Analysis

  • max time kernel
    104s
  • max time network
    58s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    06/03/2023, 14:30

General

  • Target

    48538dea30f2042edcae98127b9e163f4f0d6a56aec15625d8bd2dae5ba8ac35.exe

  • Size

    4.2MB

  • MD5

    35f181ee49ec409d056cca073b71fdae

  • SHA1

    c03b476e3ebea8c806149072963125c032f5016a

  • SHA256

    48538dea30f2042edcae98127b9e163f4f0d6a56aec15625d8bd2dae5ba8ac35

  • SHA512

    7dafc8c67971f1e49004566f815ca85553562317b7a661dcca0eb4d8cdcb08347ee21799242a79b8c1afa89700dd12f5621281971615e5937762538771737219

  • SSDEEP

    98304:3pEhTEG4s2Rk5cs38shhSNjJe+i4sYeq69DedTV0VbTXF2RAvRthQ:ZRG4sskf38s7MjJeVYT69id+VbaM8

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\48538dea30f2042edcae98127b9e163f4f0d6a56aec15625d8bd2dae5ba8ac35.exe
    "C:\Users\Admin\AppData\Local\Temp\48538dea30f2042edcae98127b9e163f4f0d6a56aec15625d8bd2dae5ba8ac35.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4128
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3840
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\DesktopMicrosoft-type2.3.5.7" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:4264
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\DesktopMicrosoft-type2.3.5.7" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:1544
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\DesktopMicrosoft-type2.3.5.7" /inheritance:e /deny "admin:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:3992
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /CREATE /TN "DesktopMicrosoft-type2.3.5.7\DesktopMicrosoft-type2.3.5.7" /TR "C:\ProgramData\DesktopMicrosoft-type2.3.5.7\DesktopMicrosoft-type2.3.5.7.exe" /SC MINUTE
        3⤵
        • Creates scheduled task(s)
        PID:4644
      • C:\ProgramData\DesktopMicrosoft-type2.3.5.7\DesktopMicrosoft-type2.3.5.7.exe
        "C:\ProgramData\DesktopMicrosoft-type2.3.5.7\DesktopMicrosoft-type2.3.5.7.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Executes dropped EXE
        PID:3224
  • C:\ProgramData\DesktopMicrosoft-type2.3.5.7\DesktopMicrosoft-type2.3.5.7.exe
    C:\ProgramData\DesktopMicrosoft-type2.3.5.7\DesktopMicrosoft-type2.3.5.7.exe
    1⤵
    • Executes dropped EXE
    PID:4504

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\ProgramData\DesktopMicrosoft-type2.3.5.7\DesktopMicrosoft-type2.3.5.7.exe

    Filesize

    652.7MB

    MD5

    4462db1a5d6252bc5ad6753e4c372d8a

    SHA1

    ae8af0675bd4b62aaad671054a44bfa3fa140b20

    SHA256

    060e93e0742ddc337b75b08c1e2411b09ebdb3eba3bf167aebf55b6d9af84811

    SHA512

    b5ef9b05bd377e564a4d4911023a2cdf9a330cbd15536e313f480afde77ea1e7a46282da9b0156ee91daed89459886d2d4422fbea43c5a174b99942ecbeeae32

  • C:\ProgramData\DesktopMicrosoft-type2.3.5.7\DesktopMicrosoft-type2.3.5.7.exe

    Filesize

    638.1MB

    MD5

    fac6722b64026a9c743fcf6f589ee019

    SHA1

    6472fe4052ae31dce25e0b40196e27f3ad949c25

    SHA256

    f23ea990dc9e38c461876d544658b21c4993fa867a68213a8d9d0ff1ffb34fdf

    SHA512

    3b86f40f52c55fa96fe33d9b84869dffe6cfdcee15f2bf4f7835afce4ce811ceea59477c107c8b9aaca44e64002e10a747359c8e2e683a2220d7c8d1b11ea570

  • C:\ProgramData\DesktopMicrosoft-type2.3.5.7\DesktopMicrosoft-type2.3.5.7.exe

    Filesize

    196.1MB

    MD5

    0e0ca754f1979364edbc321a7fecf3a7

    SHA1

    a0d75ddb9ca3bdb8adb33ce3dbe9861c46fe26ee

    SHA256

    827dfde661ab0b576c7a387174b3fbf984c2494f3426dfe21687d5d853dc58ff

    SHA512

    b83323fe64b9d9ab17c4dba850446025d0d57ce8cc53f22ad5ead8a79dcd94275d177c8964bac0e99b23a08dd70080c6240dcc06188fec992f93f3c2d35d6214

  • memory/3840-122-0x0000000000A00000-0x0000000000E28000-memory.dmp

    Filesize

    4.2MB

  • memory/3840-129-0x0000000009950000-0x0000000009E4E000-memory.dmp

    Filesize

    5.0MB

  • memory/3840-130-0x0000000009450000-0x00000000094E2000-memory.dmp

    Filesize

    584KB

  • memory/3840-131-0x00000000096D0000-0x00000000096E0000-memory.dmp

    Filesize

    64KB

  • memory/3840-132-0x00000000093E0000-0x00000000093EA000-memory.dmp

    Filesize

    40KB

  • memory/3840-133-0x00000000096D0000-0x00000000096E0000-memory.dmp

    Filesize

    64KB

  • memory/3840-134-0x00000000096D0000-0x00000000096E0000-memory.dmp

    Filesize

    64KB