cba36d73b9dd17aa7a03dc845def76362852c5b6eb15551464e8d879657adb12

Analysis

max time kernel
167s
max time network
185s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2022, 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cba36d73b9dd17aa7a03dc845def76362852c5b6eb15551464e8d879657adb12.exe
Size

489KB
MD5

21f8e1a2a11b8a11d55f5010717d9f43
SHA1

3b10060c544aa568c44f2bcaadad2900fc0b4240
SHA256

cba36d73b9dd17aa7a03dc845def76362852c5b6eb15551464e8d879657adb12
SHA512

b67b52228a2c9489d415ce2d28701f943ddb036612e9ad812859336f8ae73e473eff252c3d16c68f11bbd9bf7273aabab9093d5a84e024b2c9e628bda41db9ad
SSDEEP

6144:uBapC9DUIYmO5Kv5Q7X/l/rYvkW1VxxfnzrV9UAH0ctkPfc92F8+SLpIh9jhlD:BpQD+mO5KWy/zrVbt4fcY7S9U9jvD

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1204	LSASS.exe
2324	LSASS.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	LSASS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cba36d73b9dd17aa7a03dc845def76362852c5b6eb15551464e8d879657adb12.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	LSASS.exe
File opened (read-only)	\??\I:	LSASS.exe
File opened (read-only)	\??\L:	LSASS.exe
File opened (read-only)	\??\M:	LSASS.exe
File opened (read-only)	\??\R:	LSASS.exe
File opened (read-only)	\??\E:	LSASS.exe
File opened (read-only)	\??\F:	LSASS.exe
File opened (read-only)	\??\K:	LSASS.exe
File opened (read-only)	\??\N:	LSASS.exe
File opened (read-only)	\??\O:	LSASS.exe
File opened (read-only)	\??\Q:	LSASS.exe
File opened (read-only)	\??\S:	LSASS.exe
File opened (read-only)	\??\V:	LSASS.exe
File opened (read-only)	\??\H:	LSASS.exe
File opened (read-only)	\??\P:	LSASS.exe
File opened (read-only)	\??\T:	LSASS.exe
File opened (read-only)	\??\U:	LSASS.exe
File opened (read-only)	\??\W:	LSASS.exe
File opened (read-only)	\??\J:	LSASS.exe
File opened (read-only)	\??\X:	LSASS.exe
File opened (read-only)	\??\Y:	LSASS.exe
File opened (read-only)	\??\Z:	LSASS.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	LSASS.exe
File opened for modification	C:\autorun.inf	LSASS.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\LSASS.exe	cba36d73b9dd17aa7a03dc845def76362852c5b6eb15551464e8d879657adb12.exe
File opened for modification	C:\Windows\LSASS.exe	cba36d73b9dd17aa7a03dc845def76362852c5b6eb15551464e8d879657adb12.exe
File opened for modification	C:\Windows\LSASS.exe	LSASS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	cba36d73b9dd17aa7a03dc845def76362852c5b6eb15551464e8d879657adb12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	LSASS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3112	cba36d73b9dd17aa7a03dc845def76362852c5b6eb15551464e8d879657adb12.exe
3112	cba36d73b9dd17aa7a03dc845def76362852c5b6eb15551464e8d879657adb12.exe
3112	cba36d73b9dd17aa7a03dc845def76362852c5b6eb15551464e8d879657adb12.exe
3112	cba36d73b9dd17aa7a03dc845def76362852c5b6eb15551464e8d879657adb12.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
2324	LSASS.exe
2324	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe
1204	LSASS.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3112 wrote to memory of 1204	3112	cba36d73b9dd17aa7a03dc845def76362852c5b6eb15551464e8d879657adb12.exe	82
PID 3112 wrote to memory of 1204	3112	cba36d73b9dd17aa7a03dc845def76362852c5b6eb15551464e8d879657adb12.exe	82
PID 3112 wrote to memory of 1204	3112	cba36d73b9dd17aa7a03dc845def76362852c5b6eb15551464e8d879657adb12.exe	82
PID 1204 wrote to memory of 1016	1204	LSASS.exe	83
PID 1204 wrote to memory of 1016	1204	LSASS.exe	83
PID 1204 wrote to memory of 1016	1204	LSASS.exe	83
PID 1204 wrote to memory of 2160	1204	LSASS.exe	84
PID 1204 wrote to memory of 2160	1204	LSASS.exe	84
PID 1204 wrote to memory of 2160	1204	LSASS.exe	84
PID 1204 wrote to memory of 2324	1204	LSASS.exe	87
PID 1204 wrote to memory of 2324	1204	LSASS.exe	87
PID 1204 wrote to memory of 2324	1204	LSASS.exe	87
PID 1204 wrote to memory of 2192	1204	LSASS.exe	88
PID 1204 wrote to memory of 2192	1204	LSASS.exe	88
PID 1204 wrote to memory of 2192	1204	LSASS.exe	88
PID 1204 wrote to memory of 2224	1204	LSASS.exe	90
PID 1204 wrote to memory of 2224	1204	LSASS.exe	90
PID 1204 wrote to memory of 2224	1204	LSASS.exe	90
PID 1204 wrote to memory of 3716	1204	LSASS.exe	92
PID 1204 wrote to memory of 3716	1204	LSASS.exe	92
PID 1204 wrote to memory of 3716	1204	LSASS.exe	92
PID 1204 wrote to memory of 1260	1204	LSASS.exe	94
PID 1204 wrote to memory of 1260	1204	LSASS.exe	94
PID 1204 wrote to memory of 1260	1204	LSASS.exe	94
PID 1204 wrote to memory of 4656	1204	LSASS.exe	96
PID 1204 wrote to memory of 4656	1204	LSASS.exe	96
PID 1204 wrote to memory of 4656	1204	LSASS.exe	96
PID 1204 wrote to memory of 3552	1204	LSASS.exe	98
PID 1204 wrote to memory of 3552	1204	LSASS.exe	98
PID 1204 wrote to memory of 3552	1204	LSASS.exe	98
PID 1204 wrote to memory of 5016	1204	LSASS.exe	100
PID 1204 wrote to memory of 5016	1204	LSASS.exe	100
PID 1204 wrote to memory of 5016	1204	LSASS.exe	100
PID 1204 wrote to memory of 4272	1204	LSASS.exe	102
PID 1204 wrote to memory of 4272	1204	LSASS.exe	102
PID 1204 wrote to memory of 4272	1204	LSASS.exe	102
PID 1204 wrote to memory of 1640	1204	LSASS.exe	104
PID 1204 wrote to memory of 1640	1204	LSASS.exe	104
PID 1204 wrote to memory of 1640	1204	LSASS.exe	104
PID 1204 wrote to memory of 4424	1204	LSASS.exe	106
PID 1204 wrote to memory of 4424	1204	LSASS.exe	106
PID 1204 wrote to memory of 4424	1204	LSASS.exe	106
PID 1204 wrote to memory of 3188	1204	LSASS.exe	108
PID 1204 wrote to memory of 3188	1204	LSASS.exe	108
PID 1204 wrote to memory of 3188	1204	LSASS.exe	108
PID 1204 wrote to memory of 4996	1204	LSASS.exe	110
PID 1204 wrote to memory of 4996	1204	LSASS.exe	110
PID 1204 wrote to memory of 4996	1204	LSASS.exe	110
PID 1204 wrote to memory of 796	1204	LSASS.exe	112
PID 1204 wrote to memory of 796	1204	LSASS.exe	112
PID 1204 wrote to memory of 796	1204	LSASS.exe	112
PID 1204 wrote to memory of 4156	1204	LSASS.exe	114
PID 1204 wrote to memory of 4156	1204	LSASS.exe	114
PID 1204 wrote to memory of 4156	1204	LSASS.exe	114
PID 1204 wrote to memory of 4452	1204	LSASS.exe	116
PID 1204 wrote to memory of 4452	1204	LSASS.exe	116
PID 1204 wrote to memory of 4452	1204	LSASS.exe	116
PID 1204 wrote to memory of 2940	1204	LSASS.exe	118
PID 1204 wrote to memory of 2940	1204	LSASS.exe	118
PID 1204 wrote to memory of 2940	1204	LSASS.exe	118
PID 1204 wrote to memory of 520	1204	LSASS.exe	120
PID 1204 wrote to memory of 520	1204	LSASS.exe	120
PID 1204 wrote to memory of 520	1204	LSASS.exe	120
PID 1204 wrote to memory of 4280	1204	LSASS.exe	122

C:\Users\Admin\AppData\Local\Temp\cba36d73b9dd17aa7a03dc845def76362852c5b6eb15551464e8d879657adb12.exe
"C:\Users\Admin\AppData\Local\Temp\cba36d73b9dd17aa7a03dc845def76362852c5b6eb15551464e8d879657adb12.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3112
- C:\Windows\LSASS.exe
  "C:\Windows\LSASS.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1016
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2160
- - C:\Users\Admin\LSASS.exe
    "C:\Users\Admin\LSASS.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2324
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2192
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2224
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    PID:3716
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1260
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:4656
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3552
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:5016
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:4272
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:4424
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3188
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:4996
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:796
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:4156
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:4452
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2940
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:520
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    PID:4280
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3316
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:4556
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2220
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:4124
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1588
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:4764
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2324
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3824
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3828
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    PID:4040
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2464
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:5072
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1212
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:4672
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:5016
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1008
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2880
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:4348
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3396
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3648
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2928
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3144
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    PID:2344
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:4660
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1556
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2724
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:536
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2852
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    PID:3900
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1032
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1128
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    PID:1112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\LSASS.exe

Filesize
489KB

MD5
696e754c5e50ad8a2b1a4dfe3d623a86

SHA1
3ec3873d4c7805df2c6421b89c69e348930b839c

SHA256
b49407aa458bbe6cc64bfebf4740faf6b3d9a66e1469951732152b917713b48d

SHA512
2241c9a7e6089243b88a7129ebdc92a067b953da16b31d6c345ddfb1e353252970bf561f234bb273f9cf2a287a722acc157b8c36616cc54f4277795647b326ac

Download Submit
C:\Users\Admin\LSASS.exe

Filesize
489KB

MD5
696e754c5e50ad8a2b1a4dfe3d623a86

SHA1
3ec3873d4c7805df2c6421b89c69e348930b839c

SHA256
b49407aa458bbe6cc64bfebf4740faf6b3d9a66e1469951732152b917713b48d

SHA512
2241c9a7e6089243b88a7129ebdc92a067b953da16b31d6c345ddfb1e353252970bf561f234bb273f9cf2a287a722acc157b8c36616cc54f4277795647b326ac

Download Submit
C:\Windows\LSASS.exe

Filesize
489KB

MD5
a0c5559df29f2dd2abf03901966364a2

SHA1
71825c3f5fe84664115a3862154cdc234ee8064b

SHA256
554d08852a76091732144fda304ea621c768f2b8b3a3f2c9e4a2e6c508961fdf

SHA512
09b053480b14147c36fce3cf6cc3b3bfd257111127347b33a3fbdbe028d272de0c80102480badcb7b859cd33d1a85f32b35f05441d3b3561a783d81994702762

Download Submit
C:\Windows\LSASS.exe

Filesize
489KB

MD5
a0c5559df29f2dd2abf03901966364a2

SHA1
71825c3f5fe84664115a3862154cdc234ee8064b

SHA256
554d08852a76091732144fda304ea621c768f2b8b3a3f2c9e4a2e6c508961fdf

SHA512
09b053480b14147c36fce3cf6cc3b3bfd257111127347b33a3fbdbe028d272de0c80102480badcb7b859cd33d1a85f32b35f05441d3b3561a783d81994702762

Download Submit