thread context of 4576	4100	f42a37d59e8034fc310c58c0eb3aef19426f562602e9d79d7f9189c625061ad3.exe	67

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1940	schtasks.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4100 wrote to memory of 4576	4100	f42a37d59e8034fc310c58c0eb3aef19426f562602e9d79d7f9189c625061ad3.exe	67
PID 4100 wrote to memory of 4576	4100	f42a37d59e8034fc310c58c0eb3aef19426f562602e9d79d7f9189c625061ad3.exe	67
PID 4100 wrote to memory of 4576	4100	f42a37d59e8034fc310c58c0eb3aef19426f562602e9d79d7f9189c625061ad3.exe	67
PID 4100 wrote to memory of 4576	4100	f42a37d59e8034fc310c58c0eb3aef19426f562602e9d79d7f9189c625061ad3.exe	67
PID 4100 wrote to memory of 4576	4100	f42a37d59e8034fc310c58c0eb3aef19426f562602e9d79d7f9189c625061ad3.exe	67
PID 4576 wrote to memory of 1628	4576	AppLaunch.exe	68
PID 4576 wrote to memory of 1628	4576	AppLaunch.exe	68
PID 4576 wrote to memory of 1628	4576	AppLaunch.exe	68
PID 4576 wrote to memory of 3256	4576	AppLaunch.exe	70
PID 4576 wrote to memory of 3256	4576	AppLaunch.exe	70
PID 4576 wrote to memory of 3256	4576	AppLaunch.exe	70
PID 4576 wrote to memory of 4456	4576	AppLaunch.exe	72
PID 4576 wrote to memory of 4456	4576	AppLaunch.exe	72
PID 4576 wrote to memory of 4456	4576	AppLaunch.exe	72
PID 4576 wrote to memory of 1940	4576	AppLaunch.exe	74
PID 4576 wrote to memory of 1940	4576	AppLaunch.exe	74
PID 4576 wrote to memory of 1940	4576	AppLaunch.exe	74
PID 4576 wrote to memory of 4560	4576	AppLaunch.exe	76
PID 4576 wrote to memory of 4560	4576	AppLaunch.exe	76

C:\Users\Admin\AppData\Local\Temp\f42a37d59e8034fc310c58c0eb3aef19426f562602e9d79d7f9189c625061ad3.exe
"C:\Users\Admin\AppData\Local\Temp\f42a37d59e8034fc310c58c0eb3aef19426f562602e9d79d7f9189c625061ad3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4576
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.0.1.3" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:1628
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.0.1.3" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:3256
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.0.1.3" /inheritance:e /deny "admin:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:4456
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /CREATE /TN "Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.0.1.3\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.0.1.3" /TR "C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.0.1.3\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.0.1.3.exe" /SC MINUTE
    3⤵
    - Creates scheduled task(s)
    PID:1940
- - C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.0.1.3\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.0.1.3.exe
    "C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.0.1.3\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.0.1.3.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Executes dropped EXE
    PID:4560

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.0.1.3\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.0.1.3.exe
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.0.1.3\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.0.1.3.exe
1⤵
- Executes dropped EXE
PID:1076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.0.1.3\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.0.1.3.exe

Filesize
697.6MB

MD5
877f8a8da6beb52369cdc6cecc6ba9eb

SHA1
915c63b14a2aff89084bf62b4411b57e34a4c043

SHA256
6356e4796f368655fdf5bc196b21c5c6cbf9c7dc9f64b0c0559b0c7091907549

SHA512
58e9b305a9a48cc58afa135da464170c93f072f9dabf95450e0e4d63fd7b24e9328d1bfb3244822bc440fc0b32a1aac9d54391bbd806814a9fea4819848a79e8

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.0.1.3\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.0.1.3.exe

Filesize
697.6MB

MD5
877f8a8da6beb52369cdc6cecc6ba9eb

SHA1
915c63b14a2aff89084bf62b4411b57e34a4c043

SHA256
6356e4796f368655fdf5bc196b21c5c6cbf9c7dc9f64b0c0559b0c7091907549

SHA512
58e9b305a9a48cc58afa135da464170c93f072f9dabf95450e0e4d63fd7b24e9328d1bfb3244822bc440fc0b32a1aac9d54391bbd806814a9fea4819848a79e8

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.0.1.3\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.0.1.3.exe

Filesize
697.6MB

MD5
877f8a8da6beb52369cdc6cecc6ba9eb

SHA1
915c63b14a2aff89084bf62b4411b57e34a4c043

SHA256
6356e4796f368655fdf5bc196b21c5c6cbf9c7dc9f64b0c0559b0c7091907549

SHA512
58e9b305a9a48cc58afa135da464170c93f072f9dabf95450e0e4d63fd7b24e9328d1bfb3244822bc440fc0b32a1aac9d54391bbd806814a9fea4819848a79e8

Download Submit
memory/4576-117-0x0000000000400000-0x0000000000828000-memory.dmp

Filesize
4.2MB

Download
memory/4576-124-0x0000000009B50000-0x000000000A04E000-memory.dmp

Filesize
5.0MB

Download
memory/4576-125-0x0000000009590000-0x0000000009622000-memory.dmp

Filesize
584KB

Download
memory/4576-126-0x0000000009520000-0x000000000952A000-memory.dmp

Filesize
40KB

Download
memory/4576-127-0x00000000096F0000-0x0000000009700000-memory.dmp

Filesize
64KB

Download
memory/4576-128-0x00000000096F0000-0x0000000009700000-memory.dmp

Filesize
64KB

Download
memory/4576-129-0x00000000096F0000-0x0000000009700000-memory.dmp

Filesize
64KB

Download
memory/4576-130-0x00000000096F0000-0x0000000009700000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads