c186a3eedefd429f850a34287cee4504f3818549be701a53e2574ed1e13a529c

General

Target

c186a3eedefd429f850a34287cee4504f3818549be701a53e2574ed1e13a529c.exe
Size

412KB
MD5

554b5fcbc2ead0aa00d2a0026be825d0
SHA1

4238f35d21b27ba86a71cf672f3e472948999b1e
SHA256

c186a3eedefd429f850a34287cee4504f3818549be701a53e2574ed1e13a529c
SHA512

12f17193933a7dcecae48da957d17f6514c412a866f884483d86369cbfba55368fc0f1b907b11c01e84f2d5287d7b785a0a4da1f20582b3689e1500b741a6477
SSDEEP

6144:TzASNI9UuWoxdqLaFHAyq/0FR7RthyKU/l7kKBI1HaYVfdyJefiQyY8yzAS:Ptc9RxMIHAkhyKyVkKB0HaXY3

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\lsass.exe	c186a3eedefd429f850a34287cee4504f3818549be701a53e2574ed1e13a529c.exe
File created	C:\Windows\SysWOW64\drivers\lsass.exe	lsass.exe

Executes dropped EXE 2 IoCs

pid	Process
1612	lsass.exe
1768	c186a3eedefd429f850a34287cee4504f3818549be701a53e2574ed1e13a529c.~tmp

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif	lsass.exe

Loads dropped DLL 3 IoCs

pid	Process
1672	c186a3eedefd429f850a34287cee4504f3818549be701a53e2574ed1e13a529c.exe
1672	c186a3eedefd429f850a34287cee4504f3818549be701a53e2574ed1e13a529c.exe
1672	c186a3eedefd429f850a34287cee4504f3818549be701a53e2574ed1e13a529c.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	lsass.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1672	c186a3eedefd429f850a34287cee4504f3818549be701a53e2574ed1e13a529c.exe
1672	c186a3eedefd429f850a34287cee4504f3818549be701a53e2574ed1e13a529c.exe
1612	lsass.exe
1612	lsass.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 1612	1672	c186a3eedefd429f850a34287cee4504f3818549be701a53e2574ed1e13a529c.exe	27
PID 1672 wrote to memory of 1612	1672	c186a3eedefd429f850a34287cee4504f3818549be701a53e2574ed1e13a529c.exe	27
PID 1672 wrote to memory of 1612	1672	c186a3eedefd429f850a34287cee4504f3818549be701a53e2574ed1e13a529c.exe	27
PID 1672 wrote to memory of 1612	1672	c186a3eedefd429f850a34287cee4504f3818549be701a53e2574ed1e13a529c.exe	27
PID 1672 wrote to memory of 1768	1672	c186a3eedefd429f850a34287cee4504f3818549be701a53e2574ed1e13a529c.exe	28
PID 1672 wrote to memory of 1768	1672	c186a3eedefd429f850a34287cee4504f3818549be701a53e2574ed1e13a529c.exe	28
PID 1672 wrote to memory of 1768	1672	c186a3eedefd429f850a34287cee4504f3818549be701a53e2574ed1e13a529c.exe	28
PID 1672 wrote to memory of 1768	1672	c186a3eedefd429f850a34287cee4504f3818549be701a53e2574ed1e13a529c.exe	28
PID 1672 wrote to memory of 1768	1672	c186a3eedefd429f850a34287cee4504f3818549be701a53e2574ed1e13a529c.exe	28
PID 1672 wrote to memory of 1768	1672	c186a3eedefd429f850a34287cee4504f3818549be701a53e2574ed1e13a529c.exe	28
PID 1672 wrote to memory of 1768	1672	c186a3eedefd429f850a34287cee4504f3818549be701a53e2574ed1e13a529c.exe	28

C:\Users\Admin\AppData\Local\Temp\c186a3eedefd429f850a34287cee4504f3818549be701a53e2574ed1e13a529c.exe
"C:\Users\Admin\AppData\Local\Temp\c186a3eedefd429f850a34287cee4504f3818549be701a53e2574ed1e13a529c.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\SysWOW64\drivers\lsass.exe
  "C:\Windows\system32\drivers\lsass.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops startup file
  - Enumerates connected drives
  - Suspicious use of SetWindowsHookEx
  PID:1612
- C:\Users\Admin\AppData\Local\Temp\c186a3eedefd429f850a34287cee4504f3818549be701a53e2574ed1e13a529c.~tmp
  "C:\Users\Admin\AppData\Local\Temp\c186a3eedefd429f850a34287cee4504f3818549be701a53e2574ed1e13a529c.~tmp "
  2⤵
  - Executes dropped EXE
  PID:1768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c186a3eedefd429f850a34287cee4504f3818549be701a53e2574ed1e13a529c.~tmp

Filesize
348KB

MD5
8b35018697829325b0d60573e65498ad

SHA1
c3619cbb436741aef57ae0cff9541e30ed259854

SHA256
85141c647d4898666d378a69e2a2b62982f4640b32619997b48267beb90124c6

SHA512
39c416d2fbb3927f618e03dffa70d52d6425d86b7227a4dcbc38d5fff3b511405dde0b1a4ded7064d6fec6137df804f71a69d53b5e152e58ceed53d179289c03

Download Submit
C:\Windows\SysWOW64\drivers\lsass.exe

Filesize
32KB

MD5
669ffd1dd6fb7a0e4ddbc3ad3b76507b

SHA1
372820d6b9350ad629a489d49876d8bd422b8f31

SHA256
7dc487e762e55ffa601480c4bc7948f85fcd4f025665ff599060ec1f81d7e986

SHA512
cd69694ad3316c768dbe0d1514060870568c67a50785b38d402eb16e94740c5ae351eb6d47284630a2505fac50c9777bedef85608571c85385b1b9c1f12d73f5

Download Submit
C:\Windows\SysWOW64\drivers\lsass.exe

Filesize
32KB

MD5
669ffd1dd6fb7a0e4ddbc3ad3b76507b

SHA1
372820d6b9350ad629a489d49876d8bd422b8f31

SHA256
7dc487e762e55ffa601480c4bc7948f85fcd4f025665ff599060ec1f81d7e986

SHA512
cd69694ad3316c768dbe0d1514060870568c67a50785b38d402eb16e94740c5ae351eb6d47284630a2505fac50c9777bedef85608571c85385b1b9c1f12d73f5

Download Submit
\Users\Admin\AppData\Local\Temp\c186a3eedefd429f850a34287cee4504f3818549be701a53e2574ed1e13a529c.~tmp

Filesize
348KB

MD5
8b35018697829325b0d60573e65498ad

SHA1
c3619cbb436741aef57ae0cff9541e30ed259854

SHA256
85141c647d4898666d378a69e2a2b62982f4640b32619997b48267beb90124c6

SHA512
39c416d2fbb3927f618e03dffa70d52d6425d86b7227a4dcbc38d5fff3b511405dde0b1a4ded7064d6fec6137df804f71a69d53b5e152e58ceed53d179289c03

Download Submit
\Windows\SysWOW64\drivers\lsass.exe

Filesize
32KB

MD5
669ffd1dd6fb7a0e4ddbc3ad3b76507b

SHA1
372820d6b9350ad629a489d49876d8bd422b8f31

SHA256
7dc487e762e55ffa601480c4bc7948f85fcd4f025665ff599060ec1f81d7e986

SHA512
cd69694ad3316c768dbe0d1514060870568c67a50785b38d402eb16e94740c5ae351eb6d47284630a2505fac50c9777bedef85608571c85385b1b9c1f12d73f5

Download Submit
\Windows\SysWOW64\drivers\lsass.exe

Filesize
32KB

MD5
669ffd1dd6fb7a0e4ddbc3ad3b76507b

SHA1
372820d6b9350ad629a489d49876d8bd422b8f31

SHA256
7dc487e762e55ffa601480c4bc7948f85fcd4f025665ff599060ec1f81d7e986

SHA512
cd69694ad3316c768dbe0d1514060870568c67a50785b38d402eb16e94740c5ae351eb6d47284630a2505fac50c9777bedef85608571c85385b1b9c1f12d73f5

Download Submit
memory/1672-54-0x0000000075201000-0x0000000075203000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing