Analysis

- max time kernel: 150s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-10-2022 14:47
Tasks (every sample path below is relative to Process Lasso 11.1.1.26 #soft8 病毒 0 (111.10.14)/App/ProcessLasso/)

- static1: Static task
- behavioral1: CPUEater.exe (resource win7-20220812-en)
- behavioral2: CPUEater.exe (resource win10v2004-20220812-en)
- behavioral3: Insights.exe (resource win7-20220812-en)
- behavioral4: Insights.exe (resource win10v2004-20220812-en)
- behavioral5: InstallHelper.exe (resource win7-20220812-en)
- behavioral6: InstallHelper.exe (resource win10v2004-20220812-en)
- behavioral7: LogViewer.exe (resource win7-20220812-en)
- behavioral8: LogViewer.exe (resource win10v2004-20220812-en)
- behavioral9: ProcessGovernor.exe (resource win7-20220812-en)
- behavioral10: ProcessGovernor.exe (resource win10v2004-20220812-en)
- behavioral11: ProcessLasso.exe (resource win7-20220812-en)
- behavioral12: ProcessLasso.exe (resource win10v2004-20220812-en)
- behavioral13: ProcessLassoLauncher.exe (resource win7-20220812-en)
- behavioral14: ProcessLassoLauncher.exe (resource win10v2004-20220901-en)
- behavioral15: QuickUpgrade.exe (resource win7-20220901-en)
- behavioral16: QuickUpgrade.exe (resource win10v2004-20220812-en)
- behavioral17: ThreadRacer.exe (resource win7-20220812-en)
- behavioral18: ThreadRacer.exe (resource win10v2004-20220812-en)
- behavioral19: TweakScheduler.exe (resource win7-20220812-en)
- behavioral20: TweakScheduler.exe (resource win10v2004-20220812-en)
- behavioral21: bitsumms.exe (resource win7-20220812-en)
- behavioral22: bitsumms.exe (resource win10v2004-20220901-en)
- behavioral23: bitsumsessionagent.exe (resource win7-20220812-en)
- behavioral24: bitsumsessionagent.exe (resource win10v2004-20220901-en)
- behavioral25: pl.cmd (resource win7-20220901-en)
- behavioral26: pl.cmd (resource win10v2004-20220901-en)
- behavioral27: pl_rsrc_bulgarian.dll (resource win7-20220901-en)
- behavioral28: pl_rsrc_bulgarian.dll (resource win10v2004-20220812-en)
- behavioral29: pl_rsrc_chinese.dll (resource win7-20220812-en)
- behavioral30: pl_rsrc_chinese.dll (resource win10v2004-20220812-en)
- behavioral31: pl_rsrc_chinese_traditional.dll (resource win7-20220812-en)
- behavioral32: pl_rsrc_chinese_traditional.dll (resource win10v2004-20220812-en)
General

- Target: Process Lasso 11.1.1.26 #soft8 病毒 0 (111.10.14)/App/ProcessLasso/ProcessLassoLauncher.exe
- Size: 361KB
- MD5: f6704098023e4955a2978d8e52c7ca2c
- SHA1: 85abb6e05f5dd24b85224a8aa7085ed08ac4afa2
- SHA256: ff409cfff93b8fee19298093058b1d368097806faf772ca3298baa41c03863ab
- SHA512: 9f38b02eebf966b366749c6307ec4b6ee699a1f8192400691aa241bbb7523db2a54f503e2a397bae03ae524e30006cf4f42fb503bad5a6263b8c176c9bf5df1d
- SSDEEP: 3072:gRMGpueWlx0CvXBBFCPOsNkGYLsR1a9ILuGe7DBL+9/k7HoZ7WK7T1Cagou3xA:gRM6JWlxTHFC2uRYgR1t/7WGAfoh
Malware Config
Signatures

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | ProcessLassoLauncher.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | ProcessLasso.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ProcessLasso.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | processgovernor.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | processgovernor.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  1640 | ProcessLasso.exe (45 entries)
  712 | processgovernor.exe (19 entries)

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  712 | processgovernor.exe

- Suspicious use of AdjustPrivilegeToken (18 IoCs)
  description | pid | Process
  Token: SeAssignPrimaryTokenPrivilege | 1640 | ProcessLasso.exe
  Token: SeDebugPrivilege | 1640 | ProcessLasso.exe
  Token: SeChangeNotifyPrivilege | 1640 | ProcessLasso.exe
  Token: SeIncBasePriorityPrivilege | 1640 | ProcessLasso.exe
  Token: SeIncreaseQuotaPrivilege | 1640 | ProcessLasso.exe
  Token: SeCreateGlobalPrivilege | 1640 | ProcessLasso.exe
  Token: SeProfSingleProcessPrivilege | 1640 | ProcessLasso.exe
  Token: SeBackupPrivilege | 1640 | ProcessLasso.exe
  Token: SeRestorePrivilege | 1640 | ProcessLasso.exe
  Token: SeAssignPrimaryTokenPrivilege | 712 | processgovernor.exe
  Token: SeDebugPrivilege | 712 | processgovernor.exe
  Token: SeChangeNotifyPrivilege | 712 | processgovernor.exe
  Token: SeIncBasePriorityPrivilege | 712 | processgovernor.exe
  Token: SeIncreaseQuotaPrivilege | 712 | processgovernor.exe
  Token: SeProfSingleProcessPrivilege | 712 | processgovernor.exe
  Token: SeCreateGlobalPrivilege | 712 | processgovernor.exe
  Token: SeBackupPrivilege | 712 | processgovernor.exe
  Token: SeRestorePrivilege | 712 | processgovernor.exe

- Suspicious use of FindShellTrayWindow (64 IoCs)
  pid | Process
  1640 | ProcessLasso.exe (64 entries)

- Suspicious use of SendNotifyMessage (64 IoCs)
  pid | Process
  1640 | ProcessLasso.exe (64 entries)

- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 4968 wrote to memory of 1640 | 4968 | ProcessLassoLauncher.exe | 84 (3 entries)
  PID 1640 wrote to memory of 712 | 1640 | ProcessLasso.exe | 90 (3 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\Process Lasso 11.1.1.26 #soft8 病毒 0 (111.10.14)\App\ProcessLasso\ProcessLassoLauncher.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Process Lasso 11.1.1.26 #soft8 病毒 0 (111.10.14)\App\ProcessLasso\ProcessLassoLauncher.exe"
   PID: 4968
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\Process Lasso 11.1.1.26 #soft8 病毒 0 (111.10.14)\App\ProcessLasso\ProcessLasso.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Process Lasso 11.1.1.26 #soft8 病毒 0 (111.10.14)\App\ProcessLasso\ProcessLasso.exe" "C:\Users\Admin\AppData\Local\Temp\Process Lasso 11.1.1.26 #soft8 病毒 0 (111.10.14)\App\ProcessLasso\ProcessLassoLauncher.exe"
      PID: 1640
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\Process Lasso 11.1.1.26 #soft8 病毒 0 (111.10.14)\App\ProcessLasso\processgovernor.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\Process Lasso 11.1.1.26 #soft8 病毒 0 (111.10.14)\App\ProcessLasso\processgovernor.exe"
         PID: 712
         - Checks processor information in registry
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 7KB
  MD5: 736f41d2f35e6848cec5f81a083c32cf
  SHA1: de983b61b0e002f0ae3d7a1e0fd1e7d66e287b15
  SHA256: cc92b1ffc62962e1e8267a47df08f5817df148be90a20e984e87ccabf67b2ca9
  SHA512: fd7ea4b7fd497d3052521bb20b92aed29c1317a33119f56627d37d3d29b9c016a66794893db22fe8952568dd98d58306734e5e03ccb5e88186d505b4098f2c92

- Filesize: 1KB
  MD5: 7ebc3109d09c55c435654d942240245c
  SHA1: 802a33746d8e01085bf0a4d913bea3e0571f274a
  SHA256: f760c208b6f794174ddc0f8ed8ac8ee8dde615f7db5d881db5b2036b31e30d53
  SHA512: 0e696a2804a37e6f0016a2b78ec8c52ccbcdb2ef4f53502aea5519ef9659073b251d9d311e8f41ad9e51caf6d36645b7c1ed19af9bea1c4a2f9f102bf8d03ad1