Analysis

  • max time kernel
    150s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/11/2022, 07:25

General

  • Target

    cba36d73b9dd17aa7a03dc845def76362852c5b6eb15551464e8d879657adb12.exe

  • Size

    489KB

  • MD5

    21f8e1a2a11b8a11d55f5010717d9f43

  • SHA1

    3b10060c544aa568c44f2bcaadad2900fc0b4240

  • SHA256

    cba36d73b9dd17aa7a03dc845def76362852c5b6eb15551464e8d879657adb12

  • SHA512

    b67b52228a2c9489d415ce2d28701f943ddb036612e9ad812859336f8ae73e473eff252c3d16c68f11bbd9bf7273aabab9093d5a84e024b2c9e628bda41db9ad

  • SSDEEP

    6144:uBapC9DUIYmO5Kv5Q7X/l/rYvkW1VxxfnzrV9UAH0ctkPfc92F8+SLpIh9jhlD:BpQD+mO5KWy/zrVbt4fcY7S9U9jvD

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cba36d73b9dd17aa7a03dc845def76362852c5b6eb15551464e8d879657adb12.exe
    "C:\Users\Admin\AppData\Local\Temp\cba36d73b9dd17aa7a03dc845def76362852c5b6eb15551464e8d879657adb12.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1492
    • C:\Windows\LSASS.exe
      "C:\Windows\LSASS.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1312
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        PID:672
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:540
      • C:\Users\Admin\LSASS.exe
        "C:\Users\Admin\LSASS.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:1752
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:368
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        PID:1900
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:552
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:1336
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        PID:1908
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        PID:756
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:804
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        PID:1760
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:1012
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:872
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:1148
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:1176
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:1768
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:1528
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:1124
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:1616
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:1748
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:1160
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:636
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        PID:540
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:1164
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:1032
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        PID:684
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:616
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:844
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:1080
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:1916
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:1908
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:1968
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:2044
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:1652
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:1852
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:1628
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:1028
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:728
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:1348
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:1940
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:1152
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:1492
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:1416
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:320
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:636
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:1356
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        PID:1840
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:368
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:932
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:1676
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:1104
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:1904
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:1896
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:1508
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:568

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\LSASS.exe

    Filesize

    489KB

    MD5

    8e6ca608268f646bc37966d864fe55c6

    SHA1

    d965d7fffc22209738e133cfb923b6d807ed16a8

    SHA256

    b88ef1a2f81cb0a8d434bf9c76df0ff4787790e7636fe81f42384762fb0d6d2c

    SHA512

    55aa1e9bf35791fe18e9a7a3f6645fcc1309e27b47ccd1db398e1e3b991ea3fcaeae030f074105e8a6c5db3e3a736877a4c577d2b7791e6bfe657dc76b7b9329

  • C:\Windows\LSASS.exe

    Filesize

    489KB

    MD5

    3f0eb6408ce50b41a7d34ac4335c5fb7

    SHA1

    9e458c071eb1494f619e0039488868ab1b2c5d2e

    SHA256

    ab5465d9579426a402b05de22ed77860964ba70c3324d544a059cdfaf33d45b0

    SHA512

    30eec6a8ec62c9d8bade384c0fce8910917b89f614e69e97ebcc21a14b2bd520da95855d36cc301652694e4184d86931726c4fe80228ba99a085a6436774f260

  • \Users\Admin\LSASS.exe

    Filesize

    489KB

    MD5

    8e6ca608268f646bc37966d864fe55c6

    SHA1

    d965d7fffc22209738e133cfb923b6d807ed16a8

    SHA256

    b88ef1a2f81cb0a8d434bf9c76df0ff4787790e7636fe81f42384762fb0d6d2c

    SHA512

    55aa1e9bf35791fe18e9a7a3f6645fcc1309e27b47ccd1db398e1e3b991ea3fcaeae030f074105e8a6c5db3e3a736877a4c577d2b7791e6bfe657dc76b7b9329

  • memory/1492-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

    Filesize

    8KB