48538dea30f2042edcae98127b9e163f4f0d6a56aec15625d8bd2dae5ba8ac35

General

Target

48538dea30f2042edcae98127b9e163f4f0d6a56aec15625d8bd2dae5ba8ac35.exe
Size

4.2MB
MD5

35f181ee49ec409d056cca073b71fdae
SHA1

c03b476e3ebea8c806149072963125c032f5016a
SHA256

48538dea30f2042edcae98127b9e163f4f0d6a56aec15625d8bd2dae5ba8ac35
SHA512

7dafc8c67971f1e49004566f815ca85553562317b7a661dcca0eb4d8cdcb08347ee21799242a79b8c1afa89700dd12f5621281971615e5937762538771737219
SSDEEP

98304:3pEhTEG4s2Rk5cs38shhSNjJe+i4sYeq69DedTV0VbTXF2RAvRthQ:ZRG4sskf38s7MjJeVYT69id+VbaM8

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3224	DesktopMicrosoft-type2.3.5.7.exe
4504	DesktopMicrosoft-type2.3.5.7.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3992	icacls.exe
4264	icacls.exe
1544	icacls.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4128 set thread context of 3840	4128	48538dea30f2042edcae98127b9e163f4f0d6a56aec15625d8bd2dae5ba8ac35.exe	67

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4644	schtasks.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4128 wrote to memory of 3840	4128	48538dea30f2042edcae98127b9e163f4f0d6a56aec15625d8bd2dae5ba8ac35.exe	67
PID 4128 wrote to memory of 3840	4128	48538dea30f2042edcae98127b9e163f4f0d6a56aec15625d8bd2dae5ba8ac35.exe	67
PID 4128 wrote to memory of 3840	4128	48538dea30f2042edcae98127b9e163f4f0d6a56aec15625d8bd2dae5ba8ac35.exe	67
PID 4128 wrote to memory of 3840	4128	48538dea30f2042edcae98127b9e163f4f0d6a56aec15625d8bd2dae5ba8ac35.exe	67
PID 4128 wrote to memory of 3840	4128	48538dea30f2042edcae98127b9e163f4f0d6a56aec15625d8bd2dae5ba8ac35.exe	67
PID 3840 wrote to memory of 4264	3840	AppLaunch.exe	68
PID 3840 wrote to memory of 4264	3840	AppLaunch.exe	68
PID 3840 wrote to memory of 4264	3840	AppLaunch.exe	68
PID 3840 wrote to memory of 1544	3840	AppLaunch.exe	70
PID 3840 wrote to memory of 1544	3840	AppLaunch.exe	70
PID 3840 wrote to memory of 1544	3840	AppLaunch.exe	70
PID 3840 wrote to memory of 3992	3840	AppLaunch.exe	73
PID 3840 wrote to memory of 3992	3840	AppLaunch.exe	73
PID 3840 wrote to memory of 3992	3840	AppLaunch.exe	73
PID 3840 wrote to memory of 4644	3840	AppLaunch.exe	74
PID 3840 wrote to memory of 4644	3840	AppLaunch.exe	74
PID 3840 wrote to memory of 4644	3840	AppLaunch.exe	74
PID 3840 wrote to memory of 3224	3840	AppLaunch.exe	76
PID 3840 wrote to memory of 3224	3840	AppLaunch.exe	76

C:\Users\Admin\AppData\Local\Temp\48538dea30f2042edcae98127b9e163f4f0d6a56aec15625d8bd2dae5ba8ac35.exe
"C:\Users\Admin\AppData\Local\Temp\48538dea30f2042edcae98127b9e163f4f0d6a56aec15625d8bd2dae5ba8ac35.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3840
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\DesktopMicrosoft-type2.3.5.7" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:4264
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\DesktopMicrosoft-type2.3.5.7" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:1544
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\DesktopMicrosoft-type2.3.5.7" /inheritance:e /deny "admin:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:3992
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /CREATE /TN "DesktopMicrosoft-type2.3.5.7\DesktopMicrosoft-type2.3.5.7" /TR "C:\ProgramData\DesktopMicrosoft-type2.3.5.7\DesktopMicrosoft-type2.3.5.7.exe" /SC MINUTE
    3⤵
    - Creates scheduled task(s)
    PID:4644
- - C:\ProgramData\DesktopMicrosoft-type2.3.5.7\DesktopMicrosoft-type2.3.5.7.exe
    "C:\ProgramData\DesktopMicrosoft-type2.3.5.7\DesktopMicrosoft-type2.3.5.7.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Executes dropped EXE
    PID:3224

C:\ProgramData\DesktopMicrosoft-type2.3.5.7\DesktopMicrosoft-type2.3.5.7.exe
C:\ProgramData\DesktopMicrosoft-type2.3.5.7\DesktopMicrosoft-type2.3.5.7.exe
1⤵
- Executes dropped EXE
PID:4504

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DesktopMicrosoft-type2.3.5.7\DesktopMicrosoft-type2.3.5.7.exe

Filesize
652.7MB

MD5
4462db1a5d6252bc5ad6753e4c372d8a

SHA1
ae8af0675bd4b62aaad671054a44bfa3fa140b20

SHA256
060e93e0742ddc337b75b08c1e2411b09ebdb3eba3bf167aebf55b6d9af84811

SHA512
b5ef9b05bd377e564a4d4911023a2cdf9a330cbd15536e313f480afde77ea1e7a46282da9b0156ee91daed89459886d2d4422fbea43c5a174b99942ecbeeae32

Download Submit
C:\ProgramData\DesktopMicrosoft-type2.3.5.7\DesktopMicrosoft-type2.3.5.7.exe

Filesize
638.1MB

MD5
fac6722b64026a9c743fcf6f589ee019

SHA1
6472fe4052ae31dce25e0b40196e27f3ad949c25

SHA256
f23ea990dc9e38c461876d544658b21c4993fa867a68213a8d9d0ff1ffb34fdf

SHA512
3b86f40f52c55fa96fe33d9b84869dffe6cfdcee15f2bf4f7835afce4ce811ceea59477c107c8b9aaca44e64002e10a747359c8e2e683a2220d7c8d1b11ea570

Download Submit
C:\ProgramData\DesktopMicrosoft-type2.3.5.7\DesktopMicrosoft-type2.3.5.7.exe

Filesize
196.1MB

MD5
0e0ca754f1979364edbc321a7fecf3a7

SHA1
a0d75ddb9ca3bdb8adb33ce3dbe9861c46fe26ee

SHA256
827dfde661ab0b576c7a387174b3fbf984c2494f3426dfe21687d5d853dc58ff

SHA512
b83323fe64b9d9ab17c4dba850446025d0d57ce8cc53f22ad5ead8a79dcd94275d177c8964bac0e99b23a08dd70080c6240dcc06188fec992f93f3c2d35d6214

Download Submit
memory/3840-122-0x0000000000A00000-0x0000000000E28000-memory.dmp

Filesize
4.2MB

Download
memory/3840-129-0x0000000009950000-0x0000000009E4E000-memory.dmp

Filesize
5.0MB

Download
memory/3840-130-0x0000000009450000-0x00000000094E2000-memory.dmp

Filesize
584KB

Download
memory/3840-131-0x00000000096D0000-0x00000000096E0000-memory.dmp

Filesize
64KB

Download
memory/3840-132-0x00000000093E0000-0x00000000093EA000-memory.dmp

Filesize
40KB

Download
memory/3840-133-0x00000000096D0000-0x00000000096E0000-memory.dmp

Filesize
64KB

Download
memory/3840-134-0x00000000096D0000-0x00000000096E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads