661f0c82d9563217df5c786ed945744481d404411c2f1d4e025b68a439ee700e

General

Target

661f0c82d9563217df5c786ed945744481d404411c2f1d4e025b68a439ee700e.exe
Size

152KB
MD5

90e31939c16d7f4a491c682d43f64f00
SHA1

728372c8bcc98cbc75c0bff2df98fc2be526f1af
SHA256

661f0c82d9563217df5c786ed945744481d404411c2f1d4e025b68a439ee700e
SHA512

d80e0e95db706a70a118e7d3e791e819c4a5c889421769ffb5f083995e4c745b0d1ed95afa63d9f6b0bf4a602802df73652d82691be42df1d04f6bf40d7da17e
SSDEEP

3072:T4SAR8Ncw8bgKZh1JN1tysP68C4SAR8N:TzAScw8bgKZh/N1tysPXCzAS

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\lsass.exe	661f0c82d9563217df5c786ed945744481d404411c2f1d4e025b68a439ee700e.exe
File created	C:\Windows\SysWOW64\drivers\lsass.exe	lsass.exe

Executes dropped EXE 2 IoCs

pid	Process
912	lsass.exe
856	661f0c82d9563217df5c786ed945744481d404411c2f1d4e025b68a439ee700e.~tmp

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif	lsass.exe

Loads dropped DLL 3 IoCs

pid	Process
1112	661f0c82d9563217df5c786ed945744481d404411c2f1d4e025b68a439ee700e.exe
1112	661f0c82d9563217df5c786ed945744481d404411c2f1d4e025b68a439ee700e.exe
1112	661f0c82d9563217df5c786ed945744481d404411c2f1d4e025b68a439ee700e.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	lsass.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	661f0c82d9563217df5c786ed945744481d404411c2f1d4e025b68a439ee700e.~tmp

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1112	661f0c82d9563217df5c786ed945744481d404411c2f1d4e025b68a439ee700e.exe
1112	661f0c82d9563217df5c786ed945744481d404411c2f1d4e025b68a439ee700e.exe
912	lsass.exe
912	lsass.exe
856	661f0c82d9563217df5c786ed945744481d404411c2f1d4e025b68a439ee700e.~tmp
856	661f0c82d9563217df5c786ed945744481d404411c2f1d4e025b68a439ee700e.~tmp

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 912	1112	661f0c82d9563217df5c786ed945744481d404411c2f1d4e025b68a439ee700e.exe	26
PID 1112 wrote to memory of 912	1112	661f0c82d9563217df5c786ed945744481d404411c2f1d4e025b68a439ee700e.exe	26
PID 1112 wrote to memory of 912	1112	661f0c82d9563217df5c786ed945744481d404411c2f1d4e025b68a439ee700e.exe	26
PID 1112 wrote to memory of 912	1112	661f0c82d9563217df5c786ed945744481d404411c2f1d4e025b68a439ee700e.exe	26
PID 1112 wrote to memory of 856	1112	661f0c82d9563217df5c786ed945744481d404411c2f1d4e025b68a439ee700e.exe	27
PID 1112 wrote to memory of 856	1112	661f0c82d9563217df5c786ed945744481d404411c2f1d4e025b68a439ee700e.exe	27
PID 1112 wrote to memory of 856	1112	661f0c82d9563217df5c786ed945744481d404411c2f1d4e025b68a439ee700e.exe	27
PID 1112 wrote to memory of 856	1112	661f0c82d9563217df5c786ed945744481d404411c2f1d4e025b68a439ee700e.exe	27

C:\Users\Admin\AppData\Local\Temp\661f0c82d9563217df5c786ed945744481d404411c2f1d4e025b68a439ee700e.exe
"C:\Users\Admin\AppData\Local\Temp\661f0c82d9563217df5c786ed945744481d404411c2f1d4e025b68a439ee700e.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Windows\SysWOW64\drivers\lsass.exe
  "C:\Windows\system32\drivers\lsass.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops startup file
  - Enumerates connected drives
  - Suspicious use of SetWindowsHookEx
  PID:912
- C:\Users\Admin\AppData\Local\Temp\661f0c82d9563217df5c786ed945744481d404411c2f1d4e025b68a439ee700e.~tmp
  "C:\Users\Admin\AppData\Local\Temp\661f0c82d9563217df5c786ed945744481d404411c2f1d4e025b68a439ee700e.~tmp "
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\661f0c82d9563217df5c786ed945744481d404411c2f1d4e025b68a439ee700e.~tmp

Filesize
88KB

MD5
7711d4f36fbde3ceafd68fa4ab94be18

SHA1
0dbb30c5a764a3d14bb346682acd110d7d12f87e

SHA256
18d7b2c7b2e3cdd845f0dcf10ed79ca4c6b8eccd88bbc3f9a912008eebfa19e4

SHA512
90adfc31ac8791d09d59a3dd57c4efcae537e5171c07ce681ceff1f4ff825e7e13498cbd93e6803143412040e8574264e23985be9874988db71986cafa42f10b

Download Submit
C:\Users\Admin\AppData\Local\Temp\661f0c82d9563217df5c786ed945744481d404411c2f1d4e025b68a439ee700e.~tmp

Filesize
88KB

MD5
7711d4f36fbde3ceafd68fa4ab94be18

SHA1
0dbb30c5a764a3d14bb346682acd110d7d12f87e

SHA256
18d7b2c7b2e3cdd845f0dcf10ed79ca4c6b8eccd88bbc3f9a912008eebfa19e4

SHA512
90adfc31ac8791d09d59a3dd57c4efcae537e5171c07ce681ceff1f4ff825e7e13498cbd93e6803143412040e8574264e23985be9874988db71986cafa42f10b

Download Submit
C:\Windows\SysWOW64\drivers\lsass.exe

Filesize
32KB

MD5
669ffd1dd6fb7a0e4ddbc3ad3b76507b

SHA1
372820d6b9350ad629a489d49876d8bd422b8f31

SHA256
7dc487e762e55ffa601480c4bc7948f85fcd4f025665ff599060ec1f81d7e986

SHA512
cd69694ad3316c768dbe0d1514060870568c67a50785b38d402eb16e94740c5ae351eb6d47284630a2505fac50c9777bedef85608571c85385b1b9c1f12d73f5

Download Submit
C:\Windows\SysWOW64\drivers\lsass.exe

Filesize
32KB

MD5
669ffd1dd6fb7a0e4ddbc3ad3b76507b

SHA1
372820d6b9350ad629a489d49876d8bd422b8f31

SHA256
7dc487e762e55ffa601480c4bc7948f85fcd4f025665ff599060ec1f81d7e986

SHA512
cd69694ad3316c768dbe0d1514060870568c67a50785b38d402eb16e94740c5ae351eb6d47284630a2505fac50c9777bedef85608571c85385b1b9c1f12d73f5

Download Submit
\Users\Admin\AppData\Local\Temp\661f0c82d9563217df5c786ed945744481d404411c2f1d4e025b68a439ee700e.~tmp

Filesize
88KB

MD5
7711d4f36fbde3ceafd68fa4ab94be18

SHA1
0dbb30c5a764a3d14bb346682acd110d7d12f87e

SHA256
18d7b2c7b2e3cdd845f0dcf10ed79ca4c6b8eccd88bbc3f9a912008eebfa19e4

SHA512
90adfc31ac8791d09d59a3dd57c4efcae537e5171c07ce681ceff1f4ff825e7e13498cbd93e6803143412040e8574264e23985be9874988db71986cafa42f10b

Download Submit
\Windows\SysWOW64\drivers\lsass.exe

Filesize
32KB

MD5
669ffd1dd6fb7a0e4ddbc3ad3b76507b

SHA1
372820d6b9350ad629a489d49876d8bd422b8f31

SHA256
7dc487e762e55ffa601480c4bc7948f85fcd4f025665ff599060ec1f81d7e986

SHA512
cd69694ad3316c768dbe0d1514060870568c67a50785b38d402eb16e94740c5ae351eb6d47284630a2505fac50c9777bedef85608571c85385b1b9c1f12d73f5

Download Submit
\Windows\SysWOW64\drivers\lsass.exe

Filesize
32KB

MD5
669ffd1dd6fb7a0e4ddbc3ad3b76507b

SHA1
372820d6b9350ad629a489d49876d8bd422b8f31

SHA256
7dc487e762e55ffa601480c4bc7948f85fcd4f025665ff599060ec1f81d7e986

SHA512
cd69694ad3316c768dbe0d1514060870568c67a50785b38d402eb16e94740c5ae351eb6d47284630a2505fac50c9777bedef85608571c85385b1b9c1f12d73f5

Download Submit
memory/1112-54-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing