33519024241e83fd9baf13dbf0b640b66c6dea98ce47c0b5a4a1f5287b41ff5b

General

Target

33519024241e83fd9baf13dbf0b640b66c6dea98ce47c0b5a4a1f5287b41ff5b.exe
Size

4.2MB
MD5

e263514b8e1b96a6045c5c3ae5f43b89
SHA1

3bd56b0eeaa9ce0570efc40bc57bcfa1377b221a
SHA256

33519024241e83fd9baf13dbf0b640b66c6dea98ce47c0b5a4a1f5287b41ff5b
SHA512

bf96ea0a6bb81e28e775d896557f925ceb55f33ef27aa7a36b6a912e71022337b79658219dd8c350e175d190399a0a4589933d1450218fcb574aeeb33fa75e2f
SSDEEP

98304:haEhTEG4s2Rk5cs38shhSNjJe+i4sYeq69DedTV0VbTXF2RAvRthg:IRG4sskf38s7MjJeVYT69id+VbaMs

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4848	regid.1991-06.com.microsoftMicrosoft-type9.9.0.8.exe
2820	regid.1991-06.com.microsoftMicrosoft-type9.9.0.8.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4820	icacls.exe
3552	icacls.exe
3668	icacls.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4460 set thread context of 2952	4460	33519024241e83fd9baf13dbf0b640b66c6dea98ce47c0b5a4a1f5287b41ff5b.exe	67

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2876	schtasks.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4460 wrote to memory of 2952	4460	33519024241e83fd9baf13dbf0b640b66c6dea98ce47c0b5a4a1f5287b41ff5b.exe	67
PID 4460 wrote to memory of 2952	4460	33519024241e83fd9baf13dbf0b640b66c6dea98ce47c0b5a4a1f5287b41ff5b.exe	67
PID 4460 wrote to memory of 2952	4460	33519024241e83fd9baf13dbf0b640b66c6dea98ce47c0b5a4a1f5287b41ff5b.exe	67
PID 4460 wrote to memory of 2952	4460	33519024241e83fd9baf13dbf0b640b66c6dea98ce47c0b5a4a1f5287b41ff5b.exe	67
PID 4460 wrote to memory of 2952	4460	33519024241e83fd9baf13dbf0b640b66c6dea98ce47c0b5a4a1f5287b41ff5b.exe	67
PID 2952 wrote to memory of 4820	2952	AppLaunch.exe	68
PID 2952 wrote to memory of 4820	2952	AppLaunch.exe	68
PID 2952 wrote to memory of 4820	2952	AppLaunch.exe	68
PID 2952 wrote to memory of 3552	2952	AppLaunch.exe	70
PID 2952 wrote to memory of 3552	2952	AppLaunch.exe	70
PID 2952 wrote to memory of 3552	2952	AppLaunch.exe	70
PID 2952 wrote to memory of 3668	2952	AppLaunch.exe	72
PID 2952 wrote to memory of 3668	2952	AppLaunch.exe	72
PID 2952 wrote to memory of 3668	2952	AppLaunch.exe	72
PID 2952 wrote to memory of 2876	2952	AppLaunch.exe	74
PID 2952 wrote to memory of 2876	2952	AppLaunch.exe	74
PID 2952 wrote to memory of 2876	2952	AppLaunch.exe	74
PID 2952 wrote to memory of 4848	2952	AppLaunch.exe	76
PID 2952 wrote to memory of 4848	2952	AppLaunch.exe	76

C:\Users\Admin\AppData\Local\Temp\33519024241e83fd9baf13dbf0b640b66c6dea98ce47c0b5a4a1f5287b41ff5b.exe
"C:\Users\Admin\AppData\Local\Temp\33519024241e83fd9baf13dbf0b640b66c6dea98ce47c0b5a4a1f5287b41ff5b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-type9.9.0.8" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:4820
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-type9.9.0.8" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:3552
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-type9.9.0.8" /inheritance:e /deny "admin:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:3668
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /CREATE /TN "regid.1991-06.com.microsoftMicrosoft-type9.9.0.8\regid.1991-06.com.microsoftMicrosoft-type9.9.0.8" /TR "C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-type9.9.0.8\regid.1991-06.com.microsoftMicrosoft-type9.9.0.8.exe" /SC MINUTE
    3⤵
    - Creates scheduled task(s)
    PID:2876
- - C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-type9.9.0.8\regid.1991-06.com.microsoftMicrosoft-type9.9.0.8.exe
    "C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-type9.9.0.8\regid.1991-06.com.microsoftMicrosoft-type9.9.0.8.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Executes dropped EXE
    PID:4848

C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-type9.9.0.8\regid.1991-06.com.microsoftMicrosoft-type9.9.0.8.exe
C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-type9.9.0.8\regid.1991-06.com.microsoftMicrosoft-type9.9.0.8.exe
1⤵
- Executes dropped EXE
PID:2820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-type9.9.0.8\regid.1991-06.com.microsoftMicrosoft-type9.9.0.8.exe

Filesize
368.3MB

MD5
5311240be72e6a8ab8d882e37f681858

SHA1
bf4b7326f043ae92e03a2f5088b69d118dd03fac

SHA256
5230f7d567be08177f1ce2e6fe8d57bbed83b40668961efa4172b4ff11e533a6

SHA512
e27283f803d09e0945ce4208f039f9385f782e1977e3b15b0b9ef41b6f8484b45281938e3142f3f95cb4c2fcfcd44cbf34b538753665c773079978a23b0e120a

Download Submit
C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-type9.9.0.8\regid.1991-06.com.microsoftMicrosoft-type9.9.0.8.exe

Filesize
363.1MB

MD5
b59c0f8f8446069041d9269da82fa721

SHA1
2d93b18c389f5a74841d49160678806005e0757a

SHA256
022d23ae9cea44318e357c3a9cd12b048587b2e8ca3d9c3b89eb4a1b91d02610

SHA512
438fd6bcd6b2cf118689e3b57381a9c8cb7d2bba0a9bdfe828d71276eaf83cb65a0c8ccd87378bf6eabe7b8352d8a49ff181b6c7aa192727ab0db157b1f08a33

Download Submit
C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-type9.9.0.8\regid.1991-06.com.microsoftMicrosoft-type9.9.0.8.exe

Filesize
277.0MB

MD5
3c4f921c58f1ccb9d11dbb92caecef38

SHA1
a57cd557953da3abf94c8b9316be1dcae83fdc36

SHA256
68976e8f5a118bb80262d2e98050db8d993934f2184ceac1f58cf31b9aa26f89

SHA512
26de88398867f0cae12b15ba9580840556593bace25c7c86414a61a70c7cf89bf7594a46c6fa332ee9320343e335d62d3108c8dea038e29e14c2b71c71e2b325

Download Submit
memory/2952-118-0x0000000000400000-0x0000000000828000-memory.dmp

Filesize
4.2MB

Download
memory/2952-125-0x0000000009850000-0x0000000009D4E000-memory.dmp

Filesize
5.0MB

Download
memory/2952-126-0x0000000009270000-0x0000000009302000-memory.dmp

Filesize
584KB

Download
memory/2952-127-0x0000000009250000-0x000000000925A000-memory.dmp

Filesize
40KB

Download
memory/2952-128-0x0000000009510000-0x0000000009520000-memory.dmp

Filesize
64KB

Download
memory/2952-129-0x0000000009510000-0x0000000009520000-memory.dmp

Filesize
64KB

Download
memory/2952-130-0x0000000009510000-0x0000000009520000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads