Analysis

  • max time kernel
    150s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-10-2022 14:47

General

  • Target

    Process Lasso 11.1.1.26 #soft8 病毒 0 (111.10.14)/App/ProcessLasso/pl.cmd

  • Size

    77B

  • MD5

    aa54d58336d2565c369498d035737f8a

  • SHA1

    c6a8791264081a6f854b30ac11477bdd83a8cbee

  • SHA256

    9af8add66b2bb4a0252b65e0f13238055b601d689e8d29455d5b2c87f901fd7b

  • SHA512

    82d9eeab7cb95f012b55d531ba7af84546be650702f40ca294c74858eca5eadc0ed7a87bc65122df4093e483dffe1e04e306845871955b2dc4f5113f1cf34838

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox describes this as likely ransomware behaviour, but that is the signature's generic text: in this run the only files written are a config .ini and a .log (see Downloads), so the drive enumeration should be weighed against the rest of the process tree rather than read as ransomware on its own.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Process Lasso 11.1.1.26 #soft8 病毒 0 (111.10.14)\App\ProcessLasso\pl.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3672
    • C:\Users\Admin\AppData\Local\Temp\Process Lasso 11.1.1.26 #soft8 病毒 0 (111.10.14)\App\ProcessLasso\InstallHelper.exe
      InstallHelper.exe /terminate
      2⤵
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3236
      • C:\Users\Admin\AppData\Local\Temp\Process Lasso 11.1.1.26 #soft8 病毒 0 (111.10.14)\App\ProcessLasso\bitsumms.exe
        "C:\Users\Admin\AppData\Local\Temp\Process Lasso 11.1.1.26 #soft8 病毒 0 (111.10.14)\App\ProcessLasso\bitsumms.exe" /name:ProcessGovernor /stop
        3⤵
          PID:4452
      • C:\Users\Admin\AppData\Local\Temp\Process Lasso 11.1.1.26 #soft8 病毒 0 (111.10.14)\App\ProcessLasso\ProcessLassoLauncher.exe
        ProcessLassoLauncher.exe /showwindow
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2320
        • C:\Users\Admin\AppData\Local\Temp\Process Lasso 11.1.1.26 #soft8 病毒 0 (111.10.14)\App\ProcessLasso\ProcessLasso.exe
          "C:\Users\Admin\AppData\Local\Temp\Process Lasso 11.1.1.26 #soft8 病毒 0 (111.10.14)\App\ProcessLasso\ProcessLasso.exe" "ProcessLassoLauncher.exe" "/showwindow"
          3⤵
          • Executes dropped EXE
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:4948
          • C:\Users\Admin\AppData\Local\Temp\Process Lasso 11.1.1.26 #soft8 病毒 0 (111.10.14)\App\ProcessLasso\processgovernor.exe
            "C:\Users\Admin\AppData\Local\Temp\Process Lasso 11.1.1.26 #soft8 病毒 0 (111.10.14)\App\ProcessLasso\processgovernor.exe"
            4⤵
            • Checks processor information in registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:4684
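The process tree above is easier to reason about once it is reconstructed as parent/child lineage: every child of cmd.exe in this run executes from the sample's extraction directory under %LOCALAPPDATA%\Temp, and the per-process signature tags can be counted instead of eyeballed. The following script is an added example, not part of the sandbox report or of Process Lasso; the PIDs, image paths, command lines and signature tags are transcribed from the Processes section, while the `Proc` record, the `TEMP` prefix and the function names are this example's own assumptions.

```python
"""Rebuild parent/child lineage from a sandbox process tree and flag
executables launched from a user-writable temp directory.

Added example; the process list is transcribed from the report's
Processes section (depth markers give the parent PIDs)."""
import ntpath
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Working directory the sandbox extracted the sample into (as shown in the report).
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_DIR = TEMP + r"\Process Lasso 11.1.1.26 #soft8 病毒 0 (111.10.14)\App\ProcessLasso"


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]          # None for the root of the tree
    image: str
    cmdline: str
    signatures: Tuple[str, ...] = ()


# Transcribed from the report; PID 3672 (cmd.exe) is the root.
PROCESSES: List[Proc] = [
    Proc(3672, None, r"C:\Windows\system32\cmd.exe",
         f'C:\\Windows\\system32\\cmd.exe /c "{SAMPLE_DIR}\\pl.cmd"',
         ("Suspicious use of WriteProcessMemory",)),
    Proc(3236, 3672, SAMPLE_DIR + r"\InstallHelper.exe", "InstallHelper.exe /terminate",
         ("Checks processor information in registry",
          "Suspicious behavior: EnumeratesProcesses",
          "Suspicious use of AdjustPrivilegeToken",
          "Suspicious use of WriteProcessMemory")),
    Proc(4452, 3236, SAMPLE_DIR + r"\bitsumms.exe",
         f'"{SAMPLE_DIR}\\bitsumms.exe" /name:ProcessGovernor /stop'),
    Proc(2320, 3672, SAMPLE_DIR + r"\ProcessLassoLauncher.exe",
         "ProcessLassoLauncher.exe /showwindow",
         ("Suspicious use of WriteProcessMemory",)),
    Proc(4948, 2320, SAMPLE_DIR + r"\ProcessLasso.exe",
         f'"{SAMPLE_DIR}\\ProcessLasso.exe" "ProcessLassoLauncher.exe" "/showwindow"',
         ("Executes dropped EXE",
          "Checks processor information in registry",
          "Suspicious behavior: EnumeratesProcesses",
          "Suspicious behavior: GetForegroundWindowSpam",
          "Suspicious use of AdjustPrivilegeToken",
          "Suspicious use of FindShellTrayWindow",
          "Suspicious use of SendNotifyMessage",
          "Suspicious use of WriteProcessMemory")),
    Proc(4684, 4948, SAMPLE_DIR + r"\processgovernor.exe",
         f'"{SAMPLE_DIR}\\processgovernor.exe"',
         ("Checks processor information in registry",
          "Suspicious behavior: EnumeratesProcesses",
          "Suspicious behavior: GetForegroundWindowSpam",
          "Suspicious use of AdjustPrivilegeToken")),
]

BY_PID: Dict[int, Proc] = {p.pid: p for p in PROCESSES}


def lineage(pid: int) -> List[str]:
    """Image basenames from the tree root down to `pid`."""
    chain: List[str] = []
    cur: Optional[int] = pid
    while cur is not None:
        proc = BY_PID[cur]
        chain.append(ntpath.basename(proc.image))
        cur = proc.ppid
    return list(reversed(chain))


def depth(pid: int) -> int:
    """Tree depth as the report numbers it (root cmd.exe is depth 1)."""
    return len(lineage(pid))


def launched_from_temp() -> List[int]:
    """PIDs whose image lives under the user temp directory (case-insensitive)."""
    prefix = TEMP.lower() + "\\"
    return sorted(p.pid for p in PROCESSES if p.image.lower().startswith(prefix))


def signature_counts() -> Dict[str, int]:
    """How many processes in the tree carry each sandbox signature tag."""
    return dict(Counter(sig for p in PROCESSES for sig in p.signatures))


if __name__ == "__main__":
    for p in PROCESSES:
        print(f"{depth(p.pid)}  {p.pid:>5}  {' > '.join(lineage(p.pid))}")
    print("launched from temp:", launched_from_temp())
    for sig, n in sorted(signature_counts().items(), key=lambda kv: -kv[1]):
        print(f"{n}  {sig}")
```

The temp-path check is the part worth keeping as a detection idea: a signed process manager launching its own helper binaries from a user-writable Temp directory is expected for a portable install, but the same lineage (cmd.exe spawning several EXEs out of %LOCALAPPDATA%\Temp) is what a malicious dropper looks like, so the tree should be judged on what those children then do rather than on the path alone.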

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Local\ProcessLasso\config\prolasso.ini

      Filesize

      7KB

      MD5

      736f41d2f35e6848cec5f81a083c32cf

      SHA1

      de983b61b0e002f0ae3d7a1e0fd1e7d66e287b15

      SHA256

      cc92b1ffc62962e1e8267a47df08f5817df148be90a20e984e87ccabf67b2ca9

      SHA512

      fd7ea4b7fd497d3052521bb20b92aed29c1317a33119f56627d37d3d29b9c016a66794893db22fe8952568dd98d58306734e5e03ccb5e88186d505b4098f2c92

    • C:\Users\Admin\AppData\Local\ProcessLasso\logs\processlasso.log

      Filesize

      1KB

      MD5

      6b9bdfab657b837796e8c892b1bce481

      SHA1

      926935f6e0e0dbbd622790a0fc4d6db50092fd87

      SHA256

      6979eab9488ff4f067cbdf5788ec17790ff0ef27624b57466354d1725c8c2bc1

      SHA512

      253706c7926e6f24bfd8e4858f12f6bb7e393d86fac5874904f7a34952f606c554b66a32e6cf5e66d3c4e92bfcb178f6cdc1e8ad760ad7007aa92480f502536c

    • C:\Users\Admin\AppData\Local\Temp\Process Lasso 11.1.1.26 #soft8 病毒 0 (111.10.14)\App\ProcessLasso\ProcessLasso.exe

      Filesize

      1.5MB

      MD5

      a61b53c263109b46baba47fc47a91889

      SHA1

      9b78e6b39051e9573367de084724eb16984bc291

      SHA256

      b10f6f81b153bce13fe126e23989aec9b632d8b44699b29797230b00b22c2bf6

      SHA512

      0f936631fc31dfa9086bf832d79cf96b56385ab0ddcbfc9b3b7d6c544daec04e8567b903644fe5a89c0f9dae7d17081e995c5df11deacee7e2fe1bd72793b4de

    • memory/2320-134-0x0000000000000000-mapping.dmp

    • memory/3236-132-0x0000000000000000-mapping.dmp

    • memory/4452-133-0x0000000000000000-mapping.dmp

    • memory/4684-137-0x0000000000000000-mapping.dmp

    • memory/4948-135-0x0000000000000000-mapping.dmp