2db131a19b56e70ea942cc12d0ce7732c20a27284f1e44c25e7be8b164e6bcfd

Analysis

max time kernel
39s
max time network
103s
platform
windows10_x64
resource
win10v20201028
submitted
14-01-2021 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e000f7c6675b883ccd174048d767cd3d75d61b9a7f56bae0563b2aa7fd26968.exe
Size

960KB
MD5

e6d4229515f9061d7466938755882218
SHA1

f7e99f537877481d8d975b93254002401e8c9359
SHA256

4e000f7c6675b883ccd174048d767cd3d75d61b9a7f56bae0563b2aa7fd26968
SHA512

8235d7dd400c6f38074c8ded1204224271139314aae223f5feebdbc3da06c123eb284827fa6d8035a27104b543db517b96dc6cd34cd143c510f7bf4ff22a0bdf

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

lsass.comlsass.com

pid process

552 lsass.com
1372 lsass.com
Drops startup file 1 IoCs

Processes:

lsass.com

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tBUlzOSowZ.url lsass.com

pid	process
552	lsass.com
1372	lsass.com

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tBUlzOSowZ.url	lsass.com

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4e000f7c6675b883ccd174048d767cd3d75d61b9a7f56bae0563b2aa7fd26968.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	4e000f7c6675b883ccd174048d767cd3d75d61b9a7f56bae0563b2aa7fd26968.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4e000f7c6675b883ccd174048d767cd3d75d61b9a7f56bae0563b2aa7fd26968.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

lsass.com

description pid process target process

PID 1372 set thread context of 2556 1372 lsass.com nslookup.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

192 PING.EXE
2608 PING.EXE

description	pid	process	target process
PID 1372 set thread context of 2556	1372	lsass.com	nslookup.exe

pid	process
192	PING.EXE
2608	PING.EXE

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

4e000f7c6675b883ccd174048d767cd3d75d61b9a7f56bae0563b2aa7fd26968.execmd.execmd.exelsass.comlsass.com

description	pid	process	target process
PID 672 wrote to memory of 3940	672	4e000f7c6675b883ccd174048d767cd3d75d61b9a7f56bae0563b2aa7fd26968.exe	cmd.exe
PID 672 wrote to memory of 3940	672	4e000f7c6675b883ccd174048d767cd3d75d61b9a7f56bae0563b2aa7fd26968.exe	cmd.exe
PID 672 wrote to memory of 3940	672	4e000f7c6675b883ccd174048d767cd3d75d61b9a7f56bae0563b2aa7fd26968.exe	cmd.exe
PID 672 wrote to memory of 1664	672	4e000f7c6675b883ccd174048d767cd3d75d61b9a7f56bae0563b2aa7fd26968.exe	cmd.exe
PID 672 wrote to memory of 1664	672	4e000f7c6675b883ccd174048d767cd3d75d61b9a7f56bae0563b2aa7fd26968.exe	cmd.exe
PID 672 wrote to memory of 1664	672	4e000f7c6675b883ccd174048d767cd3d75d61b9a7f56bae0563b2aa7fd26968.exe	cmd.exe
PID 1664 wrote to memory of 492	1664	cmd.exe	certutil.exe
PID 1664 wrote to memory of 492	1664	cmd.exe	certutil.exe
PID 1664 wrote to memory of 492	1664	cmd.exe	certutil.exe
PID 1664 wrote to memory of 3608	1664	cmd.exe	cmd.exe
PID 1664 wrote to memory of 3608	1664	cmd.exe	cmd.exe
PID 1664 wrote to memory of 3608	1664	cmd.exe	cmd.exe
PID 3608 wrote to memory of 192	3608	cmd.exe	PING.EXE
PID 3608 wrote to memory of 192	3608	cmd.exe	PING.EXE
PID 3608 wrote to memory of 192	3608	cmd.exe	PING.EXE
PID 3608 wrote to memory of 2436	3608	cmd.exe	findstr.exe
PID 3608 wrote to memory of 2436	3608	cmd.exe	findstr.exe
PID 3608 wrote to memory of 2436	3608	cmd.exe	findstr.exe
PID 3608 wrote to memory of 1012	3608	cmd.exe	certutil.exe
PID 3608 wrote to memory of 1012	3608	cmd.exe	certutil.exe
PID 3608 wrote to memory of 1012	3608	cmd.exe	certutil.exe
PID 3608 wrote to memory of 552	3608	cmd.exe	lsass.com
PID 3608 wrote to memory of 552	3608	cmd.exe	lsass.com
PID 3608 wrote to memory of 552	3608	cmd.exe	lsass.com
PID 3608 wrote to memory of 2608	3608	cmd.exe	PING.EXE
PID 3608 wrote to memory of 2608	3608	cmd.exe	PING.EXE
PID 3608 wrote to memory of 2608	3608	cmd.exe	PING.EXE
PID 552 wrote to memory of 1372	552	lsass.com	lsass.com
PID 552 wrote to memory of 1372	552	lsass.com	lsass.com
PID 552 wrote to memory of 1372	552	lsass.com	lsass.com
PID 1372 wrote to memory of 2556	1372	lsass.com	nslookup.exe
PID 1372 wrote to memory of 2556	1372	lsass.com	nslookup.exe
PID 1372 wrote to memory of 2556	1372	lsass.com	nslookup.exe
PID 1372 wrote to memory of 2556	1372	lsass.com	nslookup.exe
PID 1372 wrote to memory of 2556	1372	lsass.com	nslookup.exe

C:\Users\Admin\AppData\Local\Temp\4e000f7c6675b883ccd174048d767cd3d75d61b9a7f56bae0563b2aa7fd26968.exe
"C:\Users\Admin\AppData\Local\Temp\4e000f7c6675b883ccd174048d767cd3d75d61b9a7f56bae0563b2aa7fd26968.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:672

C:\Windows\SysWOW64\cmd.exe
cmd /c lmtcaWth
2⤵
PID:3940

C:\Windows\SysWOW64\cmd.exe
cmd /c certutil -decode 42-03 34-9 & cmd < 34-9
2⤵
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\SysWOW64\certutil.exe
certutil -decode 42-03 34-9
3⤵
PID:492

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:3608

C:\Windows\SysWOW64\PING.EXE
ping -n 1 HtqjBNqxf.HtqjBNqxf
4⤵
- Runs ping.exe
PID:192

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^CCVOzizPTUoekqaUifh$" 9-1
4⤵
PID:2436

C:\Windows\SysWOW64\certutil.exe
certutil -decode 89-53 e
4⤵
PID:1012

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lsass.com
lsass.com e
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lsass.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lsass.com e
5⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1372

C:\Windows\SysWOW64\nslookup.exe
C:\Windows\SysWOW64\nslookup.exe
6⤵
PID:2556

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
4⤵
- Runs ping.exe
PID:2608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\34-9
MD5
50691e97ae9e6ac4837801abefda3825

SHA1
ae7ad550a4cfb71b6ed55da11e599188d59b9c9a

SHA256
107588b53b8a3a3130f334c828dde58ba7ad05cb1cf78f3c240070f12bf3416d

SHA512
d862d19c03c689fb5d4cd9891e77d6bc3aa0d6b3f124c4c0a090a2e0e15d49c94990dde55b383625a35486a4c7844dadd62e73a5ee9d1aa69d874edf1f6177de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\42-03
MD5
5b86346c5a8a96c7accd4355c1ea03ff

SHA1
41ef2172c4db9796e73c59b739122da62190f036

SHA256
13a54b380ecccc6b34804550c1f73b852e56dbdbe6596e4127fbbbf9c99f28b0

SHA512
a6492f8431fd4f150c31860f1688788cafe4843b450b36f4c2e94b45af106f48c853b3d5aa73cd6d843f76403dc3a4106cd97f34e5bf3447fdfe6addf2dd7cf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5-2
MD5
ecfc8457ae5cbf338d3508dccee97242

SHA1
530976c9bd3e564f37640469763a30b5efce3b0c

SHA256
cac3cb83790a8380e8d4faf38d2de2ed6fdfd9d389e165d62d134f8f66fac00c

SHA512
c687973a02a3f327ef2ea5279b9fd88ee4262290b4574859df040ae3a05cc63c92ac87f38e4a1efaa5a8fdd0c00b8d6cb30dd4ad287abc59bea20489d032d7fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\89-53
MD5
b32dbbac3a8f6d1e91fca799d50c1862

SHA1
2626914a646e5e2c21ffd074382ecd9933978572

SHA256
97e71d8aaa6c0fef82c5f86f148e87167c9529c040c443a092d50f454dc4dc75

SHA512
06d53477144d301dc501bbd7cbd9cb96d918f58a598bac1f983337eca965abb7bcb147c03edc1290c35efcaa8c65fbedf81dbed5fc817472bb624f1a72b39dd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\9-1
MD5
05036d83a2ea0eafaf52cd00f2e6d8cb

SHA1
60d2f75932ac957d6467447dd0e55b95f719230d

SHA256
4b3d802abcc9a86fb71f459eee9ee77a1011b417c82ea277a1cfd9cea5f73af8

SHA512
bcad7b8c5d0a61d8b62179ef59f8b3f6c5fb53aab7402ed36252db244d8b0ea219ebc9a911b075fbf2a6232658d386eacc0632e3d01e9bfa0cb469bfaaab983e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e
MD5
27a4e4c135c0ce60dbf64cf6ebf75c91

SHA1
9529ba99654a974dd1e4542cd9cd3ec6cb8385c0

SHA256
d95dfffc52815bd58431a0b467dfd7a7bd647ab683b94371a4383d735ebaf593

SHA512
e23426e1147d53eee2613c7183df0f4cd5700ff20f65e652653375c8dca42044cc29bc27f0e9d7e66cd35fa9232b05f8b1367a67482523c1edd81b05cdc2c63e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lsass.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lsass.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lsass.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
memory/192-8-0x0000000000000000-mapping.dmp

Download
memory/492-4-0x0000000000000000-mapping.dmp

Download
memory/552-13-0x0000000000000000-mapping.dmp

Download
memory/1012-11-0x0000000000000000-mapping.dmp

Download
memory/1372-17-0x0000000000000000-mapping.dmp

Download
memory/1664-3-0x0000000000000000-mapping.dmp

Download
memory/2436-9-0x0000000000000000-mapping.dmp

Download
memory/2556-21-0x0000000000F00000-0x0000000000F07000-memory.dmp

Filesize
28KB

Download
memory/2556-23-0x0000000000F00000-0x0000000000F07000-memory.dmp

Filesize
28KB

Download
memory/2608-15-0x0000000000000000-mapping.dmp

Download
memory/3608-7-0x0000000000000000-mapping.dmp

Download
memory/3940-2-0x0000000000000000-mapping.dmp

Download