Overview

overview

8

Static

static

cba36d73b9...12.exe

windows7-x64

8

cba36d73b9...12.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    167s
  • max time network
    185s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/11/2022, 07:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cba36d73b9dd17aa7a03dc845def76362852c5b6eb15551464e8d879657adb12.exe

  • Size

    489KB

  • MD5

    21f8e1a2a11b8a11d55f5010717d9f43

  • SHA1

    3b10060c544aa568c44f2bcaadad2900fc0b4240

  • SHA256

    cba36d73b9dd17aa7a03dc845def76362852c5b6eb15551464e8d879657adb12

  • SHA512

    b67b52228a2c9489d415ce2d28701f943ddb036612e9ad812859336f8ae73e473eff252c3d16c68f11bbd9bf7273aabab9093d5a84e024b2c9e628bda41db9ad

  • SSDEEP

    6144:uBapC9DUIYmO5Kv5Q7X/l/rYvkW1VxxfnzrV9UAH0ctkPfc92F8+SLpIh9jhlD:BpQD+mO5KWy/zrVbt4fcY7S9U9jvD

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 64 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cba36d73b9dd17aa7a03dc845def76362852c5b6eb15551464e8d879657adb12.exe
    "C:\Users\Admin\AppData\Local\Temp\cba36d73b9dd17aa7a03dc845def76362852c5b6eb15551464e8d879657adb12.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3112
    • C:\Windows\LSASS.exe
      "C:\Windows\LSASS.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1204
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:1016
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:2160
      • C:\Users\Admin\LSASS.exe
        "C:\Users\Admin\LSASS.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2324
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:2192
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:2224
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
          PID:3716
        • C:\Windows\SysWOW64\REG.exe
          REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
          3⤵
          • Adds Run key to start application
          PID:1260
        • C:\Windows\SysWOW64\REG.exe
          REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
          3⤵
          • Adds Run key to start application
          PID:4656
        • C:\Windows\SysWOW64\REG.exe
          REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
          3⤵
          • Adds Run key to start application
          PID:3552
        • C:\Windows\SysWOW64\REG.exe
          REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
          3⤵
          • Adds Run key to start application
          PID:5016
        • C:\Windows\SysWOW64\REG.exe
          REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
          3⤵
          • Adds Run key to start application
          PID:4272
        • C:\Windows\SysWOW64\REG.exe
          REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
          3⤵
            PID:1640
          • C:\Windows\SysWOW64\REG.exe
            REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
            3⤵
            • Adds Run key to start application
            PID:4424
          • C:\Windows\SysWOW64\REG.exe
            REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
            3⤵
            • Adds Run key to start application
            PID:3188
          • C:\Windows\SysWOW64\REG.exe
            REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
            3⤵
            • Adds Run key to start application
            PID:4996
          • C:\Windows\SysWOW64\REG.exe
            REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
            3⤵
            • Adds Run key to start application
            PID:796
          • C:\Windows\SysWOW64\REG.exe
            REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
            3⤵
            • Adds Run key to start application
            PID:4156
          • C:\Windows\SysWOW64\REG.exe
            REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
            3⤵
            • Adds Run key to start application
            PID:4452
          • C:\Windows\SysWOW64\REG.exe
            REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
            3⤵
            • Adds Run key to start application
            PID:2940
          • C:\Windows\SysWOW64\REG.exe
            REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
            3⤵
            • Adds Run key to start application
            PID:520
          • C:\Windows\SysWOW64\REG.exe
            REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
            3⤵
              PID:4280
            • C:\Windows\SysWOW64\REG.exe
              REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
              3⤵
              • Adds Run key to start application
              PID:3316
            • C:\Windows\SysWOW64\REG.exe
              REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
              3⤵
              • Adds Run key to start application
              PID:4556
            • C:\Windows\SysWOW64\REG.exe
              REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
              3⤵
              • Adds Run key to start application
              PID:2220
            • C:\Windows\SysWOW64\REG.exe
              REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
              3⤵
              • Adds Run key to start application
              PID:4124
            • C:\Windows\SysWOW64\REG.exe
              REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
              3⤵
              • Adds Run key to start application
              PID:1588
            • C:\Windows\SysWOW64\REG.exe
              REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
              3⤵
              • Adds Run key to start application
              PID:4764
            • C:\Windows\SysWOW64\REG.exe
              REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
              3⤵
              • Adds Run key to start application
              PID:2324
            • C:\Windows\SysWOW64\REG.exe
              REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
              3⤵
              • Adds Run key to start application
              PID:3824
            • C:\Windows\SysWOW64\REG.exe
              REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
              3⤵
              • Adds Run key to start application
              PID:3828
            • C:\Windows\SysWOW64\REG.exe
              REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
              3⤵
                PID:4040
              • C:\Windows\SysWOW64\REG.exe
                REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
                3⤵
                • Adds Run key to start application
                PID:2464
              • C:\Windows\SysWOW64\REG.exe
                REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
                3⤵
                • Adds Run key to start application
                PID:5072
              • C:\Windows\SysWOW64\REG.exe
                REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
                3⤵
                • Adds Run key to start application
                PID:1212
              • C:\Windows\SysWOW64\REG.exe
                REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
                3⤵
                • Adds Run key to start application
                PID:4672
              • C:\Windows\SysWOW64\REG.exe
                REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
                3⤵
                • Adds Run key to start application
                PID:5016
              • C:\Windows\SysWOW64\REG.exe
                REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
                3⤵
                • Adds Run key to start application
                PID:1008
              • C:\Windows\SysWOW64\REG.exe
                REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
                3⤵
                • Adds Run key to start application
                PID:2880
              • C:\Windows\SysWOW64\REG.exe
                REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
                3⤵
                • Adds Run key to start application
                PID:4348
              • C:\Windows\SysWOW64\REG.exe
                REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
                3⤵
                • Adds Run key to start application
                PID:3396
              • C:\Windows\SysWOW64\REG.exe
                REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
                3⤵
                • Adds Run key to start application
                PID:3648
              • C:\Windows\SysWOW64\REG.exe
                REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
                3⤵
                • Adds Run key to start application
                PID:2928
              • C:\Windows\SysWOW64\REG.exe
                REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
                3⤵
                • Adds Run key to start application
                PID:3144
              • C:\Windows\SysWOW64\REG.exe
                REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
                3⤵
                  PID:2344
                • C:\Windows\SysWOW64\REG.exe
                  REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
                  3⤵
                  • Adds Run key to start application
                  PID:4660
                • C:\Windows\SysWOW64\REG.exe
                  REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
                  3⤵
                  • Adds Run key to start application
                  PID:1556
                • C:\Windows\SysWOW64\REG.exe
                  REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
                  3⤵
                  • Adds Run key to start application
                  PID:2724
                • C:\Windows\SysWOW64\REG.exe
                  REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
                  3⤵
                  • Adds Run key to start application
                  PID:536
                • C:\Windows\SysWOW64\REG.exe
                  REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
                  3⤵
                  • Adds Run key to start application
                  PID:2852
                • C:\Windows\SysWOW64\REG.exe
                  REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
                  3⤵
                    PID:3900
                  • C:\Windows\SysWOW64\REG.exe
                    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
                    3⤵
                    • Adds Run key to start application
                    PID:1032
                  • C:\Windows\SysWOW64\REG.exe
                    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
                    3⤵
                    • Adds Run key to start application
                    PID:1128
                  • C:\Windows\SysWOW64\REG.exe
                    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
                    3⤵
                      PID:1112

                Network

                MITRE ATT&CK Enterprise v6

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\LSASS.exe
                  Filesize

                  489KB

                  MD5

                  696e754c5e50ad8a2b1a4dfe3d623a86

                  SHA1

                  3ec3873d4c7805df2c6421b89c69e348930b839c

                  SHA256

                  b49407aa458bbe6cc64bfebf4740faf6b3d9a66e1469951732152b917713b48d

                  SHA512

                  2241c9a7e6089243b88a7129ebdc92a067b953da16b31d6c345ddfb1e353252970bf561f234bb273f9cf2a287a722acc157b8c36616cc54f4277795647b326ac

                  Download Submit

                • C:\Users\Admin\LSASS.exe
                  Filesize

                  489KB

                  MD5

                  696e754c5e50ad8a2b1a4dfe3d623a86

                  SHA1

                  3ec3873d4c7805df2c6421b89c69e348930b839c

                  SHA256

                  b49407aa458bbe6cc64bfebf4740faf6b3d9a66e1469951732152b917713b48d

                  SHA512

                  2241c9a7e6089243b88a7129ebdc92a067b953da16b31d6c345ddfb1e353252970bf561f234bb273f9cf2a287a722acc157b8c36616cc54f4277795647b326ac

                  Download Submit

                • C:\Windows\LSASS.exe
                  Filesize

                  489KB

                  MD5

                  a0c5559df29f2dd2abf03901966364a2

                  SHA1

                  71825c3f5fe84664115a3862154cdc234ee8064b

                  SHA256

                  554d08852a76091732144fda304ea621c768f2b8b3a3f2c9e4a2e6c508961fdf

                  SHA512

                  09b053480b14147c36fce3cf6cc3b3bfd257111127347b33a3fbdbe028d272de0c80102480badcb7b859cd33d1a85f32b35f05441d3b3561a783d81994702762

                  Download Submit

                • C:\Windows\LSASS.exe
                  Filesize

                  489KB

                  MD5

                  a0c5559df29f2dd2abf03901966364a2

                  SHA1

                  71825c3f5fe84664115a3862154cdc234ee8064b

                  SHA256

                  554d08852a76091732144fda304ea621c768f2b8b3a3f2c9e4a2e6c508961fdf

                  SHA512

                  09b053480b14147c36fce3cf6cc3b3bfd257111127347b33a3fbdbe028d272de0c80102480badcb7b859cd33d1a85f32b35f05441d3b3561a783d81994702762

                  Download Submit