0df79ebcde62d0bd90cc22aacd642fef46c183fefae28de4a9e3a1c969b89c18

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2022, 14:47 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Process Lasso 11.1.1.26 #soft8 病毒 0 (111.10.14)/App/ProcessLasso/ProcessLassoLauncher.exe
Size

361KB
MD5

f6704098023e4955a2978d8e52c7ca2c
SHA1

85abb6e05f5dd24b85224a8aa7085ed08ac4afa2
SHA256

ff409cfff93b8fee19298093058b1d368097806faf772ca3298baa41c03863ab
SHA512

9f38b02eebf966b366749c6307ec4b6ee699a1f8192400691aa241bbb7523db2a54f503e2a397bae03ae524e30006cf4f42fb503bad5a6263b8c176c9bf5df1d
SSDEEP

3072:gRMGpueWlx0CvXBBFCPOsNkGYLsR1a9ILuGe7DBL+9/k7HoZ7WK7T1Cagou3xA:gRM6JWlxTHFC2uRYgR1t/7WGAfoh

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	ProcessLassoLauncher.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ProcessLasso.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ProcessLasso.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	processgovernor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	processgovernor.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
712	processgovernor.exe
712	processgovernor.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
712	processgovernor.exe
712	processgovernor.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
712	processgovernor.exe
712	processgovernor.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
712	processgovernor.exe
712	processgovernor.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
712	processgovernor.exe
712	processgovernor.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
712	processgovernor.exe
712	processgovernor.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
712	processgovernor.exe
712	processgovernor.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
712	processgovernor.exe
712	processgovernor.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
712	processgovernor.exe
712	processgovernor.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
712	processgovernor.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
712	processgovernor.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	1640	ProcessLasso.exe
Token: SeDebugPrivilege	1640	ProcessLasso.exe
Token: SeChangeNotifyPrivilege	1640	ProcessLasso.exe
Token: SeIncBasePriorityPrivilege	1640	ProcessLasso.exe
Token: SeIncreaseQuotaPrivilege	1640	ProcessLasso.exe
Token: SeCreateGlobalPrivilege	1640	ProcessLasso.exe
Token: SeProfSingleProcessPrivilege	1640	ProcessLasso.exe
Token: SeBackupPrivilege	1640	ProcessLasso.exe
Token: SeRestorePrivilege	1640	ProcessLasso.exe
Token: SeAssignPrimaryTokenPrivilege	712	processgovernor.exe
Token: SeDebugPrivilege	712	processgovernor.exe
Token: SeChangeNotifyPrivilege	712	processgovernor.exe
Token: SeIncBasePriorityPrivilege	712	processgovernor.exe
Token: SeIncreaseQuotaPrivilege	712	processgovernor.exe
Token: SeProfSingleProcessPrivilege	712	processgovernor.exe
Token: SeCreateGlobalPrivilege	712	processgovernor.exe
Token: SeBackupPrivilege	712	processgovernor.exe
Token: SeRestorePrivilege	712	processgovernor.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe
1640	ProcessLasso.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 1640	4968	ProcessLassoLauncher.exe	84
PID 4968 wrote to memory of 1640	4968	ProcessLassoLauncher.exe	84
PID 4968 wrote to memory of 1640	4968	ProcessLassoLauncher.exe	84
PID 1640 wrote to memory of 712	1640	ProcessLasso.exe	90
PID 1640 wrote to memory of 712	1640	ProcessLasso.exe	90
PID 1640 wrote to memory of 712	1640	ProcessLasso.exe	90

C:\Users\Admin\AppData\Local\Temp\Process Lasso 11.1.1.26 #soft8 病毒 0 (111.10.14)\App\ProcessLasso\ProcessLassoLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\Process Lasso 11.1.1.26 #soft8 病毒 0 (111.10.14)\App\ProcessLasso\ProcessLassoLauncher.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Users\Admin\AppData\Local\Temp\Process Lasso 11.1.1.26 #soft8 病毒 0 (111.10.14)\App\ProcessLasso\ProcessLasso.exe
  "C:\Users\Admin\AppData\Local\Temp\Process Lasso 11.1.1.26 #soft8 病毒 0 (111.10.14)\App\ProcessLasso\ProcessLasso.exe" "C:\Users\Admin\AppData\Local\Temp\Process Lasso 11.1.1.26 #soft8 病毒 0 (111.10.14)\App\ProcessLasso\ProcessLassoLauncher.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Users\Admin\AppData\Local\Temp\Process Lasso 11.1.1.26 #soft8 病毒 0 (111.10.14)\App\ProcessLasso\processgovernor.exe
    "C:\Users\Admin\AppData\Local\Temp\Process Lasso 11.1.1.26 #soft8 病毒 0 (111.10.14)\App\ProcessLasso\processgovernor.exe"
    3⤵
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:712

Network

No results found

8.238.110.126:80

http

46 B
88 B
1
1
13.78.111.198:443

322 B
7
8.238.110.126:80

322 B
7
88.221.25.155:80

322 B
7
88.221.25.155:80

322 B
7
8.238.110.126:80

322 B
7
8.247.211.254:80

322 B
7
204.79.197.203:80

322 B
7

No results found

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ProcessLasso\config\prolasso.ini

Filesize
7KB

MD5
736f41d2f35e6848cec5f81a083c32cf

SHA1
de983b61b0e002f0ae3d7a1e0fd1e7d66e287b15

SHA256
cc92b1ffc62962e1e8267a47df08f5817df148be90a20e984e87ccabf67b2ca9

SHA512
fd7ea4b7fd497d3052521bb20b92aed29c1317a33119f56627d37d3d29b9c016a66794893db22fe8952568dd98d58306734e5e03ccb5e88186d505b4098f2c92

Download Submit
C:\Users\Admin\AppData\Local\ProcessLasso\logs\processlasso.log

Filesize
1KB

MD5
7ebc3109d09c55c435654d942240245c

SHA1
802a33746d8e01085bf0a4d913bea3e0571f274a

SHA256
f760c208b6f794174ddc0f8ed8ac8ee8dde615f7db5d881db5b2036b31e30d53

SHA512
0e696a2804a37e6f0016a2b78ec8c52ccbcdb2ef4f53502aea5519ef9659073b251d9d311e8f41ad9e51caf6d36645b7c1ed19af9bea1c4a2f9f102bf8d03ad1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.