dfe8a3f9071b4ffa3f974f1e0e0312de09fa52f593bafea3d02dab73d404eacb

General

Target

dfe8a3f9071b4ffa3f974f1e0e0312de09fa52f593bafea3d02dab73d404eacb.exe
Size

93KB
MD5

43e07a83c129d2773466e666754c051a
SHA1

b230c002d023df16d4e997c1966474e104f0e318
SHA256

dfe8a3f9071b4ffa3f974f1e0e0312de09fa52f593bafea3d02dab73d404eacb
SHA512

7c291f987c91f48743d857db7f6f3abd37089626d8b0369846d5ee50b6927fee51bfeadadea08e5832773a6ae9915996b38c8c06736f93d6d76eaab91496d48e
SSDEEP

1536:+HxCaqYLXJOfEbvdTvqGORq0H/waHXxoqNFcMeYxoPR:+Hx8YL02HamwFDoP

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

lsass.exe

pid process

940 lsass.exe

pid	process
940	lsass.exe

Drops startup file 1 IoCs

Processes:

dfe8a3f9071b4ffa3f974f1e0e0312de09fa52f593bafea3d02dab73d404eacb.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe	dfe8a3f9071b4ffa3f974f1e0e0312de09fa52f593bafea3d02dab73d404eacb.exe

Loads dropped DLL 2 IoCs

Processes:

dfe8a3f9071b4ffa3f974f1e0e0312de09fa52f593bafea3d02dab73d404eacb.exe

pid	process
2020	dfe8a3f9071b4ffa3f974f1e0e0312de09fa52f593bafea3d02dab73d404eacb.exe
2020	dfe8a3f9071b4ffa3f974f1e0e0312de09fa52f593bafea3d02dab73d404eacb.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pid process

1404
1404
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

lsass.exeexplorer.exe

pid process

940 lsass.exe
1296 explorer.exe
1404
1404
1404

pid	process
1404
1404

pid	process
940	lsass.exe
1296	explorer.exe
1404
1404
1404

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

dfe8a3f9071b4ffa3f974f1e0e0312de09fa52f593bafea3d02dab73d404eacb.exelsass.exe

description	pid	process
Token: SeDebugPrivilege	2020	dfe8a3f9071b4ffa3f974f1e0e0312de09fa52f593bafea3d02dab73d404eacb.exe
Token: SeDebugPrivilege	940	lsass.exe
Token: SeDebugPrivilege	1404

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1404
1404
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1404
1404

pid	process
1404
1404

pid	process
1404
1404

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

dfe8a3f9071b4ffa3f974f1e0e0312de09fa52f593bafea3d02dab73d404eacb.exelsass.exe

description	pid	process	target process
PID 2020 wrote to memory of 940	2020	dfe8a3f9071b4ffa3f974f1e0e0312de09fa52f593bafea3d02dab73d404eacb.exe	lsass.exe
PID 2020 wrote to memory of 940	2020	dfe8a3f9071b4ffa3f974f1e0e0312de09fa52f593bafea3d02dab73d404eacb.exe	lsass.exe
PID 2020 wrote to memory of 940	2020	dfe8a3f9071b4ffa3f974f1e0e0312de09fa52f593bafea3d02dab73d404eacb.exe	lsass.exe
PID 2020 wrote to memory of 940	2020	dfe8a3f9071b4ffa3f974f1e0e0312de09fa52f593bafea3d02dab73d404eacb.exe	lsass.exe
PID 940 wrote to memory of 1296	940	lsass.exe	explorer.exe
PID 940 wrote to memory of 1296	940	lsass.exe	explorer.exe
PID 940 wrote to memory of 1296	940	lsass.exe	explorer.exe
PID 940 wrote to memory of 1296	940	lsass.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\dfe8a3f9071b4ffa3f974f1e0e0312de09fa52f593bafea3d02dab73d404eacb.exe
"C:\Users\Admin\AppData\Local\Temp\dfe8a3f9071b4ffa3f974f1e0e0312de09fa52f593bafea3d02dab73d404eacb.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:940

C:\Windows\explorer.exe
C:\Windows\explorer.exe
3⤵
- Suspicious behavior: MapViewOfSection
PID:1296

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe

Filesize
93KB

MD5
43e07a83c129d2773466e666754c051a

SHA1
b230c002d023df16d4e997c1966474e104f0e318

SHA256
dfe8a3f9071b4ffa3f974f1e0e0312de09fa52f593bafea3d02dab73d404eacb

SHA512
7c291f987c91f48743d857db7f6f3abd37089626d8b0369846d5ee50b6927fee51bfeadadea08e5832773a6ae9915996b38c8c06736f93d6d76eaab91496d48e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe

Filesize
93KB

MD5
43e07a83c129d2773466e666754c051a

SHA1
b230c002d023df16d4e997c1966474e104f0e318

SHA256
dfe8a3f9071b4ffa3f974f1e0e0312de09fa52f593bafea3d02dab73d404eacb

SHA512
7c291f987c91f48743d857db7f6f3abd37089626d8b0369846d5ee50b6927fee51bfeadadea08e5832773a6ae9915996b38c8c06736f93d6d76eaab91496d48e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe

Filesize
93KB

MD5
43e07a83c129d2773466e666754c051a

SHA1
b230c002d023df16d4e997c1966474e104f0e318

SHA256
dfe8a3f9071b4ffa3f974f1e0e0312de09fa52f593bafea3d02dab73d404eacb

SHA512
7c291f987c91f48743d857db7f6f3abd37089626d8b0369846d5ee50b6927fee51bfeadadea08e5832773a6ae9915996b38c8c06736f93d6d76eaab91496d48e

Download Submit
memory/940-64-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/940-57-0x0000000000000000-mapping.dmp

Download
memory/940-62-0x00000000001F0000-0x0000000000217000-memory.dmp

Filesize
156KB

Download
memory/1276-66-0x0000000001BC0000-0x0000000001BE7000-memory.dmp

Filesize
156KB

Download
memory/1296-61-0x0000000000000000-mapping.dmp

Download
memory/1296-63-0x0000000000060000-0x0000000000087000-memory.dmp

Filesize
156KB

Download
memory/1356-68-0x0000000001BB0000-0x0000000001BD7000-memory.dmp

Filesize
156KB

Download
memory/1404-65-0x0000000002150000-0x0000000002177000-memory.dmp

Filesize
156KB

Download
memory/1404-67-0x0000000002180000-0x0000000002192000-memory.dmp

Filesize
72KB

Download
memory/2020-59-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2020-54-0x00000000756B1000-0x00000000756B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads