64929a535c0745e37e4952f82a4a383d7a5dd13b9fbd31c8979378959169594f

Analysis

max time kernel
166s
max time network
56s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/10/2022, 22:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64929a535c0745e37e4952f82a4a383d7a5dd13b9fbd31c8979378959169594f.exe
Size

47KB
MD5

90aecba4ccafea3fccecaea76b579260
SHA1

9cbcd1f4f2ded454d3dd7a925b357a6c1976079d
SHA256

64929a535c0745e37e4952f82a4a383d7a5dd13b9fbd31c8979378959169594f
SHA512

6cdb1ff552f9100b53b12522bd15dd3414bbd36fdd2b6d348d4368f7ff89a35167c2945ff0fe49983a335a00e5f411d74ae2d877692bc79f97e897b9ff3c920e
SSDEEP

768:V9XQtkO8Zxuq43gxre8fvT/g+rLNljZOWvSq49tUtlE2japO0fUWaqDHBV70c4KJ:VdSE75xre8fvT/fPjZOW6162Mp07uy7f

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1220	lsass.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe	64929a535c0745e37e4952f82a4a383d7a5dd13b9fbd31c8979378959169594f.exe

Loads dropped DLL 2 IoCs

pid	Process
1076	64929a535c0745e37e4952f82a4a383d7a5dd13b9fbd31c8979378959169594f.exe
1076	64929a535c0745e37e4952f82a4a383d7a5dd13b9fbd31c8979378959169594f.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1296	Process not Found
1296	Process not Found

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
1220	lsass.exe
1412	explorer.exe
1296	Process not Found
1296	Process not Found

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1076	64929a535c0745e37e4952f82a4a383d7a5dd13b9fbd31c8979378959169594f.exe
Token: SeDebugPrivilege	1220	lsass.exe
Token: SeDebugPrivilege	1296	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1296	Process not Found
1296	Process not Found

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1296	Process not Found
1296	Process not Found

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 1220	1076	64929a535c0745e37e4952f82a4a383d7a5dd13b9fbd31c8979378959169594f.exe	27
PID 1076 wrote to memory of 1220	1076	64929a535c0745e37e4952f82a4a383d7a5dd13b9fbd31c8979378959169594f.exe	27
PID 1076 wrote to memory of 1220	1076	64929a535c0745e37e4952f82a4a383d7a5dd13b9fbd31c8979378959169594f.exe	27
PID 1076 wrote to memory of 1220	1076	64929a535c0745e37e4952f82a4a383d7a5dd13b9fbd31c8979378959169594f.exe	27
PID 1220 wrote to memory of 1412	1220	lsass.exe	28
PID 1220 wrote to memory of 1412	1220	lsass.exe	28
PID 1220 wrote to memory of 1412	1220	lsass.exe	28
PID 1220 wrote to memory of 1412	1220	lsass.exe	28

C:\Users\Admin\AppData\Local\Temp\64929a535c0745e37e4952f82a4a383d7a5dd13b9fbd31c8979378959169594f.exe
"C:\Users\Admin\AppData\Local\Temp\64929a535c0745e37e4952f82a4a383d7a5dd13b9fbd31c8979378959169594f.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1220
- - C:\Windows\explorer.exe
    C:\Windows\explorer.exe
    3⤵
    - Suspicious behavior: MapViewOfSection
    PID:1412

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe

Filesize
47KB

MD5
90aecba4ccafea3fccecaea76b579260

SHA1
9cbcd1f4f2ded454d3dd7a925b357a6c1976079d

SHA256
64929a535c0745e37e4952f82a4a383d7a5dd13b9fbd31c8979378959169594f

SHA512
6cdb1ff552f9100b53b12522bd15dd3414bbd36fdd2b6d348d4368f7ff89a35167c2945ff0fe49983a335a00e5f411d74ae2d877692bc79f97e897b9ff3c920e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe

Filesize
47KB

MD5
90aecba4ccafea3fccecaea76b579260

SHA1
9cbcd1f4f2ded454d3dd7a925b357a6c1976079d

SHA256
64929a535c0745e37e4952f82a4a383d7a5dd13b9fbd31c8979378959169594f

SHA512
6cdb1ff552f9100b53b12522bd15dd3414bbd36fdd2b6d348d4368f7ff89a35167c2945ff0fe49983a335a00e5f411d74ae2d877692bc79f97e897b9ff3c920e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe

Filesize
47KB

MD5
90aecba4ccafea3fccecaea76b579260

SHA1
9cbcd1f4f2ded454d3dd7a925b357a6c1976079d

SHA256
64929a535c0745e37e4952f82a4a383d7a5dd13b9fbd31c8979378959169594f

SHA512
6cdb1ff552f9100b53b12522bd15dd3414bbd36fdd2b6d348d4368f7ff89a35167c2945ff0fe49983a335a00e5f411d74ae2d877692bc79f97e897b9ff3c920e

Download Submit
memory/1076-54-0x0000000075141000-0x0000000075143000-memory.dmp

Filesize
8KB

Download
memory/1140-65-0x0000000000410000-0x0000000000437000-memory.dmp

Filesize
156KB

Download
memory/1220-61-0x0000000000190000-0x00000000001B7000-memory.dmp

Filesize
156KB

Download
memory/1240-66-0x0000000001CE0000-0x0000000001D07000-memory.dmp

Filesize
156KB

Download
memory/1296-63-0x00000000029D0000-0x00000000029F7000-memory.dmp

Filesize
156KB

Download
memory/1296-64-0x0000000002A00000-0x0000000002A12000-memory.dmp

Filesize
72KB

Download
memory/1412-62-0x0000000000060000-0x0000000000087000-memory.dmp

Filesize
156KB

Download