381cce5d66e54b64845380f707b8336e0be9ffb400a9039409f435000c35a371

General

Target

381cce5d66e54b64845380f707b8336e0be9ffb400a9039409f435000c35a371.exe
Size

4.7MB
MD5

1426d1659b352b8f3a89c7977323636a
SHA1

4006b630a9bd15c05a4615aa1592a6a6df6900b2
SHA256

381cce5d66e54b64845380f707b8336e0be9ffb400a9039409f435000c35a371
SHA512

0e08701b821ffac9ad2232e3db3f3779409e0c3a35781567ef2c3eb8d61bd8ef4c20ee5702d82f50744311d18a3a107ff4b56a239e68ca3e9160a64f76b7a119
SSDEEP

98304:VrNDnifgPgjhcObmRCevTu6QDiU98WJONhZ9gsb0jJu/2vJYL4ooq:VFBMuOCTpDLaqiRYLT

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3128	regid.1991-06.com.microsoftSoftwareDistribution-type5.6.5.4.exe
3372	regid.1991-06.com.microsoftSoftwareDistribution-type5.6.5.4.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2840	icacls.exe
1272	icacls.exe
4484	icacls.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2604 set thread context of 3704	2604	381cce5d66e54b64845380f707b8336e0be9ffb400a9039409f435000c35a371.exe	83
PID 3704 set thread context of 2700	3704	AppLaunch.exe	85

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1428	schtasks.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 3704	2604	381cce5d66e54b64845380f707b8336e0be9ffb400a9039409f435000c35a371.exe	83
PID 2604 wrote to memory of 3704	2604	381cce5d66e54b64845380f707b8336e0be9ffb400a9039409f435000c35a371.exe	83
PID 2604 wrote to memory of 3704	2604	381cce5d66e54b64845380f707b8336e0be9ffb400a9039409f435000c35a371.exe	83
PID 2604 wrote to memory of 3704	2604	381cce5d66e54b64845380f707b8336e0be9ffb400a9039409f435000c35a371.exe	83
PID 2604 wrote to memory of 3704	2604	381cce5d66e54b64845380f707b8336e0be9ffb400a9039409f435000c35a371.exe	83
PID 3704 wrote to memory of 2700	3704	AppLaunch.exe	85
PID 3704 wrote to memory of 2700	3704	AppLaunch.exe	85
PID 3704 wrote to memory of 2700	3704	AppLaunch.exe	85
PID 3704 wrote to memory of 2700	3704	AppLaunch.exe	85
PID 3704 wrote to memory of 2700	3704	AppLaunch.exe	85
PID 2700 wrote to memory of 4484	2700	AppLaunch.exe	96
PID 2700 wrote to memory of 4484	2700	AppLaunch.exe	96
PID 2700 wrote to memory of 4484	2700	AppLaunch.exe	96
PID 2700 wrote to memory of 2840	2700	AppLaunch.exe	98
PID 2700 wrote to memory of 2840	2700	AppLaunch.exe	98
PID 2700 wrote to memory of 2840	2700	AppLaunch.exe	98
PID 2700 wrote to memory of 1272	2700	AppLaunch.exe	100
PID 2700 wrote to memory of 1272	2700	AppLaunch.exe	100
PID 2700 wrote to memory of 1272	2700	AppLaunch.exe	100
PID 2700 wrote to memory of 1428	2700	AppLaunch.exe	102
PID 2700 wrote to memory of 1428	2700	AppLaunch.exe	102
PID 2700 wrote to memory of 1428	2700	AppLaunch.exe	102
PID 2700 wrote to memory of 3128	2700	AppLaunch.exe	104
PID 2700 wrote to memory of 3128	2700	AppLaunch.exe	104

C:\Users\Admin\AppData\Local\Temp\381cce5d66e54b64845380f707b8336e0be9ffb400a9039409f435000c35a371.exe
"C:\Users\Admin\AppData\Local\Temp\381cce5d66e54b64845380f707b8336e0be9ffb400a9039409f435000c35a371.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3704
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Windows\SysWOW64\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\ProgramData\regid.1991-06.com.microsoftSoftwareDistribution-type5.6.5.4" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
      4⤵
      Modifies file permissions
      PID:4484
  - - C:\Windows\SysWOW64\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\ProgramData\regid.1991-06.com.microsoftSoftwareDistribution-type5.6.5.4" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
      4⤵
      Modifies file permissions
      PID:2840
  - - C:\Windows\SysWOW64\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\ProgramData\regid.1991-06.com.microsoftSoftwareDistribution-type5.6.5.4" /inheritance:e /deny "admin:(R,REA,RA,RD)"
      4⤵
      Modifies file permissions
      PID:1272
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /CREATE /TN "regid.1991-06.com.microsoftSoftwareDistribution-type5.6.5.4\regid.1991-06.com.microsoftSoftwareDistribution-type5.6.5.4" /TR "C:\ProgramData\regid.1991-06.com.microsoftSoftwareDistribution-type5.6.5.4\regid.1991-06.com.microsoftSoftwareDistribution-type5.6.5.4.exe" /SC MINUTE
      4⤵
      Creates scheduled task(s)
      PID:1428
  - - C:\ProgramData\regid.1991-06.com.microsoftSoftwareDistribution-type5.6.5.4\regid.1991-06.com.microsoftSoftwareDistribution-type5.6.5.4.exe
      "C:\ProgramData\regid.1991-06.com.microsoftSoftwareDistribution-type5.6.5.4\regid.1991-06.com.microsoftSoftwareDistribution-type5.6.5.4.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Executes dropped EXE
      PID:3128

C:\ProgramData\regid.1991-06.com.microsoftSoftwareDistribution-type5.6.5.4\regid.1991-06.com.microsoftSoftwareDistribution-type5.6.5.4.exe
C:\ProgramData\regid.1991-06.com.microsoftSoftwareDistribution-type5.6.5.4\regid.1991-06.com.microsoftSoftwareDistribution-type5.6.5.4.exe
1⤵
- Executes dropped EXE
PID:3372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\regid.1991-06.com.microsoftSoftwareDistribution-type5.6.5.4\regid.1991-06.com.microsoftSoftwareDistribution-type5.6.5.4.exe

Filesize
609.4MB

MD5
13c050550470330cb620a5637b29d00d

SHA1
a3cd163d5e8fa118412ba80d2699daae46da47e1

SHA256
218299b7ac9a6b54cdf251cd820500bf569dcb1731feb4c1b1782a98c08c35a2

SHA512
fa7064f8f5ca7ce2847be4e18d728f78f928e810c164c95c0abf5734975772b93606a7db9a5d1dde3cf10c39e4a8bb5cefc49fd3028deb77e206dfc3594d93ab

Download Submit
C:\ProgramData\regid.1991-06.com.microsoftSoftwareDistribution-type5.6.5.4\regid.1991-06.com.microsoftSoftwareDistribution-type5.6.5.4.exe

Filesize
488.6MB

MD5
d66d526bd793c0cc8edd659dff083088

SHA1
af4ca3256e590ace5ae78ec9b862d3359cb2497c

SHA256
e1ce728968cf22ea161b19be8f4b02d506b99a5d570864ecb343be1d20b2f5c6

SHA512
12f13242131732a8cdfffe35b3e29267ae159b40ece083e2aa6ae4797a32f2e8bb093ad59a7366435b95d2e27b80909ec14a094f082339ed7088c0bff8016437

Download Submit
C:\ProgramData\regid.1991-06.com.microsoftSoftwareDistribution-type5.6.5.4\regid.1991-06.com.microsoftSoftwareDistribution-type5.6.5.4.exe

Filesize
527.9MB

MD5
355af575dc6a44d91b88ace93ea83fa7

SHA1
8db6392f1a5a5f59b6550af8d251dec7ff6a9892

SHA256
a7a58a34f5ca87d442cc02b0aba3428e1a82782abee949ff72b5ea2d38cf777d

SHA512
76b69e0759142be899165831473d4da254b33ae9970bfa2705348b9c3c8f78d1d5d4f9878da4b035bcdd3eac8b53bda333dd2886f57de03e01be967d07fb6b0d

Download Submit
C:\ProgramData\regid.1991-06.com.microsoftSoftwareDistribution-type5.6.5.4\regid.1991-06.com.microsoftSoftwareDistribution-type5.6.5.4.exe

Filesize
404.2MB

MD5
b6481c4cb413d7ff40a32b26c35a554c

SHA1
e08757df844de9e692eb08e4afc7114c3d902cad

SHA256
2c0ea56d0bb5c55d765463715d0dcfde77b113e96be15b5f77ac74adf7587986

SHA512
d6dc77084b753436aad5da28e0fe70310cef47ef1e212c5ed334c7e3c2c644e96bb1c20a04c07acfbf8d7d5588dba3b83a260fd73db2eeafd216734ffb8b8de6

Download Submit
memory/2700-150-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/2700-149-0x00000000051E0000-0x00000000051EA000-memory.dmp

Filesize
40KB

Download
memory/2700-151-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/2700-152-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/2700-153-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/2700-148-0x0000000005140000-0x00000000051D2000-memory.dmp

Filesize
584KB

Download
memory/2700-147-0x0000000005610000-0x0000000005BB4000-memory.dmp

Filesize
5.6MB

Download
memory/2700-142-0x0000000000700000-0x0000000000B8C000-memory.dmp

Filesize
4.5MB

Download
memory/3704-134-0x0000000000400000-0x00000000008A3000-memory.dmp

Filesize
4.6MB

Download
memory/3704-140-0x0000000000400000-0x00000000008A3000-memory.dmp

Filesize
4.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads