c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34

General

Target

c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34.exe
Size

729KB
MD5

20c6dc83a481bd920b9b9bcb7f0b5979
SHA1

ac5834f7bff1eea2bbd2753bbeeca69dff687f58
SHA256

c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34
SHA512

9c5571f18252ee879e30ac02bd8b721055fcdbf85579c516592c81c062475c36540a43eb8c8e46392af1565ce83c8def8fa4bb463060a1d33b812b9ea8b690f2
SSDEEP

12288:lN/Hs8Q48W5glu2igm8Yaimes/0ft9yIJ:lppQ4V52uBTm7EtAIJ

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
300	lsass.exe
340	lsass.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe	c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe	lsass.exe

Loads dropped DLL 2 IoCs

pid	Process
1164	c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34.exe
1164	c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2016 set thread context of 1164	2016	c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34.exe	28
PID 300 set thread context of 340	300	lsass.exe	30

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1200	Process not Found
1200	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1200	Process not Found

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
340	lsass.exe
1928	explorer.exe
1200	Process not Found
1200	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1164	c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34.exe
Token: SeDebugPrivilege	340	lsass.exe
Token: SeDebugPrivilege	1200	Process not Found
Token: SeShutdownPrivilege	1200	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1200	Process not Found
1200	Process not Found

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1200	Process not Found
1200	Process not Found

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2016	c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34.exe
300	lsass.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 1164	2016	c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34.exe	28
PID 2016 wrote to memory of 1164	2016	c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34.exe	28
PID 2016 wrote to memory of 1164	2016	c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34.exe	28
PID 2016 wrote to memory of 1164	2016	c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34.exe	28
PID 2016 wrote to memory of 1164	2016	c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34.exe	28
PID 2016 wrote to memory of 1164	2016	c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34.exe	28
PID 2016 wrote to memory of 1164	2016	c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34.exe	28
PID 1164 wrote to memory of 300	1164	c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34.exe	29
PID 1164 wrote to memory of 300	1164	c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34.exe	29
PID 1164 wrote to memory of 300	1164	c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34.exe	29
PID 1164 wrote to memory of 300	1164	c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34.exe	29
PID 300 wrote to memory of 340	300	lsass.exe	30
PID 300 wrote to memory of 340	300	lsass.exe	30
PID 300 wrote to memory of 340	300	lsass.exe	30
PID 300 wrote to memory of 340	300	lsass.exe	30
PID 300 wrote to memory of 340	300	lsass.exe	30
PID 300 wrote to memory of 340	300	lsass.exe	30
PID 300 wrote to memory of 340	300	lsass.exe	30
PID 340 wrote to memory of 1928	340	lsass.exe	31
PID 340 wrote to memory of 1928	340	lsass.exe	31
PID 340 wrote to memory of 1928	340	lsass.exe	31
PID 340 wrote to memory of 1928	340	lsass.exe	31

C:\Users\Admin\AppData\Local\Temp\c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34.exe
"C:\Users\Admin\AppData\Local\Temp\c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34.exe
  "C:\Users\Admin\AppData\Local\Temp\c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:300
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:340
    - - C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe
        5⤵
        Suspicious behavior: MapViewOfSection
        
        PID:1928

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe

Filesize
729KB

MD5
20c6dc83a481bd920b9b9bcb7f0b5979

SHA1
ac5834f7bff1eea2bbd2753bbeeca69dff687f58

SHA256
c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34

SHA512
9c5571f18252ee879e30ac02bd8b721055fcdbf85579c516592c81c062475c36540a43eb8c8e46392af1565ce83c8def8fa4bb463060a1d33b812b9ea8b690f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe

Filesize
729KB

MD5
20c6dc83a481bd920b9b9bcb7f0b5979

SHA1
ac5834f7bff1eea2bbd2753bbeeca69dff687f58

SHA256
c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34

SHA512
9c5571f18252ee879e30ac02bd8b721055fcdbf85579c516592c81c062475c36540a43eb8c8e46392af1565ce83c8def8fa4bb463060a1d33b812b9ea8b690f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe

Filesize
729KB

MD5
20c6dc83a481bd920b9b9bcb7f0b5979

SHA1
ac5834f7bff1eea2bbd2753bbeeca69dff687f58

SHA256
c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34

SHA512
9c5571f18252ee879e30ac02bd8b721055fcdbf85579c516592c81c062475c36540a43eb8c8e46392af1565ce83c8def8fa4bb463060a1d33b812b9ea8b690f2

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe

Filesize
729KB

MD5
20c6dc83a481bd920b9b9bcb7f0b5979

SHA1
ac5834f7bff1eea2bbd2753bbeeca69dff687f58

SHA256
c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34

SHA512
9c5571f18252ee879e30ac02bd8b721055fcdbf85579c516592c81c062475c36540a43eb8c8e46392af1565ce83c8def8fa4bb463060a1d33b812b9ea8b690f2

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe

Filesize
729KB

MD5
20c6dc83a481bd920b9b9bcb7f0b5979

SHA1
ac5834f7bff1eea2bbd2753bbeeca69dff687f58

SHA256
c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34

SHA512
9c5571f18252ee879e30ac02bd8b721055fcdbf85579c516592c81c062475c36540a43eb8c8e46392af1565ce83c8def8fa4bb463060a1d33b812b9ea8b690f2

Download Submit
memory/340-78-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/340-79-0x00000000002B0000-0x00000000002D7000-memory.dmp

Filesize
156KB

Download
memory/1120-83-0x0000000000420000-0x0000000000447000-memory.dmp

Filesize
156KB

Download
memory/1164-57-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1164-59-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1164-61-0x0000000075671000-0x0000000075673000-memory.dmp

Filesize
8KB

Download
memory/1164-65-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1164-56-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1172-84-0x0000000001B40000-0x0000000001B67000-memory.dmp

Filesize
156KB

Download
memory/1200-81-0x0000000002940000-0x0000000002967000-memory.dmp

Filesize
156KB

Download
memory/1200-82-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/1928-80-0x0000000000060000-0x0000000000087000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing