Analysis
max time kernel: 124s
max time network: 146s
platform: windows10_x64
resource: win10-en-20211104
submitted: 05-12-2021 01:03

Static task: static1

Behavioral task: behavioral1
  Sample: å®å¦ˆåšä»»åŠ¡å•è¢«éª—27万èŠå¤©è®°å½•æ›å…‰.com.exe
  Resource: win7-en-20211104

Behavioral task: behavioral2
  Sample: å®å¦ˆåšä»»åŠ¡å•è¢«éª—27万èŠå¤©è®°å½•æ›å…‰.com.exe
  Resource: win10-en-20211104

General
Target: å®å¦ˆåšä»»åŠ¡å•è¢«éª—27万èŠå¤©è®°å½•æ›å…‰.com.exe
Size: 820KB
MD5: 11985a5f1baa69c64d43dd67eee3b95f
SHA1: a579cc38d40fbc39d9d14d4b290cdeec433b0c45
SHA256: 8f83e16612f5fd5db6d74da7a9de542becd19a52b3916380235c32adbf50ee7e
SHA512: d40113b6b467d7b3890be76dd34d831e7141171e3253c6d724e9e92b4138dfb93af7bfa336a240e25a333546860dab856b9942c95b4fbfd8ca55dd79696ba2ce
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  4076  lsassa.exe
  4196  lsassa.exe
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/4196-122-0x0000000000400000-0x0000000000534000-memory.dmp  upx
  behavioral2/memory/4196-125-0x0000000000400000-0x0000000000534000-memory.dmp  upx
  behavioral2/memory/4196-126-0x0000000000400000-0x0000000000534000-memory.dmp  upx
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description      ioc  process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\googleÉý¼¶ = "C:\\Windows\\system32\\lsassa.exe"  å®å¦ˆåšä»»åŠ¡å•è¢«éª—27万èŠå¤©è®°å½•æ›å…‰.com.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run  å®å¦ˆåšä»»åŠ¡å•è¢«éª—27万èŠå¤©è®°å½•æ›å…‰.com.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description              ioc     process
  File opened (read-only)  \??\R:  lsassa.exe
  File opened (read-only)  \??\S:  lsassa.exe
  File opened (read-only)  \??\Y:  lsassa.exe
  File opened (read-only)  \??\K:  lsassa.exe
  File opened (read-only)  \??\O:  lsassa.exe
  File opened (read-only)  \??\U:  lsassa.exe
  File opened (read-only)  \??\W:  lsassa.exe
  File opened (read-only)  \??\H:  lsassa.exe
  File opened (read-only)  \??\F:  lsassa.exe
  File opened (read-only)  \??\G:  lsassa.exe
  File opened (read-only)  \??\J:  lsassa.exe
  File opened (read-only)  \??\L:  lsassa.exe
  File opened (read-only)  \??\N:  lsassa.exe
  File opened (read-only)  \??\Q:  lsassa.exe
  File opened (read-only)  \??\T:  lsassa.exe
  File opened (read-only)  \??\B:  lsassa.exe
  File opened (read-only)  \??\Z:  lsassa.exe
  File opened (read-only)  \??\I:  lsassa.exe
  File opened (read-only)  \??\M:  lsassa.exe
  File opened (read-only)  \??\P:  lsassa.exe
  File opened (read-only)  \??\V:  lsassa.exe
  File opened (read-only)  \??\X:  lsassa.exe
  File opened (read-only)  \??\E:  lsassa.exe
Drops file in System32 directory (2 IoCs)
Processes:
  description   ioc                             process
  File created  C:\Windows\SysWOW64\md5.png     å®å¦ˆåšä»»åŠ¡å•è¢«éª—27万èŠå¤©è®°å½•æ›å…‰.com.exe
  File created  C:\Windows\SysWOW64\lsassa.exe  å®å¦ˆåšä»»åŠ¡å•è¢«éª—27万èŠå¤©è®°å½•æ›å…‰.com.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description                          pid   process     target process
  PID 4076 set thread context of 4196  4076  lsassa.exe  lsassa.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                               process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0       lsassa.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  lsassa.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid   process
  2720  å®å¦ˆåšä»»åŠ¡å•è¢«éª—27万èŠå¤©è®°å½•æ›å…‰.com.exe  (6 entries)
  4196  lsassa.exe  (58 entries)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
  description                         pid   process
  Token: 33                           4196  lsassa.exe
  Token: SeIncBasePriorityPrivilege   4196  lsassa.exe
  Token: 33                           4196  lsassa.exe
  Token: SeIncBasePriorityPrivilege   4196  lsassa.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid   process
  2720  å®å¦ˆåšä»»åŠ¡å•è¢«éª—27万èŠå¤©è®°å½•æ›å…‰.com.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description                       pid   process     target process
  PID 2720 wrote to memory of 4076  2720  å®å¦ˆåšä»»åŠ¡å•è¢«éª—27万èŠå¤©è®°å½•æ›å…‰.com.exe  lsassa.exe
  PID 2720 wrote to memory of 4076  2720  å®å¦ˆåšä»»åŠ¡å•è¢«éª—27万èŠå¤©è®°å½•æ›å…‰.com.exe  lsassa.exe
  PID 2720 wrote to memory of 4076  2720  å®å¦ˆåšä»»åŠ¡å•è¢«éª—27万èŠå¤©è®°å½•æ›å…‰.com.exe  lsassa.exe
  PID 4076 wrote to memory of 4196  4076  lsassa.exe  lsassa.exe
  PID 4076 wrote to memory of 4196  4076  lsassa.exe  lsassa.exe
  PID 4076 wrote to memory of 4196  4076  lsassa.exe  lsassa.exe
  PID 4076 wrote to memory of 4196  4076  lsassa.exe  lsassa.exe
  PID 4076 wrote to memory of 4196  4076  lsassa.exe  lsassa.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\å®å¦ˆåšä»»åŠ¡å•è¢«éª—27万èŠå¤©è®°å½•æ›å…‰.com.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\å®å¦ˆåšä»»åŠ¡å•è¢«éª—27万èŠå¤©è®°å½•æ›å…‰.com.exe"
   - Adds Run key to start application
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\lsassa.exe (child of 1)
      Command line: "C:\Windows\system32\lsassa.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\lsassa.exe (child of 2)
         Command line: C:\Windows\SysWOW64\lsassa.exe
         - Executes dropped EXE
         - Enumerates connected drives
         - Checks processor information in registry
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Windows\SysWOW64\lsassa.exe
  MD5     9a407574432270a19ec46ddf1c6dbe5d
  SHA1    e38e2827a57dc2ebd37acb6a62aa11c46f242ef5
  SHA256  f911f21b819fe3de51f8f880abb7a7a921e38fdf5618462f8a5ff2feca2f4800
  SHA512  6401f5386a0b944e606fa1fd194a5f22bc83b102abdb04324be5a7a5fed7161a7a8a8fb90306a556c6922200f5558a3434cf72fecdecc5eae156db667059f5c6
C:\Windows\SysWOW64\md5.png
  MD5     047bbdd42c244b7aa2c15d48fff96a29
  SHA1    e658b8abebb77ee1d8d3458f314a226d56d0f9b8
  SHA256  f9cfa36f4bde6457ea5138f4ded1ba18d05e31950c3de119e25e540c3dc5efcf
  SHA512  e37e64d5ef56799b3982e7dcb6c18270d9301859afa8b4ecf6a48d399168b061f0ab99b84cbb77e0b50dfc93802595f052202447d4a971afb56a3296c70fc8c5

memory/4076-118-0x0000000000000000-mapping.dmp
memory/4196-123-0x0000000000530D30-mapping.dmp
memory/4196-122-0x0000000000400000-0x0000000000534000-memory.dmp  Filesize 1.2MB
memory/4196-125-0x0000000000400000-0x0000000000534000-memory.dmp  Filesize 1.2MB
memory/4196-126-0x0000000000400000-0x0000000000534000-memory.dmp  Filesize 1.2MB
memory/4196-128-0x0000000010096000-0x0000000010099000-memory.dmp  Filesize 12KB
memory/4196-127-0x0000000010001000-0x0000000010096000-memory.dmp  Filesize 596KB
memory/4196-129-0x0000000010099000-0x00000000100B4000-memory.dmp  Filesize 108KB
memory/4196-130-0x00000000100B4000-0x00000000100F6000-memory.dmp  Filesize 264KB
memory/4196-131-0x0000000010183000-0x0000000010187000-memory.dmp  Filesize 16KB