5c3ad0ed491dd2b003d9037187a8e06845b85ab418f0426b866eb6779b90af44

General

Target

5c3ad0ed491dd2b003d9037187a8e06845b85ab418f0426b866eb6779b90af44.exe
Size

186KB
MD5

c575e868cfda9c54c652520116399024
SHA1

6cd5e110d88d549581710da849345fac4d1bdbc7
SHA256

5c3ad0ed491dd2b003d9037187a8e06845b85ab418f0426b866eb6779b90af44
SHA512

ec3fe0067e3adf7b38441347a67c8679157cf5f43bfbc882a3c83643131c35353db9031f35ec680da076ab8186189cdbf00fa3c6f52b61bcac8c872a200a3a73

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Taskinglore.exelsm.exe

pid process

1460 Taskinglore.exe
3736 lsm.exe

pid	process
1460	Taskinglore.exe
3736	lsm.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5c3ad0ed491dd2b003d9037187a8e06845b85ab418f0426b866eb6779b90af44.exeTaskinglore.exelsm.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Taskinglore = "C:\\Users\\Admin\\AppData\\Local\\Taskinglore\\Taskinglore.exe"	5c3ad0ed491dd2b003d9037187a8e06845b85ab418f0426b866eb6779b90af44.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Taskinglore = "C:\\Users\\Admin\\AppData\\Local\\Taskinglore\\Taskinglore.exe"	Taskinglore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDef = "C:\\Users\\Admin\\AppData\\Roaming\\pmBXeMbWQGWRq4XUdLx7BrWElj1n.exe"	lsm.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Taskinglore.exelsm.exe

description	pid	process	target process
PID 1460 set thread context of 3736	1460	Taskinglore.exe	lsm.exe
PID 3736 set thread context of 612	3736	lsm.exe	explorer.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2252 PING.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Taskinglore.exeexplorer.exe

pid process

1460 Taskinglore.exe
612 explorer.exe
612 explorer.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

lsm.exe

pid process

3736 lsm.exe

pid	process
2252	PING.EXE

pid	process
1460	Taskinglore.exe
612	explorer.exe
612	explorer.exe

pid	process
3736	lsm.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

5c3ad0ed491dd2b003d9037187a8e06845b85ab418f0426b866eb6779b90af44.exeTaskinglore.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	60	5c3ad0ed491dd2b003d9037187a8e06845b85ab418f0426b866eb6779b90af44.exe
Token: SeDebugPrivilege	1460	Taskinglore.exe
Token: SeDebugPrivilege	612	explorer.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

5c3ad0ed491dd2b003d9037187a8e06845b85ab418f0426b866eb6779b90af44.execmd.exeTaskinglore.exelsm.exe

description	pid	process	target process
PID 60 wrote to memory of 1420	60	5c3ad0ed491dd2b003d9037187a8e06845b85ab418f0426b866eb6779b90af44.exe	cmd.exe
PID 60 wrote to memory of 1420	60	5c3ad0ed491dd2b003d9037187a8e06845b85ab418f0426b866eb6779b90af44.exe	cmd.exe
PID 60 wrote to memory of 1420	60	5c3ad0ed491dd2b003d9037187a8e06845b85ab418f0426b866eb6779b90af44.exe	cmd.exe
PID 1420 wrote to memory of 2252	1420	cmd.exe	PING.EXE
PID 1420 wrote to memory of 2252	1420	cmd.exe	PING.EXE
PID 1420 wrote to memory of 2252	1420	cmd.exe	PING.EXE
PID 1420 wrote to memory of 1460	1420	cmd.exe	Taskinglore.exe
PID 1420 wrote to memory of 1460	1420	cmd.exe	Taskinglore.exe
PID 1420 wrote to memory of 1460	1420	cmd.exe	Taskinglore.exe
PID 1460 wrote to memory of 3736	1460	Taskinglore.exe	lsm.exe
PID 1460 wrote to memory of 3736	1460	Taskinglore.exe	lsm.exe
PID 1460 wrote to memory of 3736	1460	Taskinglore.exe	lsm.exe
PID 1460 wrote to memory of 3736	1460	Taskinglore.exe	lsm.exe
PID 1460 wrote to memory of 3736	1460	Taskinglore.exe	lsm.exe
PID 1460 wrote to memory of 3736	1460	Taskinglore.exe	lsm.exe
PID 1460 wrote to memory of 3736	1460	Taskinglore.exe	lsm.exe
PID 1460 wrote to memory of 3736	1460	Taskinglore.exe	lsm.exe
PID 1460 wrote to memory of 3736	1460	Taskinglore.exe	lsm.exe
PID 3736 wrote to memory of 612	3736	lsm.exe	explorer.exe
PID 3736 wrote to memory of 612	3736	lsm.exe	explorer.exe
PID 3736 wrote to memory of 612	3736	lsm.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\5c3ad0ed491dd2b003d9037187a8e06845b85ab418f0426b866eb6779b90af44.exe
"C:\Users\Admin\AppData\Local\Temp\5c3ad0ed491dd2b003d9037187a8e06845b85ab418f0426b866eb6779b90af44.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:60

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\5c3ad0ed491dd2b003d9037187a8e06845b85ab418f0426b866eb6779b90af44.exe" & start "" C:\Users\Admin\AppData\Local\Taskinglore\Taskinglore.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:2252

C:\Users\Admin\AppData\Local\Taskinglore\Taskinglore.exe
C:\Users\Admin\AppData\Local\Taskinglore\Taskinglore.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1460

C:\Users\Admin\AppData\Local\Temp\0483692eb3b4\lsm.exe
"C:\Users\Admin\AppData\Local\Temp\0483692eb3b4\lsm.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3736

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\system32\explorer.exe"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:612

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Taskinglore\Taskinglore.exe
Filesize
186KB

MD5
c575e868cfda9c54c652520116399024

SHA1
6cd5e110d88d549581710da849345fac4d1bdbc7

SHA256
5c3ad0ed491dd2b003d9037187a8e06845b85ab418f0426b866eb6779b90af44

SHA512
ec3fe0067e3adf7b38441347a67c8679157cf5f43bfbc882a3c83643131c35353db9031f35ec680da076ab8186189cdbf00fa3c6f52b61bcac8c872a200a3a73

Download Submit
C:\Users\Admin\AppData\Local\Taskinglore\Taskinglore.exe
Filesize
186KB

MD5
c575e868cfda9c54c652520116399024

SHA1
6cd5e110d88d549581710da849345fac4d1bdbc7

SHA256
5c3ad0ed491dd2b003d9037187a8e06845b85ab418f0426b866eb6779b90af44

SHA512
ec3fe0067e3adf7b38441347a67c8679157cf5f43bfbc882a3c83643131c35353db9031f35ec680da076ab8186189cdbf00fa3c6f52b61bcac8c872a200a3a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\0483692eb3b4\lsm.exe
Filesize
32KB

MD5
7342395a464b55c0d63f73bde9835ead

SHA1
f4793c7736153a688fc5026e8049031b2c1d8075

SHA256
7b1c83de2997fd96d29c7b69ba40e03bc7ba9aa085fa8662eb4d71d78c5aa9bb

SHA512
192142af6e3fabc2d74decd1a824ac985e74d6d6319f6b19ae6f880363108a8a70e9766ed31f610577b788d3eed194791e3c404667a693a5f80b92c031a60492

Download Submit
C:\Users\Admin\AppData\Local\Temp\0483692eb3b4\lsm.exe
Filesize
32KB

MD5
7342395a464b55c0d63f73bde9835ead

SHA1
f4793c7736153a688fc5026e8049031b2c1d8075

SHA256
7b1c83de2997fd96d29c7b69ba40e03bc7ba9aa085fa8662eb4d71d78c5aa9bb

SHA512
192142af6e3fabc2d74decd1a824ac985e74d6d6319f6b19ae6f880363108a8a70e9766ed31f610577b788d3eed194791e3c404667a693a5f80b92c031a60492

Download Submit
memory/60-131-0x0000000007430000-0x00000000074CC000-memory.dmp

Filesize
624KB

Download
memory/60-132-0x0000000007A80000-0x0000000008024000-memory.dmp

Filesize
5.6MB

Download
memory/60-130-0x00000000005A0000-0x00000000005D4000-memory.dmp

Filesize
208KB

Download
memory/612-146-0x0000000000A20000-0x0000000000A33000-memory.dmp

Filesize
76KB

Download
memory/612-143-0x0000000000000000-mapping.dmp

Download
memory/612-145-0x0000000000A20000-0x0000000000A33000-memory.dmp

Filesize
76KB

Download
memory/1420-133-0x0000000000000000-mapping.dmp

Download
memory/1460-135-0x0000000000000000-mapping.dmp

Download
memory/2252-134-0x0000000000000000-mapping.dmp

Download
memory/3736-138-0x0000000000000000-mapping.dmp

Download
memory/3736-144-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3736-142-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3736-139-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads