473205055776d3c4a9526ce7be852cbfbeffe9fd0a9c127011f869b571df6318

Analysis

max time kernel
65s
max time network
36s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
14/03/2023, 04:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

473205055776d3c4a9526ce7be852cbfbeffe9fd0a9c127011f869b571df6318.exe
Size

4.6MB
MD5

b5c320b3d2f4c382b97ccf8c36fda08d
SHA1

14f74a9160dccefd94a41c95425a709092236dbf
SHA256

473205055776d3c4a9526ce7be852cbfbeffe9fd0a9c127011f869b571df6318
SHA512

e7acb8917eaf709aea7a23728660cc653ee96f4375fdf2130a42916bd1157cc7d13ea8870b66f889eb0c2885c313b99877ddac3edc7cc63f5c3ec355df2af7b7
SSDEEP

98304:kFRP61hlce+gu3O+UHKZc+sRZvojwn6MTSrJ:kFRPQzceZHOc3RxAwZGV

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1492	MicrosoftDesktop-type4.5.5.6.exe
2044	MicrosoftDesktop-type4.5.5.6.exe

Loads dropped DLL 4 IoCs

pid	Process
1192	AppLaunch.exe
1192	AppLaunch.exe
1272	taskeng.exe
1272	taskeng.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1868	icacls.exe
576	icacls.exe
1420	icacls.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1992 set thread context of 1192	1992	473205055776d3c4a9526ce7be852cbfbeffe9fd0a9c127011f869b571df6318.exe	29

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
368	schtasks.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 1192	1992	473205055776d3c4a9526ce7be852cbfbeffe9fd0a9c127011f869b571df6318.exe	29
PID 1992 wrote to memory of 1192	1992	473205055776d3c4a9526ce7be852cbfbeffe9fd0a9c127011f869b571df6318.exe	29
PID 1992 wrote to memory of 1192	1992	473205055776d3c4a9526ce7be852cbfbeffe9fd0a9c127011f869b571df6318.exe	29
PID 1992 wrote to memory of 1192	1992	473205055776d3c4a9526ce7be852cbfbeffe9fd0a9c127011f869b571df6318.exe	29
PID 1992 wrote to memory of 1192	1992	473205055776d3c4a9526ce7be852cbfbeffe9fd0a9c127011f869b571df6318.exe	29
PID 1992 wrote to memory of 1192	1992	473205055776d3c4a9526ce7be852cbfbeffe9fd0a9c127011f869b571df6318.exe	29
PID 1992 wrote to memory of 1192	1992	473205055776d3c4a9526ce7be852cbfbeffe9fd0a9c127011f869b571df6318.exe	29
PID 1992 wrote to memory of 1192	1992	473205055776d3c4a9526ce7be852cbfbeffe9fd0a9c127011f869b571df6318.exe	29
PID 1992 wrote to memory of 1192	1992	473205055776d3c4a9526ce7be852cbfbeffe9fd0a9c127011f869b571df6318.exe	29
PID 1192 wrote to memory of 1868	1192	AppLaunch.exe	30
PID 1192 wrote to memory of 1868	1192	AppLaunch.exe	30
PID 1192 wrote to memory of 1868	1192	AppLaunch.exe	30
PID 1192 wrote to memory of 1868	1192	AppLaunch.exe	30
PID 1192 wrote to memory of 1868	1192	AppLaunch.exe	30
PID 1192 wrote to memory of 1868	1192	AppLaunch.exe	30
PID 1192 wrote to memory of 1868	1192	AppLaunch.exe	30
PID 1192 wrote to memory of 576	1192	AppLaunch.exe	31
PID 1192 wrote to memory of 576	1192	AppLaunch.exe	31
PID 1192 wrote to memory of 576	1192	AppLaunch.exe	31
PID 1192 wrote to memory of 576	1192	AppLaunch.exe	31
PID 1192 wrote to memory of 576	1192	AppLaunch.exe	31
PID 1192 wrote to memory of 576	1192	AppLaunch.exe	31
PID 1192 wrote to memory of 576	1192	AppLaunch.exe	31
PID 1192 wrote to memory of 1420	1192	AppLaunch.exe	34
PID 1192 wrote to memory of 1420	1192	AppLaunch.exe	34
PID 1192 wrote to memory of 1420	1192	AppLaunch.exe	34
PID 1192 wrote to memory of 1420	1192	AppLaunch.exe	34
PID 1192 wrote to memory of 1420	1192	AppLaunch.exe	34
PID 1192 wrote to memory of 1420	1192	AppLaunch.exe	34
PID 1192 wrote to memory of 1420	1192	AppLaunch.exe	34
PID 1192 wrote to memory of 368	1192	AppLaunch.exe	36
PID 1192 wrote to memory of 368	1192	AppLaunch.exe	36
PID 1192 wrote to memory of 368	1192	AppLaunch.exe	36
PID 1192 wrote to memory of 368	1192	AppLaunch.exe	36
PID 1192 wrote to memory of 368	1192	AppLaunch.exe	36
PID 1192 wrote to memory of 368	1192	AppLaunch.exe	36
PID 1192 wrote to memory of 368	1192	AppLaunch.exe	36
PID 1192 wrote to memory of 1492	1192	AppLaunch.exe	38
PID 1192 wrote to memory of 1492	1192	AppLaunch.exe	38
PID 1192 wrote to memory of 1492	1192	AppLaunch.exe	38
PID 1192 wrote to memory of 1492	1192	AppLaunch.exe	38
PID 1272 wrote to memory of 2044	1272	taskeng.exe	40
PID 1272 wrote to memory of 2044	1272	taskeng.exe	40
PID 1272 wrote to memory of 2044	1272	taskeng.exe	40

C:\Users\Admin\AppData\Local\Temp\473205055776d3c4a9526ce7be852cbfbeffe9fd0a9c127011f869b571df6318.exe
"C:\Users\Admin\AppData\Local\Temp\473205055776d3c4a9526ce7be852cbfbeffe9fd0a9c127011f869b571df6318.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\MicrosoftDesktop-type4.5.5.6" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:1868
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\MicrosoftDesktop-type4.5.5.6" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:576
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\MicrosoftDesktop-type4.5.5.6" /inheritance:e /deny "admin:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:1420
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /CREATE /TN "MicrosoftDesktop-type4.5.5.6\MicrosoftDesktop-type4.5.5.6" /TR "C:\ProgramData\MicrosoftDesktop-type4.5.5.6\MicrosoftDesktop-type4.5.5.6.exe" /SC MINUTE
    3⤵
    - Creates scheduled task(s)
    PID:368
- - C:\ProgramData\MicrosoftDesktop-type4.5.5.6\MicrosoftDesktop-type4.5.5.6.exe
    "C:\ProgramData\MicrosoftDesktop-type4.5.5.6\MicrosoftDesktop-type4.5.5.6.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Executes dropped EXE
    PID:1492

C:\Windows\system32\taskeng.exe
taskeng.exe {E72CBB75-4C12-433C-B973-E4F9268698F5} S-1-5-21-3499517378-2376672570-1134980332-1000:MLXLFKOI\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1272
- C:\ProgramData\MicrosoftDesktop-type4.5.5.6\MicrosoftDesktop-type4.5.5.6.exe
  C:\ProgramData\MicrosoftDesktop-type4.5.5.6\MicrosoftDesktop-type4.5.5.6.exe
  2⤵
  - Executes dropped EXE
  PID:2044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\MicrosoftDesktop-type4.5.5.6\MicrosoftDesktop-type4.5.5.6.exe

Filesize
573.8MB

MD5
4cbe2d14c8ff4c7c6e39c5196f832b08

SHA1
044885117cee0b00647185b204f56c50bb38f946

SHA256
1a6ded52840c9482ae2109680dc1383c915f4f551bfc7bdf2d99669e6030ee65

SHA512
b73f8e4a99c67b594ecc4f48106ad5899beb0645c37f6550cea7747bc54ddbe2db09564e4d983ca6a1fa65d2fbfac3dbb74df6e8abc9530c99d77b66df4b8b05

Download Submit
C:\ProgramData\MicrosoftDesktop-type4.5.5.6\MicrosoftDesktop-type4.5.5.6.exe

Filesize
540.4MB

MD5
6b1d677c1b3008011627fc8e7d834686

SHA1
fe0038f7cf002c75c2a9c7bd16f69f9f43060c35

SHA256
1c15dbf572675a6626a78a85f07cebdc5e36db3325f1d28d5139c482fa072dbd

SHA512
b9698f42f5c6e4093ca97188a5783ea5e2600c36432b28d3428ddebacc7c6740ce843852ab50768db403aef199144804fe9c6355969ab0ccaa372e59436d2464

Download Submit
C:\ProgramData\MicrosoftDesktop-type4.5.5.6\MicrosoftDesktop-type4.5.5.6.exe

Filesize
538.9MB

MD5
71a6f9ae1c1ea0b7c2141038ba4b096a

SHA1
9266eff5d46e8f077ee590bcfe257ad5d0dfdc17

SHA256
5a664f910572adf10a06ff017ab66183798556dc86cf41e8b84a648acad1d3ee

SHA512
4c93a04197823df4a93c31844ff97fa66f9744c5831672837dab24bec4e62f0b6ae88b94e94ae46956b408b1dfeef6016c500b904b5857dc00d900ab8acc835d

Download Submit
C:\ProgramData\MicrosoftDesktop-type4.5.5.6\MicrosoftDesktop-type4.5.5.6.exe

Filesize
425.8MB

MD5
b069e82e4c2c6aff670ca841f9730cab

SHA1
c6e2a7cea02049f9368012662173603ec6d70464

SHA256
cca5a80a9a96675b769b63e5806a99b69b3b8e9f04d695c03cc0399215017a98

SHA512
1ae9d08f62a64bcf00881c8229e6a57552c1e1716ee36f5bad60d55dd7af5b909b759c7de98d42461852e1d40472c079a024dcd679f1f8725793ed8612043004

Download Submit
\ProgramData\MicrosoftDesktop-type4.5.5.6\MicrosoftDesktop-type4.5.5.6.exe

Filesize
535.0MB

MD5
99dba98bb3fe9173e65ad0796c1088ee

SHA1
d83efe7e9fcb91040838fc09fd296a0b654ab8d6

SHA256
9878b1ba70e5129a80bf2c5e337a2306c5ee2531bf9b599a3ee5d1d0e6200703

SHA512
3922f992dc70a8139e9949452f06693a52ff128298f837247132ae26f65c5e72d45aae4db397a214e6d1bac39e40944f9dca0c1510a452d888c007bb93cae08a

Download Submit
\ProgramData\MicrosoftDesktop-type4.5.5.6\MicrosoftDesktop-type4.5.5.6.exe

Filesize
561.3MB

MD5
6034d25a617567387dab6f7d22eb6640

SHA1
ab8270b923bf5fb023e3bc388d0cd3453b40632a

SHA256
69900efe8d32a65c7e46d25e07043cb619d34e936715b3ac837790cdbba3b7cc

SHA512
a2cb392488bca4c8d48b6dcd149ce0390cd06749396cf78a81990e6cb91633f55b36979170927847b313e6bc8e45c37b1a987ddea91eefd826c6e6d4a7d3576d

Download Submit
\ProgramData\MicrosoftDesktop-type4.5.5.6\MicrosoftDesktop-type4.5.5.6.exe

Filesize
456.2MB

MD5
d9f1801b7c85154d010fe03daa2364ea

SHA1
3184281b7e1eebad3108bb5cc5cfe838e67902d4

SHA256
f7318e26892289c8e82a6be0b1057f70e9e90afbb022a3747e66a73bd7b730c3

SHA512
0d8a9abce68ddc068afde4fe05423aebf78d08d8394268ac98e854397c0cb087f3ab5eda8164c0d49ac355c731031180b118e0d49035ce8d850e3c12cec94b7f

Download Submit
\ProgramData\MicrosoftDesktop-type4.5.5.6\MicrosoftDesktop-type4.5.5.6.exe

Filesize
476.1MB

MD5
8ce541a8f573f382b29e7a0b51dca582

SHA1
e4d1631c041057232e022b05db909ae41a08d4e7

SHA256
d2a1a7d0a6dc98e16dd6b05acdfc1dca5a119b259e7879eccd0047d8faa098a8

SHA512
0462ed8824f1db335d729988dea4c82b45491d693d30a97494207ff780a65d9d0de8f4baa4683e6494fcad738da89894d2320256d651463f560f99a744b9bf26

Download Submit
memory/1192-63-0x0000000000400000-0x000000000088C000-memory.dmp

Filesize
4.5MB

Download
memory/1192-67-0x0000000005100000-0x0000000005140000-memory.dmp

Filesize
256KB

Download
memory/1192-66-0x0000000005100000-0x0000000005140000-memory.dmp

Filesize
256KB

Download
memory/1192-65-0x0000000005100000-0x0000000005140000-memory.dmp

Filesize
256KB

Download
memory/1192-64-0x0000000005100000-0x0000000005140000-memory.dmp

Filesize
256KB

Download
memory/1192-55-0x0000000000400000-0x000000000088C000-memory.dmp

Filesize
4.5MB

Download
memory/1192-62-0x0000000000400000-0x000000000088C000-memory.dmp

Filesize
4.5MB

Download
memory/1192-60-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1192-56-0x0000000000400000-0x000000000088C000-memory.dmp

Filesize
4.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads