a121587e76f7ab2c542262abbb0904500e9924a44fd2fa89cc9406f9e385ac3e

General

Target

kFZL7Q3b.exe
Size

29KB
MD5

05a677cf02b11ca26d30e538dc56001f
SHA1

b82536b603be4f7a9a0231db925129c9efbc777b
SHA256

a121587e76f7ab2c542262abbb0904500e9924a44fd2fa89cc9406f9e385ac3e
SHA512

408d5697ffe5c567d06faf28a0f85419696dc2e23eb528f92464192c234cadb5c3fcd867c8107defe3f5da90e0eee76634b175ce2c1f6b54e5a43cc62017826f

Score

8^/10

evasion

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

lahana.exe

pid process

1236 lahana.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Loads dropped DLL 1 IoCs

Processes:

kFZL7Q3b.exe

pid process

1640 kFZL7Q3b.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1640	kFZL7Q3b.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

lahana.exe

pid	process
1236	lahana.exe
1236	lahana.exe
1236	lahana.exe
1236	lahana.exe
1236	lahana.exe
1236	lahana.exe
1236	lahana.exe
1236	lahana.exe
1236	lahana.exe
1236	lahana.exe
1236	lahana.exe
1236	lahana.exe
1236	lahana.exe
1236	lahana.exe
1236	lahana.exe
1236	lahana.exe
1236	lahana.exe
1236	lahana.exe
1236	lahana.exe
1236	lahana.exe
1236	lahana.exe
1236	lahana.exe
1236	lahana.exe
1236	lahana.exe
1236	lahana.exe
1236	lahana.exe
1236	lahana.exe
1236	lahana.exe
1236	lahana.exe
1236	lahana.exe
1236	lahana.exe
1236	lahana.exe
1236	lahana.exe
1236	lahana.exe
1236	lahana.exe
1236	lahana.exe
1236	lahana.exe
1236	lahana.exe
1236	lahana.exe
1236	lahana.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

lahana.exe

description pid process

Token: SeDebugPrivilege 1236 lahana.exe

description	pid	process
Token: SeDebugPrivilege	1236	lahana.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

kFZL7Q3b.exelahana.exe

description	pid	process	target process
PID 1640 wrote to memory of 1236	1640	kFZL7Q3b.exe	lahana.exe
PID 1640 wrote to memory of 1236	1640	kFZL7Q3b.exe	lahana.exe
PID 1640 wrote to memory of 1236	1640	kFZL7Q3b.exe	lahana.exe
PID 1640 wrote to memory of 1236	1640	kFZL7Q3b.exe	lahana.exe
PID 1236 wrote to memory of 1760	1236	lahana.exe	netsh.exe
PID 1236 wrote to memory of 1760	1236	lahana.exe	netsh.exe
PID 1236 wrote to memory of 1760	1236	lahana.exe	netsh.exe
PID 1236 wrote to memory of 1760	1236	lahana.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\kFZL7Q3b.exe
"C:\Users\Admin\AppData\Local\Temp\kFZL7Q3b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1640

C:\Users\Admin\AppData\Local\Temp\lahana.exe
"C:\Users\Admin\AppData\Local\Temp\lahana.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1236

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\lahana.exe" "lahana.exe" ENABLE
3⤵
PID:1760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lahana.exe
MD5
05a677cf02b11ca26d30e538dc56001f

SHA1
b82536b603be4f7a9a0231db925129c9efbc777b

SHA256
a121587e76f7ab2c542262abbb0904500e9924a44fd2fa89cc9406f9e385ac3e

SHA512
408d5697ffe5c567d06faf28a0f85419696dc2e23eb528f92464192c234cadb5c3fcd867c8107defe3f5da90e0eee76634b175ce2c1f6b54e5a43cc62017826f

Download Submit
C:\Users\Admin\AppData\Local\Temp\lahana.exe
MD5
05a677cf02b11ca26d30e538dc56001f

SHA1
b82536b603be4f7a9a0231db925129c9efbc777b

SHA256
a121587e76f7ab2c542262abbb0904500e9924a44fd2fa89cc9406f9e385ac3e

SHA512
408d5697ffe5c567d06faf28a0f85419696dc2e23eb528f92464192c234cadb5c3fcd867c8107defe3f5da90e0eee76634b175ce2c1f6b54e5a43cc62017826f

Download Submit
\Users\Admin\AppData\Local\Temp\lahana.exe
MD5
05a677cf02b11ca26d30e538dc56001f

SHA1
b82536b603be4f7a9a0231db925129c9efbc777b

SHA256
a121587e76f7ab2c542262abbb0904500e9924a44fd2fa89cc9406f9e385ac3e

SHA512
408d5697ffe5c567d06faf28a0f85419696dc2e23eb528f92464192c234cadb5c3fcd867c8107defe3f5da90e0eee76634b175ce2c1f6b54e5a43cc62017826f

Download Submit
memory/1236-61-0x0000000000000000-mapping.dmp

Download
memory/1236-66-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1236-69-0x0000000000321000-0x0000000000322000-memory.dmp

Filesize
4KB

Download
memory/1236-70-0x0000000000326000-0x0000000000337000-memory.dmp

Filesize
68KB

Download
memory/1640-59-0x0000000075631000-0x0000000075633000-memory.dmp

Filesize
8KB

Download
memory/1640-65-0x00000000020E0000-0x00000000020E1000-memory.dmp

Filesize
4KB

Download
memory/1760-67-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing