e25a1050eba1d2800e12178ec056082cb84e4825dfab58c3a44a173b6f9c1792

Analysis

max time kernel
48s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
13/03/2023, 05:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e25a1050eba1d2800e12178ec056082cb84e4825dfab58c3a44a173b6f9c1792.exe
Size

4.7MB
MD5

e51f56cff8d20eabff2f5097e89617f0
SHA1

bb44250f7c7b658e0b004d1a50e8311401047f74
SHA256

e25a1050eba1d2800e12178ec056082cb84e4825dfab58c3a44a173b6f9c1792
SHA512

a8db7f2e6ded80f4052d91083ff3ba5bb26af14cea16378cb840924792be42628b1770f0c977530383c8929c5fadb47c40a557012fb2aeeae53384f8c50ea7b3
SSDEEP

98304:XrNDnifgPgjhcObmRCevTu6QDiU98WJONhZ9gsb0jJu/2vJYL4oo2:XFBMuOCTpDLaqiRYLv

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
804	TemplatesTemplates-type2.6.5.2.exe
1288	TemplatesTemplates-type2.6.5.2.exe

Loads dropped DLL 4 IoCs

pid	Process
1072	AppLaunch.exe
1072	AppLaunch.exe
1048	taskeng.exe
1048	taskeng.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1360	icacls.exe
1768	icacls.exe
1604	icacls.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2004 set thread context of 1960	2004	e25a1050eba1d2800e12178ec056082cb84e4825dfab58c3a44a173b6f9c1792.exe	29
PID 1960 set thread context of 1072	1960	AppLaunch.exe	31

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
880	schtasks.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 1960	2004	e25a1050eba1d2800e12178ec056082cb84e4825dfab58c3a44a173b6f9c1792.exe	29
PID 2004 wrote to memory of 1960	2004	e25a1050eba1d2800e12178ec056082cb84e4825dfab58c3a44a173b6f9c1792.exe	29
PID 2004 wrote to memory of 1960	2004	e25a1050eba1d2800e12178ec056082cb84e4825dfab58c3a44a173b6f9c1792.exe	29
PID 2004 wrote to memory of 1960	2004	e25a1050eba1d2800e12178ec056082cb84e4825dfab58c3a44a173b6f9c1792.exe	29
PID 2004 wrote to memory of 1960	2004	e25a1050eba1d2800e12178ec056082cb84e4825dfab58c3a44a173b6f9c1792.exe	29
PID 2004 wrote to memory of 1960	2004	e25a1050eba1d2800e12178ec056082cb84e4825dfab58c3a44a173b6f9c1792.exe	29
PID 2004 wrote to memory of 1960	2004	e25a1050eba1d2800e12178ec056082cb84e4825dfab58c3a44a173b6f9c1792.exe	29
PID 2004 wrote to memory of 1960	2004	e25a1050eba1d2800e12178ec056082cb84e4825dfab58c3a44a173b6f9c1792.exe	29
PID 2004 wrote to memory of 1960	2004	e25a1050eba1d2800e12178ec056082cb84e4825dfab58c3a44a173b6f9c1792.exe	29
PID 1960 wrote to memory of 1072	1960	AppLaunch.exe	31
PID 1960 wrote to memory of 1072	1960	AppLaunch.exe	31
PID 1960 wrote to memory of 1072	1960	AppLaunch.exe	31
PID 1960 wrote to memory of 1072	1960	AppLaunch.exe	31
PID 1960 wrote to memory of 1072	1960	AppLaunch.exe	31
PID 1960 wrote to memory of 1072	1960	AppLaunch.exe	31
PID 1960 wrote to memory of 1072	1960	AppLaunch.exe	31
PID 1960 wrote to memory of 1072	1960	AppLaunch.exe	31
PID 1960 wrote to memory of 1072	1960	AppLaunch.exe	31
PID 1072 wrote to memory of 1360	1072	AppLaunch.exe	32
PID 1072 wrote to memory of 1360	1072	AppLaunch.exe	32
PID 1072 wrote to memory of 1360	1072	AppLaunch.exe	32
PID 1072 wrote to memory of 1360	1072	AppLaunch.exe	32
PID 1072 wrote to memory of 1360	1072	AppLaunch.exe	32
PID 1072 wrote to memory of 1360	1072	AppLaunch.exe	32
PID 1072 wrote to memory of 1360	1072	AppLaunch.exe	32
PID 1072 wrote to memory of 1768	1072	AppLaunch.exe	33
PID 1072 wrote to memory of 1768	1072	AppLaunch.exe	33
PID 1072 wrote to memory of 1768	1072	AppLaunch.exe	33
PID 1072 wrote to memory of 1768	1072	AppLaunch.exe	33
PID 1072 wrote to memory of 1768	1072	AppLaunch.exe	33
PID 1072 wrote to memory of 1768	1072	AppLaunch.exe	33
PID 1072 wrote to memory of 1768	1072	AppLaunch.exe	33
PID 1072 wrote to memory of 1604	1072	AppLaunch.exe	36
PID 1072 wrote to memory of 1604	1072	AppLaunch.exe	36
PID 1072 wrote to memory of 1604	1072	AppLaunch.exe	36
PID 1072 wrote to memory of 1604	1072	AppLaunch.exe	36
PID 1072 wrote to memory of 1604	1072	AppLaunch.exe	36
PID 1072 wrote to memory of 1604	1072	AppLaunch.exe	36
PID 1072 wrote to memory of 1604	1072	AppLaunch.exe	36
PID 1072 wrote to memory of 880	1072	AppLaunch.exe	38
PID 1072 wrote to memory of 880	1072	AppLaunch.exe	38
PID 1072 wrote to memory of 880	1072	AppLaunch.exe	38
PID 1072 wrote to memory of 880	1072	AppLaunch.exe	38
PID 1072 wrote to memory of 880	1072	AppLaunch.exe	38
PID 1072 wrote to memory of 880	1072	AppLaunch.exe	38
PID 1072 wrote to memory of 880	1072	AppLaunch.exe	38
PID 1072 wrote to memory of 804	1072	AppLaunch.exe	40
PID 1072 wrote to memory of 804	1072	AppLaunch.exe	40
PID 1072 wrote to memory of 804	1072	AppLaunch.exe	40
PID 1072 wrote to memory of 804	1072	AppLaunch.exe	40
PID 1048 wrote to memory of 1288	1048	taskeng.exe	42
PID 1048 wrote to memory of 1288	1048	taskeng.exe	42
PID 1048 wrote to memory of 1288	1048	taskeng.exe	42

C:\Users\Admin\AppData\Local\Temp\e25a1050eba1d2800e12178ec056082cb84e4825dfab58c3a44a173b6f9c1792.exe
"C:\Users\Admin\AppData\Local\Temp\e25a1050eba1d2800e12178ec056082cb84e4825dfab58c3a44a173b6f9c1792.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1072
  - - C:\Windows\SysWOW64\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\ProgramData\TemplatesTemplates-type2.6.5.2" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
      4⤵
      Modifies file permissions
      PID:1360
  - - C:\Windows\SysWOW64\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\ProgramData\TemplatesTemplates-type2.6.5.2" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
      4⤵
      Modifies file permissions
      PID:1768
  - - C:\Windows\SysWOW64\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\ProgramData\TemplatesTemplates-type2.6.5.2" /inheritance:e /deny "admin:(R,REA,RA,RD)"
      4⤵
      Modifies file permissions
      PID:1604
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /CREATE /TN "TemplatesTemplates-type2.6.5.2\TemplatesTemplates-type2.6.5.2" /TR "C:\ProgramData\TemplatesTemplates-type2.6.5.2\TemplatesTemplates-type2.6.5.2.exe" /SC MINUTE
      4⤵
      Creates scheduled task(s)
      PID:880
  - - C:\ProgramData\TemplatesTemplates-type2.6.5.2\TemplatesTemplates-type2.6.5.2.exe
      "C:\ProgramData\TemplatesTemplates-type2.6.5.2\TemplatesTemplates-type2.6.5.2.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Executes dropped EXE
      PID:804

C:\Windows\system32\taskeng.exe
taskeng.exe {3614CCF5-9CD0-4FF4-9349-95605DB89FFD} S-1-5-21-3948302646-268491222-1934009652-1000:KXZDHPUW\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1048
- C:\ProgramData\TemplatesTemplates-type2.6.5.2\TemplatesTemplates-type2.6.5.2.exe
  C:\ProgramData\TemplatesTemplates-type2.6.5.2\TemplatesTemplates-type2.6.5.2.exe
  2⤵
  - Executes dropped EXE
  PID:1288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TemplatesTemplates-type2.6.5.2\TemplatesTemplates-type2.6.5.2.exe

Filesize
571.8MB

MD5
fbba4e25a76384ffb48933064cffab0c

SHA1
a360ae16fe1d1c79759b62cb06943ee8236aa33d

SHA256
4f53857fc3afa33de3fc9ca38e3400104b29799c5631e5c3dd86ff3eb0a06ef8

SHA512
a61a132a727a0759698a46af1629914e757772ba00556d12cc4faf4d720f12876041498c208aabfdc61adc667defe397890e39fc0bda69534b17daeaabb1027c

Download Submit
C:\ProgramData\TemplatesTemplates-type2.6.5.2\TemplatesTemplates-type2.6.5.2.exe

Filesize
586.6MB

MD5
c49e24e0fb1a22535f7c6a33925ab45a

SHA1
2c6f7d88d6880740a4698a57280e3bccafe1985d

SHA256
356b77db012db33a3f6a95c78ea7525794ff93904d656df5a5985f7b71214fa2

SHA512
9eaadbccfae551dcb236225941fbef6c77314bf7ceb4fc7ba6b03e908b244b8303c1ac1538f1265a556c4739a9594f647cad431ea021e6a66392bde009a3c35f

Download Submit
C:\ProgramData\TemplatesTemplates-type2.6.5.2\TemplatesTemplates-type2.6.5.2.exe

Filesize
581.5MB

MD5
88602a8055b7c8caa0fab0febca7c731

SHA1
f2e58d1f09ed6c64da19a53b246f99a70e1fa8cf

SHA256
73002edeba08d47f2f57eaba6477fd47357c40a1bb945799d384940a37d90954

SHA512
39f8933c4bf3e76b0b034cc676982781f267149726a7a8ed5d8136a79138e1d7ad00364a5ad966d0fbd2503245beb5c70369a5068c4954725065f4c5440335c4

Download Submit
C:\ProgramData\TemplatesTemplates-type2.6.5.2\TemplatesTemplates-type2.6.5.2.exe

Filesize
518.5MB

MD5
fc26b803b8e569c8deca1d5f306d3c4d

SHA1
49b1b435fdbf60d5b94859f68664b6d49c1fb6c4

SHA256
f2adc6ab8722d529f156c980e662ca7c6e4d0e5808791539c504ebdaebf8c909

SHA512
c5fc6407b4319cd0cd816f05d3320854f803b5036626946cbae1ce0434271dcac06ff5eb73aa2424ca696a3023fe045e8436ddc21fe0417fcb70191301f4f3c4

Download Submit
\ProgramData\TemplatesTemplates-type2.6.5.2\TemplatesTemplates-type2.6.5.2.exe

Filesize
570.3MB

MD5
32d6ce8c6bdec61f7671ac8b5d757ce0

SHA1
122333867e26c84c6c6a789847efe5abd70eab2f

SHA256
413a0f88c2b3b40f2ef4477740285233812491b5c25f7792dfc3e5863cb65bf4

SHA512
e70c2b436c9d35b089c34063ed29f16a612ddaf78751ab1d0b442c31f0bc9bc3560f97d6a29513dff74c7d8d3e2dcc937786621559445595e5393a498ba13a0b

Download Submit
\ProgramData\TemplatesTemplates-type2.6.5.2\TemplatesTemplates-type2.6.5.2.exe

Filesize
597.1MB

MD5
1a7cfb40d0e0913d99caeb49dcb939f6

SHA1
87f07c8076c301245bea4a47bb851eb907c6cc08

SHA256
3f11a9c9d25f7ab7a7c97105983533d2e44cb9c1a0baa26b336f6591ee1b4c2a

SHA512
972c8c3eab5a2105e8f1bd3446c900308a5b9741ab0a24cb314207f2260e16afe654f78c4ef682f574b16e654d1e2ce7b7dc32e7f011778ba7b0e8f2a168f88c

Download Submit
\ProgramData\TemplatesTemplates-type2.6.5.2\TemplatesTemplates-type2.6.5.2.exe

Filesize
464.6MB

MD5
df88cb010f79ce7a7559b8f0b242c629

SHA1
ce5bf03204927524a74492ea9d5ca4a6698295db

SHA256
602db9ed13cac7a85aa9203a1bafdc41780cc5c6be905e293a04483867063788

SHA512
e5a929837ea3f525c9179ff098ae8dcaeb944e3c3ce654e014a8bb882cd45305f641ecefe0bf6bab92b5221b6ba8f6afc958d4ff16d7bd46a311c1951e678159

Download Submit
\ProgramData\TemplatesTemplates-type2.6.5.2\TemplatesTemplates-type2.6.5.2.exe

Filesize
496.6MB

MD5
730218f6d53577dd6ec63019f35e97bd

SHA1
1c2a8ca2d344bea974c354915ba731defb8e09ed

SHA256
130a6b957e6096ee96ffa78f37282b40bc48036646a418cceb8f3e3eceabc502

SHA512
954a8dbff097ac4ef6bb032cbcd5afcc8c09ccd47553af27408b7d0c22ddd788f4b26977eea0390b3991f2e1ed1e7573e5cd165b368275a4e1f710d1a9802581

Download Submit
memory/1072-66-0x0000000000400000-0x000000000088C000-memory.dmp

Filesize
4.5MB

Download
memory/1072-75-0x0000000002B20000-0x0000000002B60000-memory.dmp

Filesize
256KB

Download
memory/1072-76-0x0000000002B20000-0x0000000002B60000-memory.dmp

Filesize
256KB

Download
memory/1072-77-0x0000000002B20000-0x0000000002B60000-memory.dmp

Filesize
256KB

Download
memory/1072-78-0x0000000002B20000-0x0000000002B60000-memory.dmp

Filesize
256KB

Download
memory/1072-74-0x0000000000400000-0x000000000088C000-memory.dmp

Filesize
4.5MB

Download
memory/1072-73-0x0000000000400000-0x000000000088C000-memory.dmp

Filesize
4.5MB

Download
memory/1072-67-0x0000000000400000-0x000000000088C000-memory.dmp

Filesize
4.5MB

Download
memory/1960-55-0x0000000000400000-0x00000000008A3000-memory.dmp

Filesize
4.6MB

Download
memory/1960-64-0x0000000000400000-0x00000000008A3000-memory.dmp

Filesize
4.6MB

Download
memory/1960-63-0x0000000000400000-0x00000000008A3000-memory.dmp

Filesize
4.6MB

Download
memory/1960-61-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1960-56-0x0000000000400000-0x00000000008A3000-memory.dmp

Filesize
4.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads