473205055776d3c4a9526ce7be852cbfbeffe9fd0a9c127011f869b571df6318

General

Target

473205055776d3c4a9526ce7be852cbfbeffe9fd0a9c127011f869b571df6318.exe
Size

4.6MB
MD5

b5c320b3d2f4c382b97ccf8c36fda08d
SHA1

14f74a9160dccefd94a41c95425a709092236dbf
SHA256

473205055776d3c4a9526ce7be852cbfbeffe9fd0a9c127011f869b571df6318
SHA512

e7acb8917eaf709aea7a23728660cc653ee96f4375fdf2130a42916bd1157cc7d13ea8870b66f889eb0c2885c313b99877ddac3edc7cc63f5c3ec355df2af7b7
SSDEEP

98304:kFRP61hlce+gu3O+UHKZc+sRZvojwn6MTSrJ:kFRPQzceZHOc3RxAwZGV

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2252	regid.1991-06.com.microsoftAdobe-type9.7.5.1.exe
4584	regid.1991-06.com.microsoftAdobe-type9.7.5.1.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1220	icacls.exe
2640	icacls.exe
4236	icacls.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4124 set thread context of 2496	4124	473205055776d3c4a9526ce7be852cbfbeffe9fd0a9c127011f869b571df6318.exe	67

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4380	schtasks.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4124 wrote to memory of 2496	4124	473205055776d3c4a9526ce7be852cbfbeffe9fd0a9c127011f869b571df6318.exe	67
PID 4124 wrote to memory of 2496	4124	473205055776d3c4a9526ce7be852cbfbeffe9fd0a9c127011f869b571df6318.exe	67
PID 4124 wrote to memory of 2496	4124	473205055776d3c4a9526ce7be852cbfbeffe9fd0a9c127011f869b571df6318.exe	67
PID 4124 wrote to memory of 2496	4124	473205055776d3c4a9526ce7be852cbfbeffe9fd0a9c127011f869b571df6318.exe	67
PID 4124 wrote to memory of 2496	4124	473205055776d3c4a9526ce7be852cbfbeffe9fd0a9c127011f869b571df6318.exe	67
PID 2496 wrote to memory of 1220	2496	AppLaunch.exe	68
PID 2496 wrote to memory of 1220	2496	AppLaunch.exe	68
PID 2496 wrote to memory of 1220	2496	AppLaunch.exe	68
PID 2496 wrote to memory of 2640	2496	AppLaunch.exe	70
PID 2496 wrote to memory of 2640	2496	AppLaunch.exe	70
PID 2496 wrote to memory of 2640	2496	AppLaunch.exe	70
PID 2496 wrote to memory of 4236	2496	AppLaunch.exe	72
PID 2496 wrote to memory of 4236	2496	AppLaunch.exe	72
PID 2496 wrote to memory of 4236	2496	AppLaunch.exe	72
PID 2496 wrote to memory of 4380	2496	AppLaunch.exe	74
PID 2496 wrote to memory of 4380	2496	AppLaunch.exe	74
PID 2496 wrote to memory of 4380	2496	AppLaunch.exe	74
PID 2496 wrote to memory of 2252	2496	AppLaunch.exe	76
PID 2496 wrote to memory of 2252	2496	AppLaunch.exe	76

C:\Users\Admin\AppData\Local\Temp\473205055776d3c4a9526ce7be852cbfbeffe9fd0a9c127011f869b571df6318.exe
"C:\Users\Admin\AppData\Local\Temp\473205055776d3c4a9526ce7be852cbfbeffe9fd0a9c127011f869b571df6318.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\regid.1991-06.com.microsoftAdobe-type9.7.5.1" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:1220
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\regid.1991-06.com.microsoftAdobe-type9.7.5.1" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:2640
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\regid.1991-06.com.microsoftAdobe-type9.7.5.1" /inheritance:e /deny "admin:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:4236
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /CREATE /TN "regid.1991-06.com.microsoftAdobe-type9.7.5.1\regid.1991-06.com.microsoftAdobe-type9.7.5.1" /TR "C:\ProgramData\regid.1991-06.com.microsoftAdobe-type9.7.5.1\regid.1991-06.com.microsoftAdobe-type9.7.5.1.exe" /SC MINUTE
    3⤵
    - Creates scheduled task(s)
    PID:4380
- - C:\ProgramData\regid.1991-06.com.microsoftAdobe-type9.7.5.1\regid.1991-06.com.microsoftAdobe-type9.7.5.1.exe
    "C:\ProgramData\regid.1991-06.com.microsoftAdobe-type9.7.5.1\regid.1991-06.com.microsoftAdobe-type9.7.5.1.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Executes dropped EXE
    PID:2252

C:\ProgramData\regid.1991-06.com.microsoftAdobe-type9.7.5.1\regid.1991-06.com.microsoftAdobe-type9.7.5.1.exe
C:\ProgramData\regid.1991-06.com.microsoftAdobe-type9.7.5.1\regid.1991-06.com.microsoftAdobe-type9.7.5.1.exe
1⤵
- Executes dropped EXE
PID:4584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\regid.1991-06.com.microsoftAdobe-type9.7.5.1\regid.1991-06.com.microsoftAdobe-type9.7.5.1.exe

Filesize
802.3MB

MD5
9c25aa640f602f9b5fe7fa3f8ffbe4e6

SHA1
2103885f81fe7b74bf7d827eea8292138878e506

SHA256
248e8ed567dbf782623c26ad4f299c1998469fc80505efdb0dd31251dafa53a7

SHA512
a443397d7c73b1c4c2bd6f571319d0b42bb3f06ac22acd98fd5b4bd27c91e9f58709aa3a85629b2da502b5b4c9a9d16a9d378bff00879f2c300437e0955ca35f

Download Submit
C:\ProgramData\regid.1991-06.com.microsoftAdobe-type9.7.5.1\regid.1991-06.com.microsoftAdobe-type9.7.5.1.exe

Filesize
802.3MB

MD5
9c25aa640f602f9b5fe7fa3f8ffbe4e6

SHA1
2103885f81fe7b74bf7d827eea8292138878e506

SHA256
248e8ed567dbf782623c26ad4f299c1998469fc80505efdb0dd31251dafa53a7

SHA512
a443397d7c73b1c4c2bd6f571319d0b42bb3f06ac22acd98fd5b4bd27c91e9f58709aa3a85629b2da502b5b4c9a9d16a9d378bff00879f2c300437e0955ca35f

Download Submit
C:\ProgramData\regid.1991-06.com.microsoftAdobe-type9.7.5.1\regid.1991-06.com.microsoftAdobe-type9.7.5.1.exe

Filesize
802.3MB

MD5
9c25aa640f602f9b5fe7fa3f8ffbe4e6

SHA1
2103885f81fe7b74bf7d827eea8292138878e506

SHA256
248e8ed567dbf782623c26ad4f299c1998469fc80505efdb0dd31251dafa53a7

SHA512
a443397d7c73b1c4c2bd6f571319d0b42bb3f06ac22acd98fd5b4bd27c91e9f58709aa3a85629b2da502b5b4c9a9d16a9d378bff00879f2c300437e0955ca35f

Download Submit
memory/2496-120-0x0000000004720000-0x0000000004BAC000-memory.dmp

Filesize
4.5MB

Download
memory/2496-127-0x00000000094D0000-0x00000000099CE000-memory.dmp

Filesize
5.0MB

Download
memory/2496-128-0x0000000009070000-0x0000000009102000-memory.dmp

Filesize
584KB

Download
memory/2496-129-0x0000000009030000-0x000000000903A000-memory.dmp

Filesize
40KB

Download
memory/2496-130-0x0000000009200000-0x0000000009210000-memory.dmp

Filesize
64KB

Download
memory/2496-131-0x0000000009200000-0x0000000009210000-memory.dmp

Filesize
64KB

Download
memory/2496-132-0x0000000009200000-0x0000000009210000-memory.dmp

Filesize
64KB

Download
memory/2496-133-0x0000000009200000-0x0000000009210000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads