Analysis
max time kernel: 45s
max time network: 50s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 02-10-2022 13:49
Static task: static1
Behavioral task: behavioral1
Sample: 35e8cdcbb44d188053b8fd890e5e41fae8de9f7977bc981d137c336de74fcb94.exe
Resource: win7-20220901-en
Behavioral task: behavioral2
Sample: 35e8cdcbb44d188053b8fd890e5e41fae8de9f7977bc981d137c336de74fcb94.exe
Resource: win10v2004-20220812-en
General
Target: 35e8cdcbb44d188053b8fd890e5e41fae8de9f7977bc981d137c336de74fcb94.exe
Size: 138KB
MD5: 70478ed4820b01390d1f287f877d0f64
SHA1: 59e47f5784a026059815cfd7009d13033b474765
SHA256: 35e8cdcbb44d188053b8fd890e5e41fae8de9f7977bc981d137c336de74fcb94
SHA512: 8dad02ec2fbbed1cd561b35286cc93b6a58e2cac6d30a226b11e91ab1c4dbcb104408e0b37d8746770dff805845795feb6984d6487cc8bdfbbeb2d09f1b31a10
SSDEEP: 1536:GgXG5iF/ccZu8AWenO81fdTd2dwuJlyyjEYzui3:Gg28FZu/WeOOuJzj
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
PID 1120: lsass.exe
Modifies Windows Firewall (1 TTPs, 1 IoCs)
PID 1412: netsh.exe
Drops startup file (2 IoCs)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ef6805c25b5a2f877bc96e021971597e.exe (process: lsass.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ef6805c25b5a2f877bc96e021971597e.exe (process: lsass.exe)
Loads dropped DLL (1 IoCs)
PID 1448: 35e8cdcbb44d188053b8fd890e5e41fae8de9f7977bc981d137c336de74fcb94.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ef6805c25b5a2f877bc96e021971597e = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\lsass.exe\" .." (process: lsass.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ef6805c25b5a2f877bc96e021971597e = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\lsass.exe\" .." (process: lsass.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (1 IoCs)
PID 1120: lsass.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Token: SeDebugPrivilege, PID 1120: lsass.exe
Suspicious use of WriteProcessMemory (8 IoCs)
PID 1448 wrote to memory of 1120 (process: 35e8cdcbb44d188053b8fd890e5e41fae8de9f7977bc981d137c336de74fcb94.exe, procid_target 27), recorded 4 times
PID 1120 wrote to memory of 1412 (process: lsass.exe, procid_target 28), recorded 4 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\35e8cdcbb44d188053b8fd890e5e41fae8de9f7977bc981d137c336de74fcb94.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\35e8cdcbb44d188053b8fd890e5e41fae8de9f7977bc981d137c336de74fcb94.exe"
   PID: 1448
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Local\Temp\lsass.exe (child of 1)
   Command line: "C:\Users\Admin\AppData\Local\Temp\lsass.exe"
   PID: 1120
   - Executes dropped EXE
   - Drops startup file
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\netsh.exe (child of 2)
   Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\lsass.exe" "lsass.exe" ENABLE
   PID: 1412
   - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 138KB
MD5: 70478ed4820b01390d1f287f877d0f64
SHA1: 59e47f5784a026059815cfd7009d13033b474765
SHA256: 35e8cdcbb44d188053b8fd890e5e41fae8de9f7977bc981d137c336de74fcb94
SHA512: 8dad02ec2fbbed1cd561b35286cc93b6a58e2cac6d30a226b11e91ab1c4dbcb104408e0b37d8746770dff805845795feb6984d6487cc8bdfbbeb2d09f1b31a10