4f0ac3c5044699eaa4b05c0ef07d473edf86eac732df5304dc0c42fc4349d6d1

General

Target

4f0ac3c5044699eaa4b05c0ef07d473edf86eac732df5304dc0c42fc4349d6d1.exe
Size

4.2MB
MD5

a37810cc29d9cfa64243c40ad8a5c3df
SHA1

a4a57a48d8436c859d524b9223710008f7c5e1ad
SHA256

4f0ac3c5044699eaa4b05c0ef07d473edf86eac732df5304dc0c42fc4349d6d1
SHA512

7db726cbc72ee93ee076a1a01913753bd3f722ba1c660281223d7939d1ad5fecf8e593b39e47d2bd15975d5f9796d059bde7eb87e8d3e087dad3e2818613644f
SSDEEP

98304:BEhTEG4s2Rk5cs38shhSNjJe+i4sYeq69DedTV0VbTXF2RAvRthw:BRG4sskf38s7MjJeVYT69id+VbaMc

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4624	MicrosoftTemplates-type6.5.2.0.exe
4356	MicrosoftTemplates-type6.5.2.0.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1380	icacls.exe
1736	icacls.exe
3944	icacls.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4052 set thread context of 4816	4052	4f0ac3c5044699eaa4b05c0ef07d473edf86eac732df5304dc0c42fc4349d6d1.exe	68

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1292	schtasks.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 4816	4052	4f0ac3c5044699eaa4b05c0ef07d473edf86eac732df5304dc0c42fc4349d6d1.exe	68
PID 4052 wrote to memory of 4816	4052	4f0ac3c5044699eaa4b05c0ef07d473edf86eac732df5304dc0c42fc4349d6d1.exe	68
PID 4052 wrote to memory of 4816	4052	4f0ac3c5044699eaa4b05c0ef07d473edf86eac732df5304dc0c42fc4349d6d1.exe	68
PID 4052 wrote to memory of 4816	4052	4f0ac3c5044699eaa4b05c0ef07d473edf86eac732df5304dc0c42fc4349d6d1.exe	68
PID 4052 wrote to memory of 4816	4052	4f0ac3c5044699eaa4b05c0ef07d473edf86eac732df5304dc0c42fc4349d6d1.exe	68
PID 4816 wrote to memory of 1736	4816	AppLaunch.exe	69
PID 4816 wrote to memory of 1736	4816	AppLaunch.exe	69
PID 4816 wrote to memory of 1736	4816	AppLaunch.exe	69
PID 4816 wrote to memory of 3944	4816	AppLaunch.exe	71
PID 4816 wrote to memory of 3944	4816	AppLaunch.exe	71
PID 4816 wrote to memory of 3944	4816	AppLaunch.exe	71
PID 4816 wrote to memory of 1380	4816	AppLaunch.exe	73
PID 4816 wrote to memory of 1380	4816	AppLaunch.exe	73
PID 4816 wrote to memory of 1380	4816	AppLaunch.exe	73
PID 4816 wrote to memory of 1292	4816	AppLaunch.exe	75
PID 4816 wrote to memory of 1292	4816	AppLaunch.exe	75
PID 4816 wrote to memory of 1292	4816	AppLaunch.exe	75
PID 4816 wrote to memory of 4624	4816	AppLaunch.exe	77
PID 4816 wrote to memory of 4624	4816	AppLaunch.exe	77

C:\Users\Admin\AppData\Local\Temp\4f0ac3c5044699eaa4b05c0ef07d473edf86eac732df5304dc0c42fc4349d6d1.exe
"C:\Users\Admin\AppData\Local\Temp\4f0ac3c5044699eaa4b05c0ef07d473edf86eac732df5304dc0c42fc4349d6d1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\MicrosoftTemplates-type6.5.2.0" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:1736
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\MicrosoftTemplates-type6.5.2.0" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:3944
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\MicrosoftTemplates-type6.5.2.0" /inheritance:e /deny "admin:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:1380
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /CREATE /TN "MicrosoftTemplates-type6.5.2.0\MicrosoftTemplates-type6.5.2.0" /TR "C:\ProgramData\MicrosoftTemplates-type6.5.2.0\MicrosoftTemplates-type6.5.2.0.exe" /SC MINUTE
    3⤵
    - Creates scheduled task(s)
    PID:1292
- - C:\ProgramData\MicrosoftTemplates-type6.5.2.0\MicrosoftTemplates-type6.5.2.0.exe
    "C:\ProgramData\MicrosoftTemplates-type6.5.2.0\MicrosoftTemplates-type6.5.2.0.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Executes dropped EXE
    PID:4624

C:\ProgramData\MicrosoftTemplates-type6.5.2.0\MicrosoftTemplates-type6.5.2.0.exe
C:\ProgramData\MicrosoftTemplates-type6.5.2.0\MicrosoftTemplates-type6.5.2.0.exe
1⤵
- Executes dropped EXE
PID:4356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\MicrosoftTemplates-type6.5.2.0\MicrosoftTemplates-type6.5.2.0.exe

Filesize
687.7MB

MD5
b390315b658dda93aeba5e7db79e7446

SHA1
1db9fc8a31c2c868c7f1ad3f534b4eed53a44dfc

SHA256
fbf4beed7e20b9f66e81b668c13752d4225868c807c9f7ada165ba12cb857a8c

SHA512
d922a78f4ec3afd5f92f6074619470701afd33aa6e3643f169b802fde2c41fd9e6f43f9d56062fecbc3f0f4cb13a2f5291943478a07de9be58a7317710697ac7

Download Submit
C:\ProgramData\MicrosoftTemplates-type6.5.2.0\MicrosoftTemplates-type6.5.2.0.exe

Filesize
687.7MB

MD5
b390315b658dda93aeba5e7db79e7446

SHA1
1db9fc8a31c2c868c7f1ad3f534b4eed53a44dfc

SHA256
fbf4beed7e20b9f66e81b668c13752d4225868c807c9f7ada165ba12cb857a8c

SHA512
d922a78f4ec3afd5f92f6074619470701afd33aa6e3643f169b802fde2c41fd9e6f43f9d56062fecbc3f0f4cb13a2f5291943478a07de9be58a7317710697ac7

Download Submit
C:\ProgramData\MicrosoftTemplates-type6.5.2.0\MicrosoftTemplates-type6.5.2.0.exe

Filesize
658.3MB

MD5
2206ec2836249e87fddbfc669bc64283

SHA1
7d73e9bd255588c1d5de770596449d3f2b8f5d49

SHA256
990bc6d4a91577d4441b79ffd8671110c336e4f785feae5e42924a33baeed36d

SHA512
e3fa1941fb44ed3fae32d09ec16f0f79263d4d33d3455ce593e9de178f36624911e98789e6e58a07d3e2321eb9d7c2668acf68d4d79554b474ec0b89626086bd

Download Submit
memory/4816-117-0x0000000000400000-0x0000000000828000-memory.dmp

Filesize
4.2MB

Download
memory/4816-124-0x0000000009900000-0x0000000009DFE000-memory.dmp

Filesize
5.0MB

Download
memory/4816-125-0x00000000092D0000-0x0000000009362000-memory.dmp

Filesize
584KB

Download
memory/4816-126-0x0000000009380000-0x000000000938A000-memory.dmp

Filesize
40KB

Download
memory/4816-127-0x0000000009270000-0x0000000009280000-memory.dmp

Filesize
64KB

Download
memory/4816-128-0x0000000009270000-0x0000000009280000-memory.dmp

Filesize
64KB

Download
memory/4816-129-0x0000000009270000-0x0000000009280000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads