Analysis
- max time kernel: 123s
- max time network: 145s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 05-12-2021 01:03

Static task: static1
Behavioral task: behavioral1
  Sample: 宝妈做任务单被骗27万聊天记录曝光.com.exe
  Resource: win7-en-20211104
Behavioral task: behavioral2
  Sample: 宝妈做任务单被骗27万聊天记录曝光.com.exe
  Resource: win10-en-20211104

General
- Target: 宝妈做任务单被骗27万聊天记录曝光.com.exe
- Size: 820KB
- MD5: 11985a5f1baa69c64d43dd67eee3b95f
- SHA1: a579cc38d40fbc39d9d14d4b290cdeec433b0c45
- SHA256: 8f83e16612f5fd5db6d74da7a9de542becd19a52b3916380235c32adbf50ee7e
- SHA512: d40113b6b467d7b3890be76dd34d831e7141171e3253c6d724e9e92b4138dfb93af7bfa336a240e25a333546860dab856b9942c95b4fbfd8ca55dd79696ba2ce
Malware Config

Signatures

- Executes dropped EXE (2 IoCs)
  Processes:
    pid  | process
    1400 | lsassa.exe
    1384 | lsassa.exe

- (YARA matches)
  Processes:
    resource                                                                      | yara_rule
    behavioral1/memory/1384-61-0x0000000000400000-0x0000000000534000-memory.dmp | upx
    behavioral1/memory/1384-64-0x0000000000400000-0x0000000000534000-memory.dmp | upx
    behavioral1/memory/1384-66-0x0000000000400000-0x0000000000534000-memory.dmp | upx

- Loads dropped DLL (1 IoC)
  Processes:
    pid | process
    976 | 宝妈做任务单被骗27万聊天记录曝光.com.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description     | ioc                                                                                                                  | process
    Key created     | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run                                          | 宝妈做任务单被骗27万聊天记录曝光.com.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\googleÉý¼¶ = "C:\\Windows\\system32\\lsassa.exe" | 宝妈做任务单被骗27万聊天记录曝光.com.exe

- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
    description             | ioc    | process
    File opened (read-only) | \??\G: | lsassa.exe
    File opened (read-only) | \??\L: | lsassa.exe
    File opened (read-only) | \??\M: | lsassa.exe
    File opened (read-only) | \??\U: | lsassa.exe
    File opened (read-only) | \??\V: | lsassa.exe
    File opened (read-only) | \??\Z: | lsassa.exe
    File opened (read-only) | \??\J: | lsassa.exe
    File opened (read-only) | \??\O: | lsassa.exe
    File opened (read-only) | \??\Q: | lsassa.exe
    File opened (read-only) | \??\F: | lsassa.exe
    File opened (read-only) | \??\I: | lsassa.exe
    File opened (read-only) | \??\K: | lsassa.exe
    File opened (read-only) | \??\P: | lsassa.exe
    File opened (read-only) | \??\R: | lsassa.exe
    File opened (read-only) | \??\T: | lsassa.exe
    File opened (read-only) | \??\X: | lsassa.exe
    File opened (read-only) | \??\Y: | lsassa.exe
    File opened (read-only) | \??\B: | lsassa.exe
    File opened (read-only) | \??\E: | lsassa.exe
    File opened (read-only) | \??\H: | lsassa.exe
    File opened (read-only) | \??\N: | lsassa.exe
    File opened (read-only) | \??\S: | lsassa.exe
    File opened (read-only) | \??\W: | lsassa.exe

- Drops file in System32 directory (2 IoCs)
  Processes:
    description  | ioc                             | process
    File created | C:\Windows\SysWOW64\md5.png     | 宝妈做任务单被骗27万聊天记录曝光.com.exe
    File created | C:\Windows\SysWOW64\lsassa.exe  | 宝妈做任务单被骗27万聊天记录曝光.com.exe

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          | pid  | process    | target process
    PID 1400 set thread context of 1384  | 1400 | lsassa.exe | lsassa.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description       | ioc                                                                  | process
    Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0      | lsassa.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | lsassa.exe

- Suspicious behavior: EnumeratesProcesses (36 IoCs)
  Processes:
    pid  | process
    976  | 宝妈做任务单被骗27万聊天记录曝光.com.exe (3 identical entries)
    1384 | lsassa.exe (33 identical entries)

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    description                         | pid  | process
    Token: 33                           | 1384 | lsassa.exe
    Token: SeIncBasePriorityPrivilege   | 1384 | lsassa.exe
    Token: 33                           | 1384 | lsassa.exe
    Token: SeIncBasePriorityPrivilege   | 1384 | lsassa.exe

- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid | process
    976 | 宝妈做任务单被骗27万聊天记录曝光.com.exe

- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
    description                       | pid  | process                                   | target process
    PID 976 wrote to memory of 1400   | 976  | 宝妈做任务单被骗27万聊天记录曝光.com.exe | lsassa.exe (4 identical entries)
    PID 1400 wrote to memory of 1384  | 1400 | lsassa.exe                                | lsassa.exe (6 identical entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\宝妈做任务单被骗27万聊天记录曝光.com.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\宝妈做任务单被骗27万聊天记录曝光.com.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\lsassa.exe
      Command line: "C:\Windows\system32\lsassa.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\lsassa.exe
         Command line: C:\Windows\SysWOW64\lsassa.exe
         - Executes dropped EXE
         - Enumerates connected drives
         - Checks processor information in registry
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Windows\SysWOW64\lsassa.exe
  MD5: 9a407574432270a19ec46ddf1c6dbe5d
  SHA1: e38e2827a57dc2ebd37acb6a62aa11c46f242ef5
  SHA256: f911f21b819fe3de51f8f880abb7a7a921e38fdf5618462f8a5ff2feca2f4800
  SHA512: 6401f5386a0b944e606fa1fd194a5f22bc83b102abdb04324be5a7a5fed7161a7a8a8fb90306a556c6922200f5558a3434cf72fecdecc5eae156db667059f5c6

- C:\Windows\SysWOW64\md5.png
  MD5: 047bbdd42c244b7aa2c15d48fff96a29
  SHA1: e658b8abebb77ee1d8d3458f314a226d56d0f9b8
  SHA256: f9cfa36f4bde6457ea5138f4ded1ba18d05e31950c3de119e25e540c3dc5efcf
  SHA512: e37e64d5ef56799b3982e7dcb6c18270d9301859afa8b4ecf6a48d399168b061f0ab99b84cbb77e0b50dfc93802595f052202447d4a971afb56a3296c70fc8c5

- \Windows\SysWOW64\lsassa.exe
  MD5: 9a407574432270a19ec46ddf1c6dbe5d
  SHA1: e38e2827a57dc2ebd37acb6a62aa11c46f242ef5
  SHA256: f911f21b819fe3de51f8f880abb7a7a921e38fdf5618462f8a5ff2feca2f4800
  SHA512: 6401f5386a0b944e606fa1fd194a5f22bc83b102abdb04324be5a7a5fed7161a7a8a8fb90306a556c6922200f5558a3434cf72fecdecc5eae156db667059f5c6

Memory dumps:
- memory/976-55-0x0000000076341000-0x0000000076343000-memory.dmp (Filesize: 8KB)
- memory/1384-61-0x0000000000400000-0x0000000000534000-memory.dmp (Filesize: 1.2MB)
- memory/1384-62-0x0000000000530D30-mapping.dmp
- memory/1384-64-0x0000000000400000-0x0000000000534000-memory.dmp (Filesize: 1.2MB)
- memory/1384-60-0x0000000000400000-0x0000000000534000-memory.dmp (Filesize: 1.2MB)
- memory/1384-66-0x0000000000400000-0x0000000000534000-memory.dmp (Filesize: 1.2MB)
- memory/1384-69-0x0000000010099000-0x00000000100B4000-memory.dmp (Filesize: 108KB)
- memory/1384-71-0x0000000010183000-0x0000000010187000-memory.dmp (Filesize: 16KB)
- memory/1384-70-0x00000000100B4000-0x00000000100F6000-memory.dmp (Filesize: 264KB)
- memory/1384-68-0x0000000010096000-0x0000000010099000-memory.dmp (Filesize: 12KB)
- memory/1384-67-0x0000000010001000-0x0000000010096000-memory.dmp (Filesize: 596KB)
- memory/1400-57-0x0000000000000000-mapping.dmp