ff5c080f472342f8394a52df7e596ae6acc9e7451d2f2bcb32f2603f1e13e987

General

Target

f2f0cea4d982de0c2a72b3ad036f95d8.exe
Size

4.6MB
MD5

f2f0cea4d982de0c2a72b3ad036f95d8
SHA1

9f95e32f3527b1bb43003ca463d0da1ea6a9fb66
SHA256

ff5c080f472342f8394a52df7e596ae6acc9e7451d2f2bcb32f2603f1e13e987
SHA512

7d8159dd69aa46e69a838ef7fcb1fcbd49f06c4c89be27873fbff74b9f7a3b80689e00da30336422b4961179fd28dd60c5c4aff7410107456fba773823e82ed6
SSDEEP

49152:ICs1N0xewXOBD4GaacfSG0K4ubh1992ZccWWF6ybP5XVvdDbNtOL4cCZtey+4t4l:YojKDtNkS8CRNdDJLcwZ+419RlmItbDe

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4080	USOSharedUSOShared-type2.5.9.8.exe
2188	USOSharedUSOShared-type2.5.9.8.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2808	icacls.exe
4304	icacls.exe
3724	icacls.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4436 set thread context of 2804	4436	f2f0cea4d982de0c2a72b3ad036f95d8.exe	87

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4944	schtasks.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4436 wrote to memory of 2804	4436	f2f0cea4d982de0c2a72b3ad036f95d8.exe	87
PID 4436 wrote to memory of 2804	4436	f2f0cea4d982de0c2a72b3ad036f95d8.exe	87
PID 4436 wrote to memory of 2804	4436	f2f0cea4d982de0c2a72b3ad036f95d8.exe	87
PID 4436 wrote to memory of 2804	4436	f2f0cea4d982de0c2a72b3ad036f95d8.exe	87
PID 4436 wrote to memory of 2804	4436	f2f0cea4d982de0c2a72b3ad036f95d8.exe	87
PID 2804 wrote to memory of 2808	2804	AppLaunch.exe	94
PID 2804 wrote to memory of 2808	2804	AppLaunch.exe	94
PID 2804 wrote to memory of 2808	2804	AppLaunch.exe	94
PID 2804 wrote to memory of 4304	2804	AppLaunch.exe	96
PID 2804 wrote to memory of 4304	2804	AppLaunch.exe	96
PID 2804 wrote to memory of 4304	2804	AppLaunch.exe	96
PID 2804 wrote to memory of 3724	2804	AppLaunch.exe	99
PID 2804 wrote to memory of 3724	2804	AppLaunch.exe	99
PID 2804 wrote to memory of 3724	2804	AppLaunch.exe	99
PID 2804 wrote to memory of 4944	2804	AppLaunch.exe	100
PID 2804 wrote to memory of 4944	2804	AppLaunch.exe	100
PID 2804 wrote to memory of 4944	2804	AppLaunch.exe	100
PID 2804 wrote to memory of 4080	2804	AppLaunch.exe	101
PID 2804 wrote to memory of 4080	2804	AppLaunch.exe	101

C:\Users\Admin\AppData\Local\Temp\f2f0cea4d982de0c2a72b3ad036f95d8.exe
"C:\Users\Admin\AppData\Local\Temp\f2f0cea4d982de0c2a72b3ad036f95d8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\USOSharedUSOShared-type2.5.9.8" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:2808
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\USOSharedUSOShared-type2.5.9.8" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:4304
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\USOSharedUSOShared-type2.5.9.8" /inheritance:e /deny "admin:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:3724
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /CREATE /TN "USOSharedUSOShared-type2.5.9.8\USOSharedUSOShared-type2.5.9.8" /TR "C:\ProgramData\USOSharedUSOShared-type2.5.9.8\USOSharedUSOShared-type2.5.9.8.exe" /SC MINUTE
    3⤵
    - Creates scheduled task(s)
    PID:4944
- - C:\ProgramData\USOSharedUSOShared-type2.5.9.8\USOSharedUSOShared-type2.5.9.8.exe
    "C:\ProgramData\USOSharedUSOShared-type2.5.9.8\USOSharedUSOShared-type2.5.9.8.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Executes dropped EXE
    PID:4080

C:\ProgramData\USOSharedUSOShared-type2.5.9.8\USOSharedUSOShared-type2.5.9.8.exe
C:\ProgramData\USOSharedUSOShared-type2.5.9.8\USOSharedUSOShared-type2.5.9.8.exe
1⤵
- Executes dropped EXE
PID:2188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\USOSharedUSOShared-type2.5.9.8\USOSharedUSOShared-type2.5.9.8.exe

Filesize
572.6MB

MD5
cfa079e78c6a25ea963d0e31d4c3a39e

SHA1
e89cb169c0f34d475c0829dc31654a46ab9c4b9a

SHA256
b44c6b8e82be6c9bd4ff8b8da0a1d867d09af1e3196ae3fd688af2cde2706908

SHA512
b49e294dac2385b397fb79a79fc7f5c1116c54720b9e9e245d2cf623b379b42fdfad0e8d330bff6da7e874115d1cfb1a70a0b9c1e364ba5c81dedc265b39a690

Download Submit
C:\ProgramData\USOSharedUSOShared-type2.5.9.8\USOSharedUSOShared-type2.5.9.8.exe

Filesize
568.3MB

MD5
a23e17fd972002dd3d5c242738dfe1ad

SHA1
f18f59455360638c5bfcba44760cb254faa6987b

SHA256
9a2f885209d6b142596228d062b149cf2c57bda39e04abd454014aa045d1295b

SHA512
9b2e6c455e34db78f6da0919b048fe8442b57c1be7e4e233f95839ee1cc34eb67cabfeb5108aa19bb9e8881bdbe3c8118046e1c6af7f21ec4c399a135d3e7fbf

Download Submit
C:\ProgramData\USOSharedUSOShared-type2.5.9.8\USOSharedUSOShared-type2.5.9.8.exe

Filesize
598.9MB

MD5
3048aa1b5549529afa557eb47e8d896f

SHA1
b8ea4ba5c78e07d8ed94dcde2bce3a5f08864a22

SHA256
1503e203b2569eed4558445def0f0e1556e01a49629555ad9cb808d692ff40ac

SHA512
13b94fbc7055332a23abab84ceba6604c6c7babb5738f9a174aaaec1ba74e37286b54636b38abb26ec80de2be93eb8dfded7a9fd50974a4e56da81f609104216

Download Submit
C:\ProgramData\USOSharedUSOShared-type2.5.9.8\USOSharedUSOShared-type2.5.9.8.exe

Filesize
217.2MB

MD5
7b0624ab44cf039902417ca22dabfed6

SHA1
a45b638fcc737d03a682b4526a9bb34aec70d7ec

SHA256
526c074e4c13f4a27dcd7a8a43aab8f7887c95665f7c91414cb78cc9f904a3ba

SHA512
3b971d9574d2e500c8142b645b408febeca35af81757054cd108e3305b115fff8017f76b5a5fb39448e284240baef0757b507f236256c7e52b23054468e9c6f8

Download Submit
memory/2804-134-0x0000000000C00000-0x000000000108C000-memory.dmp

Filesize
4.5MB

Download
memory/2804-139-0x0000000005D40000-0x00000000062E4000-memory.dmp

Filesize
5.6MB

Download
memory/2804-140-0x0000000005670000-0x0000000005702000-memory.dmp

Filesize
584KB

Download
memory/2804-141-0x0000000005730000-0x000000000573A000-memory.dmp

Filesize
40KB

Download
memory/2804-142-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download
memory/2804-143-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download
memory/2804-144-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download
memory/2804-145-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads