3a0e50bf1a90925d4d255b7e5febea46e173a1081c2208d6bfef90cd0724c4f1

General

Target

3a0e50bf1a90925d4d255b7e5febea46e173a1081c2208d6bfef90cd0724c4f1.exe
Size

4.6MB
MD5

af732877d559768744a14634c14686ad
SHA1

85d5d8636f0f2b19133450e94bae6dddfad30aeb
SHA256

3a0e50bf1a90925d4d255b7e5febea46e173a1081c2208d6bfef90cd0724c4f1
SHA512

56344b1ede822bcecd99c71a06e584f3d344f8b7cb75d69a12ba42a859c5985d8238a4dca8c220e8199d89b4be949469a13d0d7fa40bcccc574fa47a9cc5381f
SSDEEP

98304:okFRP61hlce+gu3O+UHKZc+sRZvojwn6MTSrp:okFRPQzceZHOc3RxAwZG1

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3900	MicrosoftTemplates-type5.4.3.1.exe
3612	MicrosoftTemplates-type5.4.3.1.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4656	icacls.exe
3576	icacls.exe
4512	icacls.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2692 set thread context of 2532	2692	3a0e50bf1a90925d4d255b7e5febea46e173a1081c2208d6bfef90cd0724c4f1.exe	85

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4976	schtasks.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2532	2692	3a0e50bf1a90925d4d255b7e5febea46e173a1081c2208d6bfef90cd0724c4f1.exe	85
PID 2692 wrote to memory of 2532	2692	3a0e50bf1a90925d4d255b7e5febea46e173a1081c2208d6bfef90cd0724c4f1.exe	85
PID 2692 wrote to memory of 2532	2692	3a0e50bf1a90925d4d255b7e5febea46e173a1081c2208d6bfef90cd0724c4f1.exe	85
PID 2692 wrote to memory of 2532	2692	3a0e50bf1a90925d4d255b7e5febea46e173a1081c2208d6bfef90cd0724c4f1.exe	85
PID 2692 wrote to memory of 2532	2692	3a0e50bf1a90925d4d255b7e5febea46e173a1081c2208d6bfef90cd0724c4f1.exe	85
PID 2532 wrote to memory of 4656	2532	AppLaunch.exe	98
PID 2532 wrote to memory of 4656	2532	AppLaunch.exe	98
PID 2532 wrote to memory of 4656	2532	AppLaunch.exe	98
PID 2532 wrote to memory of 3576	2532	AppLaunch.exe	100
PID 2532 wrote to memory of 3576	2532	AppLaunch.exe	100
PID 2532 wrote to memory of 3576	2532	AppLaunch.exe	100
PID 2532 wrote to memory of 4512	2532	AppLaunch.exe	103
PID 2532 wrote to memory of 4512	2532	AppLaunch.exe	103
PID 2532 wrote to memory of 4512	2532	AppLaunch.exe	103
PID 2532 wrote to memory of 4976	2532	AppLaunch.exe	104
PID 2532 wrote to memory of 4976	2532	AppLaunch.exe	104
PID 2532 wrote to memory of 4976	2532	AppLaunch.exe	104
PID 2532 wrote to memory of 3900	2532	AppLaunch.exe	106
PID 2532 wrote to memory of 3900	2532	AppLaunch.exe	106

C:\Users\Admin\AppData\Local\Temp\3a0e50bf1a90925d4d255b7e5febea46e173a1081c2208d6bfef90cd0724c4f1.exe
"C:\Users\Admin\AppData\Local\Temp\3a0e50bf1a90925d4d255b7e5febea46e173a1081c2208d6bfef90cd0724c4f1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\MicrosoftTemplates-type5.4.3.1" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:4656
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\MicrosoftTemplates-type5.4.3.1" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:3576
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\MicrosoftTemplates-type5.4.3.1" /inheritance:e /deny "admin:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:4512
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /CREATE /TN "MicrosoftTemplates-type5.4.3.1\MicrosoftTemplates-type5.4.3.1" /TR "C:\ProgramData\MicrosoftTemplates-type5.4.3.1\MicrosoftTemplates-type5.4.3.1.exe" /SC MINUTE
    3⤵
    - Creates scheduled task(s)
    PID:4976
- - C:\ProgramData\MicrosoftTemplates-type5.4.3.1\MicrosoftTemplates-type5.4.3.1.exe
    "C:\ProgramData\MicrosoftTemplates-type5.4.3.1\MicrosoftTemplates-type5.4.3.1.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Executes dropped EXE
    PID:3900

C:\ProgramData\MicrosoftTemplates-type5.4.3.1\MicrosoftTemplates-type5.4.3.1.exe
C:\ProgramData\MicrosoftTemplates-type5.4.3.1\MicrosoftTemplates-type5.4.3.1.exe
1⤵
- Executes dropped EXE
PID:3612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\MicrosoftTemplates-type5.4.3.1\MicrosoftTemplates-type5.4.3.1.exe

Filesize
856.8MB

MD5
1dbfea7b17f2a70d48cc9e49eb981ae0

SHA1
21f0e25b2c0605da4619496350ada3fbb684a730

SHA256
f5fd535e77eff4193353d4c343d9a13e74b2b3e79087b0c89c8c6435e317d2cc

SHA512
589dfe19a5d697e0d032c8d7d10b390f2f383bc84ddbdbb51fb21779d2499aa4dffb26459fa7038b878a216280752ba0acb75cc7b736a24d71cc65ccc70c435b

Download Submit
C:\ProgramData\MicrosoftTemplates-type5.4.3.1\MicrosoftTemplates-type5.4.3.1.exe

Filesize
856.8MB

MD5
1dbfea7b17f2a70d48cc9e49eb981ae0

SHA1
21f0e25b2c0605da4619496350ada3fbb684a730

SHA256
f5fd535e77eff4193353d4c343d9a13e74b2b3e79087b0c89c8c6435e317d2cc

SHA512
589dfe19a5d697e0d032c8d7d10b390f2f383bc84ddbdbb51fb21779d2499aa4dffb26459fa7038b878a216280752ba0acb75cc7b736a24d71cc65ccc70c435b

Download Submit
C:\ProgramData\MicrosoftTemplates-type5.4.3.1\MicrosoftTemplates-type5.4.3.1.exe

Filesize
365.6MB

MD5
ebdfbca6884babeee229cda3f03265c0

SHA1
88f36ba631ea3deb7c8c122e301b6f23a7c6cc49

SHA256
ae646fcd01ed0e587c6ff02ec5ff266ab35edf1750ee854253ecbaa5b5fe668a

SHA512
47cf1e6ca4cdd32eab38c07d12aa64401f95b4d09104f05f3e82c46affcfa7dc1922f51cceb8e267ab5ad9cc94fa99b7e06b6b63e671aaeba5ee6a55c01d2cdd

Download Submit
memory/2532-134-0x0000000000D00000-0x000000000118C000-memory.dmp

Filesize
4.5MB

Download
memory/2532-139-0x0000000005AD0000-0x0000000006074000-memory.dmp

Filesize
5.6MB

Download
memory/2532-140-0x00000000055C0000-0x0000000005652000-memory.dmp

Filesize
584KB

Download
memory/2532-141-0x0000000005780000-0x000000000578A000-memory.dmp

Filesize
40KB

Download
memory/2532-142-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/2532-143-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/2532-144-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/2532-145-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads