Analysis
-
max time kernel
24s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64  arch:x86  image:win10v2004-20220812-en  locale:en-us  os:windows10-2004-x64  system -
submitted
19/10/2022, 22:42
Static task
static1
Behavioral task
behavioral1
Sample
64929a535c0745e37e4952f82a4a383d7a5dd13b9fbd31c8979378959169594f.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
64929a535c0745e37e4952f82a4a383d7a5dd13b9fbd31c8979378959169594f.exe
Resource
win10v2004-20220812-en
General
-
Target
64929a535c0745e37e4952f82a4a383d7a5dd13b9fbd31c8979378959169594f.exe
-
Size
47KB
-
MD5
90aecba4ccafea3fccecaea76b579260
-
SHA1
9cbcd1f4f2ded454d3dd7a925b357a6c1976079d
-
SHA256
64929a535c0745e37e4952f82a4a383d7a5dd13b9fbd31c8979378959169594f
-
SHA512
6cdb1ff552f9100b53b12522bd15dd3414bbd36fdd2b6d348d4368f7ff89a35167c2945ff0fe49983a335a00e5f411d74ae2d877692bc79f97e897b9ff3c920e
-
SSDEEP
768:V9XQtkO8Zxuq43gxre8fvT/g+rLNljZOWvSq49tUtlE2japO0fUWaqDHBV70c4KJ:VdSE75xre8fvT/fPjZOW6162Mp07uy7f
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
pid    Process
4856   lsass.exe
-
Drops startup file (1 IoC)
description    ioc                                                                                      Process
File created   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe   64929a535c0745e37e4952f82a4a383d7a5dd13b9fbd31c8979378959169594f.exe
-
Suspicious behavior: MapViewOfSection (2 IoCs)
pid    Process
4856   lsass.exe
4936   explorer.exe
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description               pid    Process
Token: SeDebugPrivilege   524    64929a535c0745e37e4952f82a4a383d7a5dd13b9fbd31c8979378959169594f.exe
Token: SeDebugPrivilege   4856   lsass.exe
Token: SeDebugPrivilege   600    Process not Found
-
Suspicious use of WriteProcessMemory (5 IoCs)
description                        pid    Process                                                                 procid_target
PID 524 wrote to memory of 4856    524    64929a535c0745e37e4952f82a4a383d7a5dd13b9fbd31c8979378959169594f.exe   81
PID 524 wrote to memory of 4856    524    64929a535c0745e37e4952f82a4a383d7a5dd13b9fbd31c8979378959169594f.exe   81
PID 524 wrote to memory of 4856    524    64929a535c0745e37e4952f82a4a383d7a5dd13b9fbd31c8979378959169594f.exe   81
PID 4856 wrote to memory of 4936   4856   lsass.exe                                                               82
PID 4856 wrote to memory of 4936   4856   lsass.exe                                                               82
Processes
-
C:\Users\Admin\AppData\Local\Temp\64929a535c0745e37e4952f82a4a383d7a5dd13b9fbd31c8979378959169594f.exe  (depth 1, root of the tree)
  Command line: "C:\Users\Admin\AppData\Local\Temp\64929a535c0745e37e4952f82a4a383d7a5dd13b9fbd31c8979378959169594f.exe"
  PID: 524
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe  (depth 2, child of PID 524)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe"
    PID: 4856
    - Executes dropped EXE
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\explorer.exe  (depth 3, child of PID 4856)
      Command line: C:\Windows\explorer.exe
      PID: 4936
      - Suspicious behavior: MapViewOfSection
-
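The signatures and the process tree above describe one chain: the sample enables SeDebugPrivilege, drops a file named lsass.exe (the name of the Windows Local Security Authority process, which legitimately runs only from C:\Windows\System32) into the user's Startup folder, executes that copy, and the copy then writes into and maps sections in explorer.exe, the shape of process injection. The Python below is an added example, not part of the sandbox report or of the sample's code: it encodes those behaviours as four narrow detection rules and runs them over constructed Sysmon-style events modelled on the report. The event schema, its field names, the EXPECTED_PATH allowlist and the "trusted root" heuristic are assumptions made for the example.

```python
"""Detection rules for the behaviours in the report above, run over
constructed Sysmon-style events (assumed schema; not any vendor's format)."""
import ntpath
from dataclasses import dataclass

# Well-known Windows image names and the only path each should run from.
# Assumed allowlist for this example; a real deployment would extend it.
EXPECTED_PATH = {
    "lsass.exe": "c:\\windows\\system32\\lsass.exe",
    "explorer.exe": "c:\\windows\\explorer.exe",
    "svchost.exe": "c:\\windows\\system32\\svchost.exe",
}
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"
EXEC_EXT = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".lnk"}
TRUSTED_ROOT = "c:\\windows\\"  # assumption: user-land binaries should not need SeDebugPrivilege


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def _norm(path: str) -> str:
    """Lower-case and strip surrounding quotes so path comparisons are stable."""
    return path.strip('"').lower()


def check_masquerade(ev):
    """A system binary name launched from anywhere but its canonical path."""
    image = _norm(ev["image"])
    want = EXPECTED_PATH.get(ntpath.basename(image))
    if want and image != want:
        return Finding("masquerading_system_binary", ev["pid"], f"{image} (expected {want})")
    return None


def check_startup_drop(ev):
    """An executable written into a per-user or all-users Startup folder."""
    target = _norm(ev["target"])
    if STARTUP_MARKER in target and ntpath.splitext(target)[1] in EXEC_EXT:
        return Finding("startup_folder_persistence", ev["pid"], target)
    return None


def check_debug_privilege(ev):
    """SeDebugPrivilege enabled by a process running outside the Windows directory."""
    if ev["privilege"] == "SeDebugPrivilege" and not _norm(ev["image"]).startswith(TRUSTED_ROOT):
        return Finding("unexpected_sedebugprivilege", ev["pid"], _norm(ev["image"]))
    return None


def check_cross_process_write(ev):
    """WriteProcessMemory into a different process: the staple of injection/hollowing."""
    if ev["target_pid"] != ev["pid"]:
        return Finding("cross_process_write", ev["pid"],
                       f"-> pid {ev['target_pid']} {_norm(ev['target_image'])}")
    return None


CHECKS = {
    "ProcessCreate": check_masquerade,
    "FileCreate": check_startup_drop,
    "PrivilegeAdjust": check_debug_privilege,
    "WriteProcessMemory": check_cross_process_write,
}


def detect(events):
    """Apply the rule matching each event type; return findings in event order."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev["event"])
        hit = check(ev) if check else None
        if hit:
            findings.append(hit)
    return findings


def lineage(events, pid):
    """Follow ProcessCreate parent links back to the root; returns root-first pids."""
    parents = {ev["pid"]: ev["parent_pid"] for ev in events if ev["event"] == "ProcessCreate"}
    chain = [pid]
    while chain[-1] in parents and parents[chain[-1]] in parents:
        chain.append(parents[chain[-1]])
    return chain[::-1]


# Constructed events mirroring the report's process tree and signatures (not real telemetry).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\64929a535c0745e37e4952f82a4a383d7a5dd13b9fbd31c8979378959169594f.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe"
EXPLORER = r"C:\Windows\explorer.exe"
EVENTS = [
    {"event": "ProcessCreate", "pid": 524, "parent_pid": 0, "image": SAMPLE},
    {"event": "PrivilegeAdjust", "pid": 524, "image": SAMPLE, "privilege": "SeDebugPrivilege"},
    {"event": "FileCreate", "pid": 524, "image": SAMPLE, "target": DROPPED},
    {"event": "ProcessCreate", "pid": 4856, "parent_pid": 524, "image": DROPPED},
    {"event": "WriteProcessMemory", "pid": 524, "image": SAMPLE, "target_pid": 4856, "target_image": DROPPED},
    {"event": "PrivilegeAdjust", "pid": 4856, "image": DROPPED, "privilege": "SeDebugPrivilege"},
    {"event": "ProcessCreate", "pid": 4936, "parent_pid": 4856, "image": EXPLORER},
    {"event": "WriteProcessMemory", "pid": 4856, "image": DROPPED, "target_pid": 4936, "target_image": EXPLORER},
    # Benign control: the genuine LSASS in System32 must not trip any rule.
    {"event": "ProcessCreate", "pid": 700, "parent_pid": 4, "image": r"C:\Windows\System32\lsass.exe"},
    {"event": "PrivilegeAdjust", "pid": 700, "image": r"C:\Windows\System32\lsass.exe", "privilege": "SeDebugPrivilege"},
]

if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f.rule:28} pid={f.pid:<5} {f.detail}")
    print("lineage of explorer.exe:", " -> ".join(map(str, lineage(EVENTS, 4936))))
```

The discriminator for the masquerade rule is the full path, not the image name: the control event for the real C:\Windows\System32\lsass.exe produces no finding, while the Startup-folder copy does. The cross-process write rule fires on both hops in the report (sample into the dropped lsass.exe, dropped lsass.exe into explorer.exe), which together with the MapViewOfSection signature is what an analyst would treat as injection rather than ordinary child-process creation. The "Process not Found" entry for PID 600 in the report is left out of the constructed events because the sandbox could not resolve that process image, so nothing reliable can be asserted about it.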
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize   47KB
MD5        90aecba4ccafea3fccecaea76b579260
SHA1       9cbcd1f4f2ded454d3dd7a925b357a6c1976079d
SHA256     64929a535c0745e37e4952f82a4a383d7a5dd13b9fbd31c8979378959169594f
SHA512     6cdb1ff552f9100b53b12522bd15dd3414bbd36fdd2b6d348d4368f7ff89a35167c2945ff0fe49983a335a00e5f411d74ae2d877692bc79f97e897b9ff3c920e
-
Filesize   47KB
MD5        90aecba4ccafea3fccecaea76b579260
SHA1       9cbcd1f4f2ded454d3dd7a925b357a6c1976079d
SHA256     64929a535c0745e37e4952f82a4a383d7a5dd13b9fbd31c8979378959169594f
SHA512     6cdb1ff552f9100b53b12522bd15dd3414bbd36fdd2b6d348d4368f7ff89a35167c2945ff0fe49983a335a00e5f411d74ae2d877692bc79f97e897b9ff3c920e