381d24190308f8d81d13daedd1e9192af95a8acfcf68ca277b63edbd98c73c8e

Analysis

max time kernel
163s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12/10/2022, 16:00

Target

381d24190308f8d81d13daedd1e9192af95a8acfcf68ca277b63edbd98c73c8e.exe
Size

1.9MB
MD5

1e6364f57372a5498ffa053c4b94c2e4
SHA1

d0cd26a72718fd15c23f51af7c2a9e463eee02ce
SHA256

381d24190308f8d81d13daedd1e9192af95a8acfcf68ca277b63edbd98c73c8e
SHA512

ea49a4e1d0cd4f790d3806c07cb567ad51da96993d403ac4d31fab5564836613b98cefe0a6575eff82d265bcf695eb84bf37a00198707fc39c20f75cbab5f515
SSDEEP

49152:4IxzLHIIaGZ+EJTkQiona2Lxxa5+lSWjOkG3g47UuWKkAYT:OIaW+YTkQiona2LbplSWjwQ4IuWKkAY

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
908	netlsa.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\netlsa.exe	381d24190308f8d81d13daedd1e9192af95a8acfcf68ca277b63edbd98c73c8e.exe
File created	C:\Windows\SysWOW64\netlsa.exe	381d24190308f8d81d13daedd1e9192af95a8acfcf68ca277b63edbd98c73c8e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	netlsa.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips = "0"	netlsa.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1956	381d24190308f8d81d13daedd1e9192af95a8acfcf68ca277b63edbd98c73c8e.exe
908	netlsa.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1956	381d24190308f8d81d13daedd1e9192af95a8acfcf68ca277b63edbd98c73c8e.exe
Token: SeChangeNotifyPrivilege	1956	381d24190308f8d81d13daedd1e9192af95a8acfcf68ca277b63edbd98c73c8e.exe
Token: SeDebugPrivilege	908	netlsa.exe
Token: SeChangeNotifyPrivilege	908	netlsa.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1956	381d24190308f8d81d13daedd1e9192af95a8acfcf68ca277b63edbd98c73c8e.exe
908	netlsa.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 908	1508	taskeng.exe	29
PID 1508 wrote to memory of 908	1508	taskeng.exe	29
PID 1508 wrote to memory of 908	1508	taskeng.exe	29
PID 1508 wrote to memory of 908	1508	taskeng.exe	29

C:\Windows\system32\taskeng.exe
taskeng.exe {2BB7F528-FA61-4242-846A-A6D2211E971B} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Windows\SysWOW64\netlsa.exe
  C:\Windows\SysWOW64\netlsa.exe vau
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:908

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\SysWOW64\netlsa.exe

Filesize
1.9MB

MD5
c2fadf2611da75d13649e5e9479335ae

SHA1
af8463a27192578d99a8da87d237c3770d62e764

SHA256
1ad8019eec7279c935b18c5c3a060753d7548901681ea66f87395c696f05d40a

SHA512
4a5e89d73739fbdbb41803372c80d5c3515469f95c95fbe5793d85311618a6cc5ff1c1d3ed5aff60cb2f41644fbf2e9a8533b24075501df84c4b50dfc74853c1

Download Submit
C:\Windows\SysWOW64\netlsa.exe

Filesize
1.9MB

MD5
c2fadf2611da75d13649e5e9479335ae

SHA1
af8463a27192578d99a8da87d237c3770d62e764

SHA256
1ad8019eec7279c935b18c5c3a060753d7548901681ea66f87395c696f05d40a

SHA512
4a5e89d73739fbdbb41803372c80d5c3515469f95c95fbe5793d85311618a6cc5ff1c1d3ed5aff60cb2f41644fbf2e9a8533b24075501df84c4b50dfc74853c1

Download Submit
memory/908-61-0x0000000000400000-0x000000000058D000-memory.dmp

Filesize
1.6MB

Download
memory/908-62-0x0000000000400000-0x000000000058D000-memory.dmp

Filesize
1.6MB

Download
memory/1956-54-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download
memory/1956-55-0x0000000000400000-0x000000000058D000-memory.dmp

Filesize
1.6MB

Download
memory/1956-56-0x0000000000400000-0x000000000058D000-memory.dmp

Filesize
1.6MB

Download