Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    11/03/2023, 11:56

General

  • Target

    a491649a56ddedaeacabc502d75a8990ce02b7f2de353cce1878b88c1ce05c95.exe

  • Size

    4.6MB

  • MD5

    b6b224677ca69b5a07c9b2a155976fc2

  • SHA1

    bcc25a596aed2aaadde4c6489e2158b2dc67c760

  • SHA256

    a491649a56ddedaeacabc502d75a8990ce02b7f2de353cce1878b88c1ce05c95

  • SHA512

    6a1a164684fe406e90bc025ff298ec1961a35195bed547396a8b3ec09add89903b1fd9316af3e46e81682f27f979622ab153acc298708827bbdb615396e0436d

  • SSDEEP

    98304:OweFRP61hlce+gu3O+UHKZc+sRZvojwn6MTSrP:4FRPQzceZHOc3RxAwZGz

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a491649a56ddedaeacabc502d75a8990ce02b7f2de353cce1878b88c1ce05c95.exe
    "C:\Users\Admin\AppData\Local\Temp\a491649a56ddedaeacabc502d75a8990ce02b7f2de353cce1878b88c1ce05c95.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1804
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3972
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\MicrosoftDocuments-type3.2.3.8" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:2460
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\MicrosoftDocuments-type3.2.3.8" /inheritance:e /deny "admin:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:3100
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\MicrosoftDocuments-type3.2.3.8" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:4180
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /CREATE /TN "MicrosoftDocuments-type3.2.3.8\MicrosoftDocuments-type3.2.3.8" /TR "C:\ProgramData\MicrosoftDocuments-type3.2.3.8\MicrosoftDocuments-type3.2.3.8.exe" /SC MINUTE
        3⤵
        • Creates scheduled task(s)
        PID:3020
      • C:\ProgramData\MicrosoftDocuments-type3.2.3.8\MicrosoftDocuments-type3.2.3.8.exe
        "C:\ProgramData\MicrosoftDocuments-type3.2.3.8\MicrosoftDocuments-type3.2.3.8.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Executes dropped EXE
        PID:4264
  • C:\ProgramData\MicrosoftDocuments-type3.2.3.8\MicrosoftDocuments-type3.2.3.8.exe
    C:\ProgramData\MicrosoftDocuments-type3.2.3.8\MicrosoftDocuments-type3.2.3.8.exe
    1⤵
    • Executes dropped EXE
    PID:4452
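The icacls and schtasks invocations in the process tree above are the durable indicators in this report: the dropper denies read access on its own C:\ProgramData staging folder to Everyone (S-1-1-0), to Anonymous Logon (S-1-5-7) and to the sandbox user account admin, then registers a scheduled task that re-launches the dropped binary every minute. The Python below is an added detection example, not part of the sandbox report or of the sample: it parses process command lines of exactly this shape and returns one finding per pattern. The function and constant names, the ATT&CK technique labels and the final /grant command line (a constructed benign control) are ours; the other four command lines are copied from the tree above.

```python
# Added detection example for the icacls deny-read and schtasks per-minute
# patterns seen in the process tree; not code from the sandbox or the sample.
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass
class Finding:
    technique: str   # ATT&CK label (our mapping, not from the report)
    detail: str
    cmdline: str

# Well-known SIDs a self-created folder should never deny read access to.
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-7": "Anonymous Logon"}
# icacls simple and specific rights that confer some form of read access.
READ_RIGHTS = {"F", "M", "RX", "R", "GR", "RD", "REA", "RA"}

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
# icacls ACE syntax: [*]principal:(rights) or principal:rights
_ACE = re.compile(r"^\*?(?P<who>[^:]+):\(?(?P<rights>[^)]*)\)?$")

def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]

def is_user_writable(path: str) -> bool:
    """True for staging directories an unprivileged dropper can write to."""
    p = path.lower()
    return p.startswith("c:\\programdata\\") or "\\appdata\\" in p or "\\temp\\" in p

def check_icacls(tokens: list[str], cmdline: str) -> list[Finding]:
    findings: list[Finding] = []
    target = tokens[1] if len(tokens) > 1 else ""
    i = 2
    while i < len(tokens):
        if tokens[i].lower() == "/deny" and i + 1 < len(tokens):
            ace = _ACE.match(tokens[i + 1])
            i += 2
            if not ace:
                continue
            who, rights = ace["who"], set(ace["rights"].split(","))
            # A deny ACE matters here when it removes read access and either
            # hits a broad principal or protects a dropper staging folder.
            if rights & READ_RIGHTS and (who in BROAD_SIDS or is_user_writable(target)):
                label = BROAD_SIDS.get(who, who)
                findings.append(Finding(
                    "T1222.001", f"icacls denies read access to {label} on {target}", cmdline))
        else:
            i += 1
    return findings

def parse_flags(tokens: list[str]) -> dict[str, str | None]:
    """Map lower-cased /flags to their value (None when the flag is bare)."""
    flags: dict[str, str | None] = {}
    i = 1
    while i < len(tokens):
        if tokens[i].startswith("/"):
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("/")
            flags[tokens[i].lower()] = tokens[i + 1] if has_value else None
            i += 2 if has_value else 1
        else:
            i += 1
    return flags

def check_schtasks(tokens: list[str], cmdline: str) -> list[Finding]:
    flags = parse_flags(tokens)
    if "/create" not in flags:
        return []
    action = flags.get("/tr") or ""
    reasons = []
    if (flags.get("/sc") or "").upper() == "MINUTE":
        # schtasks defaults the /MO modifier to 1 for a MINUTE schedule.
        reasons.append(f"runs every {flags.get('/mo') or '1'} minute(s)")
    if is_user_writable(action):
        reasons.append(f"action {action} lives in a user-writable directory")
    if not reasons:
        return []
    return [Finding("T1053.005",
                    f"schtasks creates task {flags.get('/tn')!r}: " + "; ".join(reasons), cmdline)]

def analyze(cmdline: str) -> list[Finding]:
    tokens = tokenize(cmdline)
    exe = tokens[0].rsplit("\\", 1)[-1].lower() if tokens else ""
    if exe == "icacls.exe":
        return check_icacls(tokens, cmdline)
    if exe == "schtasks.exe":
        return check_schtasks(tokens, cmdline)
    return []

def analyze_all(cmdlines: list[str]) -> list[Finding]:
    return [f for c in cmdlines for f in analyze(c)]

# Command lines copied from the process tree above, plus one constructed
# benign /grant line as a control that must produce no finding.
REPORT_COMMANDS = [
    r'"C:\Windows\System32\icacls.exe" "C:\ProgramData\MicrosoftDocuments-type3.2.3.8" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"',
    r'"C:\Windows\System32\icacls.exe" "C:\ProgramData\MicrosoftDocuments-type3.2.3.8" /inheritance:e /deny "admin:(R,REA,RA,RD)"',
    r'"C:\Windows\System32\icacls.exe" "C:\ProgramData\MicrosoftDocuments-type3.2.3.8" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"',
    r'"C:\Windows\System32\schtasks.exe" /CREATE /TN "MicrosoftDocuments-type3.2.3.8\MicrosoftDocuments-type3.2.3.8" /TR "C:\ProgramData\MicrosoftDocuments-type3.2.3.8\MicrosoftDocuments-type3.2.3.8.exe" /SC MINUTE',
    r'"C:\Windows\System32\icacls.exe" "C:\ProgramData\Vendor" /grant "Users:(RX)"',
]
```

Hash-based blocking is weak for this sample: the Downloads section below lists the same dropped path three times with different sizes and hashes, so the command-line patterns are the more reliable signal. The same rules apply unchanged to process-creation telemetry (Sysmon Event ID 1, or Security event 4688 with command-line auditing enabled); the tokenizer honours quoted paths containing spaces, which is where a naive whitespace split of icacls arguments breaks.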

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\ProgramData\MicrosoftDocuments-type3.2.3.8\MicrosoftDocuments-type3.2.3.8.exe

    Filesize

    804.2MB

    MD5

    38f63a39e0e5cffb47476320b2a6b624

    SHA1

    e96c45f3c8614435f93d7c03b229ebb51f9d71b9

    SHA256

    01e2c9e4f5b46dcca091ee50ffd8b190eb38d9e225c25b518a0b6c3b64c924a9

    SHA512

    cb67e405ebf4cbc88923ac5f753506c79b26fd3241582ae042f3520e5a98bd0b4daeecd743db7def7d8a6a0d115f35d365e717fb2be87bed1c944e3487e2d614

  • C:\ProgramData\MicrosoftDocuments-type3.2.3.8\MicrosoftDocuments-type3.2.3.8.exe

    Filesize

    700.1MB

    MD5

    7b10aa08399c2fee625e57171f6f12db

    SHA1

    686bf449b1e57e18f01f2e07ab70322f92740a70

    SHA256

    cb54cb6e5a1dbb8cf6789a36b472f4ca6cb5140450ffe4521b8893f4bd4d5ec9

    SHA512

    19c9abf1cbe7bfbcd89ce0379c62361d7789324d699553b17ba1e3fd6b35839428b0f811214e34a745bc69d946f4c2726142161f2d7f9561ca4774e072642d9e

  • C:\ProgramData\MicrosoftDocuments-type3.2.3.8\MicrosoftDocuments-type3.2.3.8.exe

    Filesize

    667.0MB

    MD5

    452bddfd910c38a34b810eab8466b0e2

    SHA1

    d25c5f69a06d2cabc71518e41ec0dab970044e7d

    SHA256

    5091dd564526414d5ff6c7aac6d609ced29af49b06a1051ebc0022ad68a1ea0b

    SHA512

    9f21711efd6f9a71372bd4cd7f9c225d5cb5e7e3b15cf059b32a9a8cf8cea4bc5b402ca20f0823733f6d2a42175846f28197906c2cb42bce5a3a8d55c32d7f89

  • memory/3972-121-0x0000000004700000-0x0000000004B8C000-memory.dmp

    Filesize

    4.5MB

  • memory/3972-128-0x0000000009500000-0x00000000099FE000-memory.dmp

    Filesize

    5.0MB

  • memory/3972-129-0x0000000009000000-0x0000000009092000-memory.dmp

    Filesize

    584KB

  • memory/3972-130-0x0000000008F40000-0x0000000008F4A000-memory.dmp

    Filesize

    40KB

  • memory/3972-131-0x0000000008F60000-0x0000000008F70000-memory.dmp

    Filesize

    64KB

  • memory/3972-132-0x0000000008F60000-0x0000000008F70000-memory.dmp

    Filesize

    64KB

  • memory/3972-133-0x0000000008F60000-0x0000000008F70000-memory.dmp

    Filesize

    64KB