e21068e869bbf343ab637e8efbaab85ba91dab51ff12c894fd568d21e73302f8

General

Target

e21068e869bbf343ab637e8efbaab85ba91dab51ff12c894fd568d21e73302f8.exe
Size

4.6MB
MD5

1388cbfbec43284a1212f9f18e20a074
SHA1

82e9dc4248ad0070d5169ebd1078484877cc75c7
SHA256

e21068e869bbf343ab637e8efbaab85ba91dab51ff12c894fd568d21e73302f8
SHA512

1b3d5b3c9f01d4364f05a22c8da3eebc4d6419e6408098b86401051edc38aa784803b18f1af3b521466c0e4b77c2bff9f1564de823a409965350f44609e42624
SSDEEP

98304:JgFRP61hlce+gu3O+UHKZc+sRZvojwn6MTSrZ:uFRPQzceZHOc3RxAwZGF

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4660	SoftwareDistributionMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type6.4.0.2.exe
2764	SoftwareDistributionMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type6.4.0.2.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4996	icacls.exe
5076	icacls.exe
1452	icacls.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2060 set thread context of 2556	2060	e21068e869bbf343ab637e8efbaab85ba91dab51ff12c894fd568d21e73302f8.exe	67

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4112	schtasks.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2556	2060	e21068e869bbf343ab637e8efbaab85ba91dab51ff12c894fd568d21e73302f8.exe	67
PID 2060 wrote to memory of 2556	2060	e21068e869bbf343ab637e8efbaab85ba91dab51ff12c894fd568d21e73302f8.exe	67
PID 2060 wrote to memory of 2556	2060	e21068e869bbf343ab637e8efbaab85ba91dab51ff12c894fd568d21e73302f8.exe	67
PID 2060 wrote to memory of 2556	2060	e21068e869bbf343ab637e8efbaab85ba91dab51ff12c894fd568d21e73302f8.exe	67
PID 2060 wrote to memory of 2556	2060	e21068e869bbf343ab637e8efbaab85ba91dab51ff12c894fd568d21e73302f8.exe	67
PID 2556 wrote to memory of 4996	2556	AppLaunch.exe	68
PID 2556 wrote to memory of 4996	2556	AppLaunch.exe	68
PID 2556 wrote to memory of 4996	2556	AppLaunch.exe	68
PID 2556 wrote to memory of 5076	2556	AppLaunch.exe	70
PID 2556 wrote to memory of 5076	2556	AppLaunch.exe	70
PID 2556 wrote to memory of 5076	2556	AppLaunch.exe	70
PID 2556 wrote to memory of 1452	2556	AppLaunch.exe	71
PID 2556 wrote to memory of 1452	2556	AppLaunch.exe	71
PID 2556 wrote to memory of 1452	2556	AppLaunch.exe	71
PID 2556 wrote to memory of 4112	2556	AppLaunch.exe	74
PID 2556 wrote to memory of 4112	2556	AppLaunch.exe	74
PID 2556 wrote to memory of 4112	2556	AppLaunch.exe	74
PID 2556 wrote to memory of 4660	2556	AppLaunch.exe	76
PID 2556 wrote to memory of 4660	2556	AppLaunch.exe	76

C:\Users\Admin\AppData\Local\Temp\e21068e869bbf343ab637e8efbaab85ba91dab51ff12c894fd568d21e73302f8.exe
"C:\Users\Admin\AppData\Local\Temp\e21068e869bbf343ab637e8efbaab85ba91dab51ff12c894fd568d21e73302f8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\SoftwareDistributionMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type6.4.0.2" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:4996
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\SoftwareDistributionMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type6.4.0.2" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:5076
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\SoftwareDistributionMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type6.4.0.2" /inheritance:e /deny "admin:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:1452
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /CREATE /TN "SoftwareDistributionMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type6.4.0.2\SoftwareDistributionMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type6.4.0.2" /TR "C:\ProgramData\SoftwareDistributionMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type6.4.0.2\SoftwareDistributionMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type6.4.0.2.exe" /SC MINUTE
    3⤵
    - Creates scheduled task(s)
    PID:4112
- - C:\ProgramData\SoftwareDistributionMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type6.4.0.2\SoftwareDistributionMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type6.4.0.2.exe
    "C:\ProgramData\SoftwareDistributionMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type6.4.0.2\SoftwareDistributionMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type6.4.0.2.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Executes dropped EXE
    PID:4660

C:\ProgramData\SoftwareDistributionMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type6.4.0.2\SoftwareDistributionMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type6.4.0.2.exe
C:\ProgramData\SoftwareDistributionMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type6.4.0.2\SoftwareDistributionMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type6.4.0.2.exe
1⤵
- Executes dropped EXE
PID:2764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SoftwareDistributionMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type6.4.0.2\SoftwareDistributionMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type6.4.0.2.exe

Filesize
767.6MB

MD5
04232c6d20a4e859baf12645aa1b4bc6

SHA1
de18418ef0dfba39f1cdda50d486932683db5bc2

SHA256
8806a5742b3c53f6ad10104579c5c64402effd2629119b524076e1f3324ddebc

SHA512
7e7d8635eb5a3c5f750320c834b4d21a201c34194f808f293da00dba8ada0eca79c9d6b08c823c136ea53066e2b01122f3846e82e5416e04ba240e63e52c0770

Download Submit
C:\ProgramData\SoftwareDistributionMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type6.4.0.2\SoftwareDistributionMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type6.4.0.2.exe

Filesize
742.3MB

MD5
66c0c8be61f4c770b58d5d12196903aa

SHA1
4f871d9361a67a01c899eccd35651fccdf1c8b24

SHA256
a5155adf6bdd1cfb2cc56b78611cc0362e3c63a03bf9b5276db4756f5ef691bc

SHA512
e7839128749cc1bdf435d2a483432437d67e154eee8b5d56af6e1271b90bb3919f6ebc8f466f26541db71328d679468dd436e21292807600661fd25e5a208958

Download Submit
C:\ProgramData\SoftwareDistributionMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type6.4.0.2\SoftwareDistributionMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type6.4.0.2.exe

Filesize
358.5MB

MD5
099440cdff9ba04b33ac78747191b03b

SHA1
86f22ebcfb6e0df444702abb7bfb4f2077de6599

SHA256
7a82af037188f211f60eacb007720a25dd87486ccbc8ed96c85dd5173c5dff06

SHA512
72c764c4dda913cd530c82621838d4d35711e0be9f24f97c86128daf652d06c98034cfab71c84651f07d5abec7cad93ef8cb3d72c5550c7c542b1ab5ce47917d

Download Submit
memory/2556-122-0x0000000000740000-0x0000000000BCC000-memory.dmp

Filesize
4.5MB

Download
memory/2556-129-0x0000000009640000-0x0000000009B3E000-memory.dmp

Filesize
5.0MB

Download
memory/2556-130-0x0000000009090000-0x0000000009122000-memory.dmp

Filesize
584KB

Download
memory/2556-131-0x0000000009060000-0x000000000906A000-memory.dmp

Filesize
40KB

Download
memory/2556-132-0x00000000092F0000-0x0000000009300000-memory.dmp

Filesize
64KB

Download
memory/2556-133-0x00000000092F0000-0x0000000009300000-memory.dmp

Filesize
64KB

Download
memory/2556-134-0x00000000092F0000-0x0000000009300000-memory.dmp

Filesize
64KB

Download
memory/2556-135-0x00000000092F0000-0x0000000009300000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads