Analysis
  max time kernel:   123s
  max time network:  144s
  platform:          windows7_x64
  resource:          win7-en-20211104
  submitted:         05-12-2021 01:02
Static task:      static1
Behavioral task:  behavioral1
  Sample:   ?? ?? ?????????doc.com.exe
  Resource: win7-en-20211104
Behavioral task:  behavioral2
  Sample:   ?? ?? ?????????doc.com.exe
  Resource: win10-en-20211014
General
  Target: ?? ?? ?????????doc.com.exe
  Size:   848KB
  MD5:    06559a48b54cc741ec37f24c437cd199
  SHA1:   daa15a2ed47960179c9611ba84520bc5f8002873
  SHA256: 2b7062e20c674dd25059533ecfbb5a66ab3ecda2e01c30e8c9a81cc4290b8f11
  SHA512: 8d8325f6e9b29201861a28eaf6fe26f3013bf2b64be514e1b5dc329c986a41abe7a4fc5210e7c5b5e8f0dffc0521bd1d005b7260ec6ed699bb407b66d6ae66df
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  PID   Process
  284   lsassa.exe
  1484  lsassa.exe

YARA rule match: upx (3 IoCs)
  Resource                                                                      Rule
  behavioral1/memory/1484-59-0x0000000000400000-0x0000000000534000-memory.dmp  upx
  behavioral1/memory/1484-62-0x0000000000400000-0x0000000000534000-memory.dmp  upx
  behavioral1/memory/1484-69-0x0000000000400000-0x0000000000534000-memory.dmp  upx
  Note: the signature title did not survive extraction; only the rule column (upx) is shown. All three hits are the same 0x400000-0x534000 region of PID 1484, captured at three different moments of the run, so the executable image that ends up in the child carries UPX markers.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run  [__ __ _________doc.com.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\googleÉý¼¶ = "C:\\Users\\Admin\\Documents\\lsassa.exe"  [__ __ _________doc.com.exe]
  Note: this is the machine-wide (HKLM) Run key, reached through Wow6432Node because the sample is a 32-bit process on 64-bit Windows; writing it needs administrative rights, which the sandbox's Admin account has, so on a non-admin victim this persistence would fail. The value name googleÉý¼¶ is the GBK string for 升级 ("upgrade") stored through the ANSI registry API on an English (code page 1252) system; on a Chinese-locale host the same bytes display as google升级. A detection keyed on the value name should match both forms, or key on the image path instead.
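A check a responder can run over a registry export, added here as an example and not part of the sandbox report. It parses a small .reg-style text constructed inline (the report's Run entry plus two made-up benign entries, VBoxTray and OneDrive, for contrast), flags autorun values whose image lives in a user-writable directory, and shows how the value name googleÉý¼¶ is recovered as google升级 by re-encoding it with code page 1252 and decoding the bytes as GBK. The directory list in USER_WRITABLE is an assumption of this example, not something the report states.

```python
import re
from dataclasses import dataclass

# Constructed sample: the Run entry from this report plus two made-up benign
# entries (VBoxTray, OneDrive) so the filter has something to let through.
SAMPLE_REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"googleÉý¼¶"="C:\\Users\\Admin\\Documents\\lsassa.exe"
"VBoxTray"="C:\\Windows\\system32\\VBoxTray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
'''

# Assumed list of locations a standard user can write to. A machine-wide
# autorun that points here is worth a look: installers put binaries under
# Program Files or the Windows directory, droppers put them next to the user.
USER_WRITABLE = re.compile(
    r'^[A-Za-z]:\\(Users\\[^\\]+\\(Documents|Desktop|Downloads|AppData)'
    r'|ProgramData|Windows\\Temp)\\',
    re.IGNORECASE)

# .reg value lines look like "name"="data"; both sides may hold \" and \\ escapes.
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


@dataclass
class RunEntry:
    key: str
    name: str
    command: str
    image: str


def image_path(command):
    """Return the executable part of a command line (quoted or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(' ', 1)[0]


def parse_reg_export(text):
    """Collect the values of every ...\\Run key in a .reg-style export."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        if key is None or not key.endswith('\\Run'):
            continue
        m = VALUE_LINE.match(line)
        if not m:
            continue
        name = m.group(1)
        # undo the .reg escaping: \\ -> \ and \" -> "
        command = m.group(2).replace('\\\\', '\\').replace('\\"', '"')
        entries.append(RunEntry(key, name, command, image_path(command)))
    return entries


def suspicious_run_entries(text):
    """Autorun entries whose image sits in a user-writable directory."""
    return [e for e in parse_reg_export(text) if USER_WRITABLE.match(e.image)]


def decode_mojibake_name(name, shown_as='cp1252', written_as='gbk'):
    """Recover a value name that an ANSI registry call stored on the wrong
    code page. The sample wrote GBK bytes on an English system, so the
    registry holds googleÉý¼¶; the same bytes read as GBK give google升级.
    Names that are not mojibake come back unchanged."""
    try:
        return name.encode(shown_as).decode(written_as)
    except UnicodeError:
        return name
```

Run it over `reg export HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run run.reg` output from a suspect host; only the lsassa.exe entry is flagged because it alone points into a user profile, and decode_mojibake_name gives the operator-facing name to search for in Chinese-locale telemetry.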
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only)  \??\J: \??\L: \??\R: \??\S: \??\V: \??\Z: \??\G: \??\I: \??\N: \??\T: \??\U: \??\X: \??\E: \??\Q: \??\Y: \??\O: \??\F: \??\H: \??\K: \??\M: \??\P: \??\W: \??\B:  [lsassa.exe]
  Note: every drive letter except A:, C: and D: is opened, in the order shown, by the hollowed child (PID 1484 in the process tree below); the report does not record which opens succeeded.
Drops file in System32 directory (1 IoC)
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  [lsassa.exe]
  Note: counters.dat in a Temporary Internet Files folder is a WinINet bookkeeping file, not a payload. Its location under the system profile, together with the HKEY_USERS\.DEFAULT Internet Settings writes below, indicates the process initialised WinINet against the default profile rather than the Admin user's.
Suspicious use of SetThreadContext (1 IoC)
  PID 284 set thread context of 1484  [lsassa.exe -> lsassa.exe]
  Note: the same parent wrote into 1484's memory six times beforehand (see "Suspicious use of WriteProcessMemory"), and the 0x400000-0x534000 image later dumped from 1484 carries UPX markers. Writing into a freshly started copy of yourself and then redirecting its thread is the process-hollowing sequence; the code that actually runs lives in the child (1484), which is where the drive enumeration, registry and token activity below is attributed.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  [lsassa.exe]
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  [lsassa.exe]
  Note: only ~MHz is read, not ProcessorNameString or the vendor string, which is as consistent with a host-information report for an operator as with sandbox detection; on its own this is weak evidence of evasion.
Modifies data under HKEY_USERS (12 IoCs)
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum  [lsassa.exe]
  Key created       \REGISTRY\USER\.DEFAULT\Software  [lsassa.exe]
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings  [lsassa.exe]
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  [lsassa.exe]
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  [lsassa.exe]
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections  [lsassa.exe]
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  [lsassa.exe]
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"  [lsassa.exe]
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft  [lsassa.exe]
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie  [lsassa.exe]
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum  [lsassa.exe]
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7"  [lsassa.exe]
  Note: two groups of side effects. The Internet Settings writes are WinINet initialising its proxy state: both connection-settings blobs begin 46 00 00 00 (structure version 0x46), 02 00 00 00 (change counter) and 09 00 00 00 (flags 0x01 direct + 0x08 auto-detect), which are the Windows defaults, and ProxyEnable is 0, so this is library behaviour rather than a proxy hijack. ActiveMovie\devenum\Version is written by the DirectShow device enumerator (devenum) when capture devices are enumerated, which is what a webcam or microphone capability looks like at the registry level.
Suspicious behavior: EnumeratesProcesses (37 IoCs)
  PID 1648  __ __ _________doc.com.exe  (4 of the 37 hits)
  PID 1484  lsassa.exe                  (33 of the 37 hits)
Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Token: SeDebugPrivilege            PID 1648  [__ __ _________doc.com.exe]
  Token: 33                          PID 1484  [lsassa.exe]
  Token: SeIncBasePriorityPrivilege  PID 1484  [lsassa.exe]
  Token: 33                          PID 1484  [lsassa.exe]
  Token: SeIncBasePriorityPrivilege  PID 1484  [lsassa.exe]
  Note: the sandbox prints privilege 33 by LUID; in winnt.h that is SE_INC_WORKING_SET_PRIVILEGE (SeIncreaseWorkingSetPrivilege), which with SeIncBasePriorityPrivilege is what a process enables before changing its own priority or working-set size. The notable entry is the dropper (1648) enabling SeDebugPrivilege: that is required to open processes it does not own, and nothing else in the report accounts for a "document" needing it.
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 1648  [__ __ _________doc.com.exe]
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 284 wrote to memory of 1484  [lsassa.exe -> lsassa.exe]  (6 times)
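Detection logic that turns the signature tables above into a verdict, added here as an example and not part of the sandbox report. The event list is constructed from what the report shows (the three-process chain, PID 284 writing into PID 1484 six times and then setting its thread context, PID 1484 opening 23 drive roots); the rule is generic: a parent that writes into a child and afterwards resets a thread context in that child is a hollowing candidate, and a process that opens many drive roots is flagged as a drive enumerator. Field names and thresholds are this example's choices.

```python
import re
from collections import defaultdict

# Constructed from this report's signature tables. "target" is the parent PID
# for process_create, the victim PID for memory events and the path for file
# events.
EVENTS = (
    [{"event": "process_create", "pid": 1648, "target": None,
      "image": "__ __ _________doc.com.exe"},
     {"event": "process_create", "pid": 284, "target": 1648, "image": "lsassa.exe"},
     {"event": "process_create", "pid": 1484, "target": 284, "image": "lsassa.exe"}]
    + [{"event": "write_process_memory", "pid": 284, "target": 1484,
        "image": "lsassa.exe"}] * 6
    + [{"event": "set_thread_context", "pid": 284, "target": 1484,
        "image": "lsassa.exe"}]
    + [{"event": "file_open", "pid": 1484, "target": f"\\??\\{letter}:",
        "image": "lsassa.exe"} for letter in "JLRSVZGINTUXEQYOFHKMPWB"]
)

DRIVE_ROOT = re.compile(r"^\\\?\?\\([A-Z]):$")


def find_hollowing_candidates(events, min_writes=1):
    """(parent, child, writes) for every child whose thread context a parent
    reset after having written into it. Order matters: WriteProcessMemory
    then SetThreadContext is the RunPE/hollowing sequence; a debugger that
    only sets context, or a writer that never redirects a thread, is not it."""
    writes = defaultdict(int)
    hits = []
    for ev in events:
        key = (ev["pid"], ev["target"])
        if ev["event"] == "write_process_memory":
            writes[key] += 1
        elif ev["event"] == "set_thread_context" and writes[key] >= min_writes:
            hits.append({"parent": ev["pid"], "child": ev["target"],
                         "writes": writes[key]})
    return hits


def annotate_lineage(events, hits):
    """Add whether the child was created by the parent and runs the same
    image, the 'hollow a copy of yourself' shape seen in this report."""
    created = {ev["pid"]: ev for ev in events if ev["event"] == "process_create"}
    out = []
    for h in hits:
        child = created.get(h["child"], {})
        parent = created.get(h["parent"], {})
        out.append(dict(h,
                        is_own_child=child.get("target") == h["parent"],
                        same_image=child.get("image") == parent.get("image")))
    return out


def drive_enumerators(events, threshold=5):
    """PIDs that open at least `threshold` distinct drive roots, with the
    letters they touched and the ones they skipped."""
    roots = defaultdict(set)
    for ev in events:
        if ev["event"] != "file_open":
            continue
        m = DRIVE_ROOT.match(ev["target"])
        if m:
            roots[ev["pid"]].add(m.group(1))
    result = {}
    for pid, letters in roots.items():
        if len(letters) >= threshold:
            skipped = sorted(set("ABCDEFGHIJKLMNOPQRSTUVWXYZ") - letters)
            result[pid] = {"opened": sorted(letters), "skipped": skipped}
    return result
```

Feeding the same functions a Sysmon or EDR event stream needs only the field mapping changed; the ordering check is what keeps debuggers and crash handlers out of the hollowing result.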
Processes (PIDs taken from the signature tables above)
  C:\Users\Admin\AppData\Local\Temp\__ __ _________doc.com.exe  (PID 1648)
    command line: "C:\Users\Admin\AppData\Local\Temp\__ __ _________doc.com.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\Documents\lsassa.exe  (PID 284)
      command line: "C:\Users\Admin\Documents\lsassa.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\Documents\lsassa.exe  (PID 1484, command line unquoted)
        command line: C:\Users\Admin\Documents\lsassa.exe
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in System32 directory
        - Checks processor information in registry
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

Dropped files
  C:\Users\Admin\Documents\lsassa.exe  (listed twice in the report, with identical hashes)
    MD5     9a407574432270a19ec46ddf1c6dbe5d
    SHA1    e38e2827a57dc2ebd37acb6a62aa11c46f242ef5
    SHA256  f911f21b819fe3de51f8f880abb7a7a921e38fdf5618462f8a5ff2feca2f4800
    SHA512  6401f5386a0b944e606fa1fd194a5f22bc83b102abdb04324be5a7a5fed7161a7a8a8fb90306a556c6922200f5558a3434cf72fecdecc5eae156db667059f5c6
  C:\Users\Admin\Documents\md5.png
    MD5     047bbdd42c244b7aa2c15d48fff96a29
    SHA1    e658b8abebb77ee1d8d3458f314a226d56d0f9b8
    SHA256  f9cfa36f4bde6457ea5138f4ded1ba18d05e31950c3de119e25e540c3dc5efcf
    SHA512  e37e64d5ef56799b3982e7dcb6c18270d9301859afa8b4ecf6a48d399168b061f0ab99b84cbb77e0b50dfc93802595f052202447d4a971afb56a3296c70fc8c5
  Note: the dropped lsassa.exe hashes differ from the submitted sample's, so the dropper writes an embedded second executable rather than a copy of itself; the name imitates lsass.exe and the path matches the Run key value above. md5.png is dropped into the same folder; the report gives no indication of its content, so hash it and inspect it before assuming it is an image.
Memory dumps (behavioral1; sizes as printed by the report)
  memory/1648-55-0x0000000075491000-0x0000000075493000-memory.dmp  8KB
  memory/1484-58-0x0000000000400000-0x0000000000534000-memory.dmp  1.2MB
  memory/1484-59-0x0000000000400000-0x0000000000534000-memory.dmp  1.2MB
  memory/1484-60-0x0000000000530D30-mapping.dmp                    (single address; no size given)
  memory/1484-62-0x0000000000400000-0x0000000000534000-memory.dmp  1.2MB
  memory/1484-64-0x0000000010001000-0x0000000010096000-memory.dmp  596KB
  memory/1484-65-0x0000000010096000-0x0000000010099000-memory.dmp  12KB
  memory/1484-66-0x0000000010099000-0x00000000100B4000-memory.dmp  108KB
  memory/1484-67-0x00000000100B4000-0x00000000100F6000-memory.dmp  264KB
  memory/1484-68-0x0000000010183000-0x0000000010187000-memory.dmp  16KB
  memory/1484-69-0x0000000000400000-0x0000000000534000-memory.dmp  1.2MB
  Note: the 0x400000-0x534000 region of PID 1484 (the executable image, 0x134000 bytes) was dumped four times (58, 59, 62, 69), at four different moments of the run; dump 60 records a single address, 0x530D30, inside that image at offset 0x130D30 from the base, consistent with the instruction pointer the parent set with SetThreadContext, and an entry point that close to the end of an image is where a UPX stub sits. Dumps 64 to 67 are contiguous (0x10001000-0x100F6000) and, with 68, lie at 0x10000000, the default base of 32-bit DLLs that have not been rebased, so they are sections of one module mapped in 1484. The 8KB dump from the dropper (1648) is a small region in a high, shared-library range.
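A small parser for the dump names in this report, added here as an example and not part of the sandbox report. The list is copied from the Downloads section; the code recomputes each region's size from its addresses and checks it against what the page prints, locates the mapping dump's address inside the dumped image, and merges adjacent regions so the sections of one module show up as a single span. The name grammar (pid-index-start-end-memory.dmp and pid-index-address-mapping.dmp) is inferred from the names themselves.

```python
import re

# Copied from this report's Downloads list: dump name -> size as printed
# (the mapping dump has no size on the page).
REPORTED = {
    "memory/1484-62-0x0000000000400000-0x0000000000534000-memory.dmp": "1.2MB",
    "memory/1484-59-0x0000000000400000-0x0000000000534000-memory.dmp": "1.2MB",
    "memory/1484-60-0x0000000000530D30-mapping.dmp": None,
    "memory/1484-58-0x0000000000400000-0x0000000000534000-memory.dmp": "1.2MB",
    "memory/1484-65-0x0000000010096000-0x0000000010099000-memory.dmp": "12KB",
    "memory/1484-64-0x0000000010001000-0x0000000010096000-memory.dmp": "596KB",
    "memory/1484-66-0x0000000010099000-0x00000000100B4000-memory.dmp": "108KB",
    "memory/1484-67-0x00000000100B4000-0x00000000100F6000-memory.dmp": "264KB",
    "memory/1484-68-0x0000000010183000-0x0000000010187000-memory.dmp": "16KB",
    "memory/1484-69-0x0000000000400000-0x0000000000534000-memory.dmp": "1.2MB",
    "memory/1648-55-0x0000000075491000-0x0000000075493000-memory.dmp": "8KB",
}

# <pid>-<index>-0x<start>[-0x<end>]-(memory|mapping).dmp, inferred from the names
DUMP_NAME = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(memory|mapping)\.dmp$")


def parse_dump(name):
    """Split a dump name into pid, index, start, end (None for a mapping
    dump, which records a single address) and kind."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, idx, start, end, kind = m.groups()
    start = int(start, 16)
    end = int(end, 16) if end else None
    return {"name": name, "pid": int(pid), "index": int(idx), "kind": kind,
            "start": start, "end": end,
            "size": (end - start) if end is not None else 0}


def human_size(n):
    """Format the way the report does: whole KB under 1 MB, one decimal above."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    return f"{n // 1024}KB"


def check_reported_sizes(reported):
    """Recompute every region size and return the names whose printed size
    disagrees with the addresses (an empty list means the table is consistent)."""
    bad = []
    for name, shown in reported.items():
        d = parse_dump(name)
        if d["kind"] == "memory" and human_size(d["size"]) != shown:
            bad.append(name)
    return bad


def regions_containing(dumps, addr):
    """Indices of region dumps that contain addr; used to place the mapping
    dump's address inside the dumped image."""
    return sorted(d["index"] for d in dumps
                  if d["kind"] == "memory" and d["start"] <= addr < d["end"])


def merge_contiguous(dumps, pid):
    """Collapse a PID's region dumps into maximal runs of adjacent pages, so
    sections dumped one by one show up as the single module they came from."""
    spans = sorted({(d["start"], d["end"]) for d in dumps
                    if d["pid"] == pid and d["kind"] == "memory"})
    merged = []
    for start, end in spans:
        if merged and start == merged[-1][1]:
            merged[-1] = (merged[-1][0], end)
        else:
            merged.append((start, end))
    return merged
```

Merging is deliberately strict (next start must equal previous end) so that the gap between 0x100F6000 and 0x10183000 is preserved; whether that gap belongs to the same module is something to settle from the dump headers, not from addresses alone.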