c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34

General

Target

c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34.exe
Size

729KB
MD5

20c6dc83a481bd920b9b9bcb7f0b5979
SHA1

ac5834f7bff1eea2bbd2753bbeeca69dff687f58
SHA256

c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34
SHA512

9c5571f18252ee879e30ac02bd8b721055fcdbf85579c516592c81c062475c36540a43eb8c8e46392af1565ce83c8def8fa4bb463060a1d33b812b9ea8b690f2
SSDEEP

12288:lN/Hs8Q48W5glu2igm8Yaimes/0ft9yIJ:lppQ4V52uBTm7EtAIJ

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
220	lsass.exe
4104	lsass.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe	c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe	lsass.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3384 set thread context of 1440	3384	c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34.exe	82
PID 220 set thread context of 4104	220	lsass.exe	84

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1952	Process not Found
1952	Process not Found

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
4104	lsass.exe
4060	explorer.exe
1952	Process not Found
1952	Process not Found
1952	Process not Found

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1440	c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34.exe
Token: SeDebugPrivilege	4104	lsass.exe
Token: SeDebugPrivilege	1952	Process not Found

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3384	c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34.exe
220	lsass.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3384 wrote to memory of 1440	3384	c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34.exe	82
PID 3384 wrote to memory of 1440	3384	c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34.exe	82
PID 3384 wrote to memory of 1440	3384	c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34.exe	82
PID 3384 wrote to memory of 1440	3384	c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34.exe	82
PID 3384 wrote to memory of 1440	3384	c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34.exe	82
PID 3384 wrote to memory of 1440	3384	c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34.exe	82
PID 1440 wrote to memory of 220	1440	c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34.exe	83
PID 1440 wrote to memory of 220	1440	c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34.exe	83
PID 1440 wrote to memory of 220	1440	c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34.exe	83
PID 220 wrote to memory of 4104	220	lsass.exe	84
PID 220 wrote to memory of 4104	220	lsass.exe	84
PID 220 wrote to memory of 4104	220	lsass.exe	84
PID 220 wrote to memory of 4104	220	lsass.exe	84
PID 220 wrote to memory of 4104	220	lsass.exe	84
PID 220 wrote to memory of 4104	220	lsass.exe	84
PID 4104 wrote to memory of 4060	4104	lsass.exe	85
PID 4104 wrote to memory of 4060	4104	lsass.exe	85

C:\Users\Admin\AppData\Local\Temp\c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34.exe
"C:\Users\Admin\AppData\Local\Temp\c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3384
- C:\Users\Admin\AppData\Local\Temp\c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34.exe
  "C:\Users\Admin\AppData\Local\Temp\c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34.exe"
  2⤵
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:220
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4104
    - - C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe
        5⤵
        Suspicious behavior: MapViewOfSection
        
        PID:4060

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe

Filesize
729KB

MD5
20c6dc83a481bd920b9b9bcb7f0b5979

SHA1
ac5834f7bff1eea2bbd2753bbeeca69dff687f58

SHA256
c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34

SHA512
9c5571f18252ee879e30ac02bd8b721055fcdbf85579c516592c81c062475c36540a43eb8c8e46392af1565ce83c8def8fa4bb463060a1d33b812b9ea8b690f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe

Filesize
729KB

MD5
20c6dc83a481bd920b9b9bcb7f0b5979

SHA1
ac5834f7bff1eea2bbd2753bbeeca69dff687f58

SHA256
c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34

SHA512
9c5571f18252ee879e30ac02bd8b721055fcdbf85579c516592c81c062475c36540a43eb8c8e46392af1565ce83c8def8fa4bb463060a1d33b812b9ea8b690f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe

Filesize
729KB

MD5
20c6dc83a481bd920b9b9bcb7f0b5979

SHA1
ac5834f7bff1eea2bbd2753bbeeca69dff687f58

SHA256
c3f7b822ad7d7144461b2a2917e76dd6872acefdb9a068215f5e41c30797da34

SHA512
9c5571f18252ee879e30ac02bd8b721055fcdbf85579c516592c81c062475c36540a43eb8c8e46392af1565ce83c8def8fa4bb463060a1d33b812b9ea8b690f2

Download Submit
memory/1440-135-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1440-138-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4060-148-0x0000000000890000-0x00000000008B7000-memory.dmp

Filesize
156KB

Download
memory/4104-146-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4104-147-0x0000000000590000-0x00000000005B7000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing