f1b92ffa009cc6386a41c029b0d091d41f2a73f6fb43f2e3f925651a843f1c11

General

Target

f1b92ffa009cc6386a41c029b0d091d41f2a73f6fb43f2e3f925651a843f1c11.exe
Size

4.6MB
MD5

469e8bfd42a83e276331e5fb586060d1
SHA1

2bd1bd4a5172a967d775809c098182d3ae5ddba5
SHA256

f1b92ffa009cc6386a41c029b0d091d41f2a73f6fb43f2e3f925651a843f1c11
SHA512

4de58af4f00756cd2f5c4f6286308f5496126e3c1148d3d5bb309b8c28445acd46bb83290a84711013fb636f3e831da2f62c731a440923e0e9e44d204353cb3d
SSDEEP

98304:aFRP61hlce+gu3O+UHKZc+sRZvojwn6MTSrJ:aFRPQzceZHOc3RxAwZGV

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1988	Desktopregid.1991-06.com.microsoft-type4.2.9.5.exe
2460	Desktopregid.1991-06.com.microsoft-type4.2.9.5.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1772	icacls.exe
3788	icacls.exe
5052	icacls.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 932 set thread context of 3912	932	f1b92ffa009cc6386a41c029b0d091d41f2a73f6fb43f2e3f925651a843f1c11.exe	88

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2392	schtasks.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 932 wrote to memory of 3912	932	f1b92ffa009cc6386a41c029b0d091d41f2a73f6fb43f2e3f925651a843f1c11.exe	88
PID 932 wrote to memory of 3912	932	f1b92ffa009cc6386a41c029b0d091d41f2a73f6fb43f2e3f925651a843f1c11.exe	88
PID 932 wrote to memory of 3912	932	f1b92ffa009cc6386a41c029b0d091d41f2a73f6fb43f2e3f925651a843f1c11.exe	88
PID 932 wrote to memory of 3912	932	f1b92ffa009cc6386a41c029b0d091d41f2a73f6fb43f2e3f925651a843f1c11.exe	88
PID 932 wrote to memory of 3912	932	f1b92ffa009cc6386a41c029b0d091d41f2a73f6fb43f2e3f925651a843f1c11.exe	88
PID 3912 wrote to memory of 3788	3912	AppLaunch.exe	96
PID 3912 wrote to memory of 3788	3912	AppLaunch.exe	96
PID 3912 wrote to memory of 3788	3912	AppLaunch.exe	96
PID 3912 wrote to memory of 5052	3912	AppLaunch.exe	98
PID 3912 wrote to memory of 5052	3912	AppLaunch.exe	98
PID 3912 wrote to memory of 5052	3912	AppLaunch.exe	98
PID 3912 wrote to memory of 1772	3912	AppLaunch.exe	100
PID 3912 wrote to memory of 1772	3912	AppLaunch.exe	100
PID 3912 wrote to memory of 1772	3912	AppLaunch.exe	100
PID 3912 wrote to memory of 2392	3912	AppLaunch.exe	102
PID 3912 wrote to memory of 2392	3912	AppLaunch.exe	102
PID 3912 wrote to memory of 2392	3912	AppLaunch.exe	102
PID 3912 wrote to memory of 1988	3912	AppLaunch.exe	104
PID 3912 wrote to memory of 1988	3912	AppLaunch.exe	104

C:\Users\Admin\AppData\Local\Temp\f1b92ffa009cc6386a41c029b0d091d41f2a73f6fb43f2e3f925651a843f1c11.exe
"C:\Users\Admin\AppData\Local\Temp\f1b92ffa009cc6386a41c029b0d091d41f2a73f6fb43f2e3f925651a843f1c11.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3912
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\Desktopregid.1991-06.com.microsoft-type4.2.9.5" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:3788
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\Desktopregid.1991-06.com.microsoft-type4.2.9.5" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:5052
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\Desktopregid.1991-06.com.microsoft-type4.2.9.5" /inheritance:e /deny "admin:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:1772
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /CREATE /TN "Desktopregid.1991-06.com.microsoft-type4.2.9.5\Desktopregid.1991-06.com.microsoft-type4.2.9.5" /TR "C:\ProgramData\Desktopregid.1991-06.com.microsoft-type4.2.9.5\Desktopregid.1991-06.com.microsoft-type4.2.9.5.exe" /SC MINUTE
    3⤵
    - Creates scheduled task(s)
    PID:2392
- - C:\ProgramData\Desktopregid.1991-06.com.microsoft-type4.2.9.5\Desktopregid.1991-06.com.microsoft-type4.2.9.5.exe
    "C:\ProgramData\Desktopregid.1991-06.com.microsoft-type4.2.9.5\Desktopregid.1991-06.com.microsoft-type4.2.9.5.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Executes dropped EXE
    PID:1988

C:\ProgramData\Desktopregid.1991-06.com.microsoft-type4.2.9.5\Desktopregid.1991-06.com.microsoft-type4.2.9.5.exe
C:\ProgramData\Desktopregid.1991-06.com.microsoft-type4.2.9.5\Desktopregid.1991-06.com.microsoft-type4.2.9.5.exe
1⤵
- Executes dropped EXE
PID:2460

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Desktopregid.1991-06.com.microsoft-type4.2.9.5\Desktopregid.1991-06.com.microsoft-type4.2.9.5.exe

Filesize
648.1MB

MD5
49c6ae71afcdf26b04402d7d2075c9f3

SHA1
6e600cc2f649022f58bd3d4af263f0eaf7f1c0c3

SHA256
28273d4ed202025e23a0f5ac04519b92c7031157fa72a658725c42ba4099ec43

SHA512
2b9970c4ff94c1fe343dd470d70b2ffdc056fe1099ef55547e542b02ee64affbb4e607c6d5e66e4d15e75de1cb61a8902b36790db16eb020cdce54d4ec5326f6

Download Submit
C:\ProgramData\Desktopregid.1991-06.com.microsoft-type4.2.9.5\Desktopregid.1991-06.com.microsoft-type4.2.9.5.exe

Filesize
598.1MB

MD5
bd71f858ad1e5dab1e86cd0715110806

SHA1
200ffab89322828768dee81aeca218bed711e5b0

SHA256
656304574641ff8d794b08547ddd6b849ccd2ded874e7b48becec1ed16ce5c21

SHA512
2291664cfa9db2dc3e6a914d3f47ad3b8519aab802b48f41968806def9802dbc43f0931c68491232d2fe45bcc500f53a2a6049b6573f5777e86f5f91e6380dc6

Download Submit
C:\ProgramData\Desktopregid.1991-06.com.microsoft-type4.2.9.5\Desktopregid.1991-06.com.microsoft-type4.2.9.5.exe

Filesize
584.2MB

MD5
e5be991fe4339f6ef1c68040f2a63656

SHA1
65c16f1dddc7287e1eea631c67b5f493793eb8d3

SHA256
c544f4789ec3f777160ecd6c580b6c40d40d729b0cbc2fb5761782eecfdc93f1

SHA512
7554eb65bcda3133cf9c3b29b08a1cb2dc824b38eba0bbd8a983972c332b4ece4a9293568aa09ff77dab0ef32f2634411082898b7e63b68a14efad62b5ba5670

Download Submit
C:\ProgramData\Desktopregid.1991-06.com.microsoft-type4.2.9.5\Desktopregid.1991-06.com.microsoft-type4.2.9.5.exe

Filesize
190.4MB

MD5
c617776e102f5378a42d61d9d347db2b

SHA1
b290f24425bfaf05dd05ded25d911dbafc141d8e

SHA256
fa949fe5ef47629a4e6f9316d017aed40c0282e32eb613cbf330ed601f323006

SHA512
7e4b023ee5cea6268bb573c7a490ad0edfe3dac07a69b234bceaf07037cf45dc2561ebdec9fbd774c04d758ec503849060c0eba3f9be7d4c96bcf3dcacdb1b33

Download Submit
memory/3912-134-0x0000000000900000-0x0000000000D8C000-memory.dmp

Filesize
4.5MB

Download
memory/3912-139-0x0000000005760000-0x0000000005D04000-memory.dmp

Filesize
5.6MB

Download
memory/3912-140-0x00000000052A0000-0x0000000005332000-memory.dmp

Filesize
584KB

Download
memory/3912-141-0x0000000005370000-0x000000000537A000-memory.dmp

Filesize
40KB

Download
memory/3912-142-0x0000000005530000-0x0000000005540000-memory.dmp

Filesize
64KB

Download
memory/3912-143-0x0000000005530000-0x0000000005540000-memory.dmp

Filesize
64KB

Download
memory/3912-144-0x0000000005530000-0x0000000005540000-memory.dmp

Filesize
64KB

Download
memory/3912-145-0x0000000005530000-0x0000000005540000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads