Overview

overview

7

Static

static

1

winprofile

windows7-x64

7

winprofile

windows10-1703-x64

7

Analysis

  • max time kernel
    56s
  • max time network
    177s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    15/03/2023, 05:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e25a1050eba1d2800e12178ec056082cb84e4825dfab58c3a44a173b6f9c1792.exe

  • Size

    4.7MB

  • MD5

    e51f56cff8d20eabff2f5097e89617f0

  • SHA1

    bb44250f7c7b658e0b004d1a50e8311401047f74

  • SHA256

    e25a1050eba1d2800e12178ec056082cb84e4825dfab58c3a44a173b6f9c1792

  • SHA512

    a8db7f2e6ded80f4052d91083ff3ba5bb26af14cea16378cb840924792be42628b1770f0c977530383c8929c5fadb47c40a557012fb2aeeae53384f8c50ea7b3

  • SSDEEP

    98304:XrNDnifgPgjhcObmRCevTu6QDiU98WJONhZ9gsb0jJu/2vJYL4oo2:XFBMuOCTpDLaqiRYLv

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
    discovery
  • Suspicious use of SetThreadContext 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e25a1050eba1d2800e12178ec056082cb84e4825dfab58c3a44a173b6f9c1792.exe
    "C:\Users\Admin\AppData\Local\Temp\e25a1050eba1d2800e12178ec056082cb84e4825dfab58c3a44a173b6f9c1792.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1608
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1420
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3212
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\ProgramData\MicrosoftTemplates-type3.7.0.7" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
          4⤵
          • Modifies file permissions
          PID:4776
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\ProgramData\MicrosoftTemplates-type3.7.0.7" /inheritance:e /deny "admin:(R,REA,RA,RD)"
          4⤵
          • Modifies file permissions
          PID:3068
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\ProgramData\MicrosoftTemplates-type3.7.0.7" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
          4⤵
          • Modifies file permissions
          PID:4784
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /CREATE /TN "MicrosoftTemplates-type3.7.0.7\MicrosoftTemplates-type3.7.0.7" /TR "C:\ProgramData\MicrosoftTemplates-type3.7.0.7\MicrosoftTemplates-type3.7.0.7.exe" /SC MINUTE
          4⤵
          • Creates scheduled task(s)
          PID:4604
        • C:\ProgramData\MicrosoftTemplates-type3.7.0.7\MicrosoftTemplates-type3.7.0.7.exe
          "C:\ProgramData\MicrosoftTemplates-type3.7.0.7\MicrosoftTemplates-type3.7.0.7.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          • Executes dropped EXE
          PID:4848
  • C:\ProgramData\MicrosoftTemplates-type3.7.0.7\MicrosoftTemplates-type3.7.0.7.exe
    C:\ProgramData\MicrosoftTemplates-type3.7.0.7\MicrosoftTemplates-type3.7.0.7.exe
    1⤵
    • Executes dropped EXE
    PID:4432

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\MicrosoftTemplates-type3.7.0.7\MicrosoftTemplates-type3.7.0.7.exe
    Filesize

    669.9MB

    MD5

    d058ea6fc59fe839c33efa809feea861

    SHA1

    5f7b3bd5e26a9fe89601a868a83b7a274060e78f

    SHA256

    5cee2821d2150b6d92ffacbd3d7884ccaef2a93d5fe26ebe706d546789d53301

    SHA512

    26b2c48f4c1e314c1f579d7d4c853bd6864a97e0d9fee97be46780702ff9762bba084d90260a646b2a0f1c2f243ec419628b2523322d764dea335e11f9188320

    Download Submit

  • C:\ProgramData\MicrosoftTemplates-type3.7.0.7\MicrosoftTemplates-type3.7.0.7.exe
    Filesize

    652.1MB

    MD5

    e592fbf19e4eac4df09dd4d549ee120b

    SHA1

    55c0b5a16d1954bf924920b89fbd911bf2bc8f2c

    SHA256

    c3e4ac9ba5ea23e7ce32ec89559a553a8e95d8aec22df04e2556d5c471d1e9c9

    SHA512

    42f4b1e96f026db39b00ba298161e0e03eb027a025f6e524188d9ab03ab5391e3739f1056485c9cdb431fec66835bb4ddd2d2768b686847e38116c4031dea84a

    Download Submit

  • C:\ProgramData\MicrosoftTemplates-type3.7.0.7\MicrosoftTemplates-type3.7.0.7.exe
    Filesize

    427.8MB

    MD5

    5bffdefc3c68c781cab44a5104e68fa5

    SHA1

    eb94d05c9264b3e637409138045443583ab4ae8d

    SHA256

    45c6c959a95f828dbd25c6dc0580511785bf13814c8fa2042ebd1f934d5b503d

    SHA512

    904fabf0f00252297873ad9ada979502b0f7684e34f397959edab1bf9e7b940c1fb60b21fd7a41c6b0f64e437ab210fe54fdef40403854c9b18e970d65253592

    Download Submit

  • memory/1420-121-0x0000000000400000-0x00000000008A3000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/1420-129-0x0000000000400000-0x00000000008A3000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/3212-131-0x0000000000530000-0x00000000009BC000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/3212-138-0x0000000009480000-0x000000000997E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/3212-139-0x0000000008EB0000-0x0000000008F42000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3212-140-0x0000000008E60000-0x0000000008E6A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3212-141-0x0000000009040000-0x0000000009050000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3212-142-0x0000000009040000-0x0000000009050000-memory.dmp

    Filesize

    64KB

    Download