a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b

General

Target

a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe
Size

132KB
MD5

52c46d7818f7ebe5d5ce91a9fec8f500
SHA1

21c8805de8f489c1a857023992f941cc34a8a983
SHA256

a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b
SHA512

91a04c5da0692406b69bb17255b375d34fc44236d0d8971259ffbecd2085a6c9a1cb738f59cc5417deeca7d88684142f3bc830e0901ddd04c269e466b86101c2
SSDEEP

1536:5CwpMY9Uz6EA3lp4IN+1yVKr2zqB5If9:4Y6fA39N7uBk

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\lssas.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lssas.exe:*:Enabled:Windows Defense"	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\MicrosoftCorp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lssas.exe"	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe

Executes dropped EXE 2 IoCs

Processes:

lssas.exelssas.exe

pid process

4884 lssas.exe
4040 lssas.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4220 netsh.exe

pid	process
4884	lssas.exe
4040	lssas.exe

pid	process
4220	netsh.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1684-136-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/1684-138-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/1684-140-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/1684-151-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/4040-157-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/4040-159-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/4040-160-0x0000000000400000-0x0000000000413000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Google Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lssas.exe"	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lssas.exe"	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exelssas.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	lssas.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	lssas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exelssas.exe

description	pid	process	target process
PID 1032 set thread context of 1684	1032	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe
PID 4884 set thread context of 4040	4884	lssas.exe	lssas.exe

Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

2732 taskkill.exe
4420 taskkill.exe
3332 taskkill.exe
2748 taskkill.exe

pid	process
2732	taskkill.exe
4420	taskkill.exe
3332	taskkill.exe
2748	taskkill.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	4420	taskkill.exe
Token: SeDebugPrivilege	2732	taskkill.exe
Token: SeDebugPrivilege	2748	taskkill.exe
Token: SeDebugPrivilege	3332	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exelssas.exe

pid process

1032 a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe
4884 lssas.exe

pid	process
1032	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe
4884	lssas.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exea6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exelssas.exe

description	pid	process	target process
PID 1032 wrote to memory of 1684	1032	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe
PID 1032 wrote to memory of 1684	1032	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe
PID 1032 wrote to memory of 1684	1032	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe
PID 1032 wrote to memory of 1684	1032	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe
PID 1032 wrote to memory of 1684	1032	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe
PID 1032 wrote to memory of 1684	1032	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe
PID 1032 wrote to memory of 1684	1032	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe
PID 1032 wrote to memory of 1684	1032	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe
PID 1684 wrote to memory of 4220	1684	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	netsh.exe
PID 1684 wrote to memory of 4220	1684	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	netsh.exe
PID 1684 wrote to memory of 4220	1684	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	netsh.exe
PID 1684 wrote to memory of 4420	1684	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	taskkill.exe
PID 1684 wrote to memory of 4420	1684	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	taskkill.exe
PID 1684 wrote to memory of 4420	1684	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	taskkill.exe
PID 1684 wrote to memory of 3332	1684	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	taskkill.exe
PID 1684 wrote to memory of 3332	1684	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	taskkill.exe
PID 1684 wrote to memory of 3332	1684	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	taskkill.exe
PID 1684 wrote to memory of 2748	1684	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	taskkill.exe
PID 1684 wrote to memory of 2748	1684	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	taskkill.exe
PID 1684 wrote to memory of 2748	1684	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	taskkill.exe
PID 1684 wrote to memory of 2732	1684	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	taskkill.exe
PID 1684 wrote to memory of 2732	1684	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	taskkill.exe
PID 1684 wrote to memory of 2732	1684	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	taskkill.exe
PID 1684 wrote to memory of 4884	1684	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	lssas.exe
PID 1684 wrote to memory of 4884	1684	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	lssas.exe
PID 1684 wrote to memory of 4884	1684	a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe	lssas.exe
PID 4884 wrote to memory of 4040	4884	lssas.exe	lssas.exe
PID 4884 wrote to memory of 4040	4884	lssas.exe	lssas.exe
PID 4884 wrote to memory of 4040	4884	lssas.exe	lssas.exe
PID 4884 wrote to memory of 4040	4884	lssas.exe	lssas.exe
PID 4884 wrote to memory of 4040	4884	lssas.exe	lssas.exe
PID 4884 wrote to memory of 4040	4884	lssas.exe	lssas.exe
PID 4884 wrote to memory of 4040	4884	lssas.exe	lssas.exe
PID 4884 wrote to memory of 4040	4884	lssas.exe	lssas.exe

C:\Users\Admin\AppData\Local\Temp\a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe
"C:\Users\Admin\AppData\Local\Temp\a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe"
1⤵
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1032

C:\Users\Admin\AppData\Local\Temp\a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe
C:\Users\Admin\AppData\Local\Temp\a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b.exe
2⤵
- Modifies firewall policy service
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram C:\Users\Admin\AppData\Local\Temp\lssas.exe WindowsSafety ENABLE
3⤵
- Modifies Windows Firewall
PID:4220

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM winlog.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4420

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM svchost.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3332

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM csrss.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM lsass.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Users\Admin\AppData\Local\Temp\lssas.exe
"C:\Users\Admin\AppData\Local\Temp\lssas.exe"
3⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4884

C:\Users\Admin\AppData\Local\Temp\lssas.exe
C:\Users\Admin\AppData\Local\Temp\lssas.exe
4⤵
- Executes dropped EXE
PID:4040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lssas.exe

Filesize
132KB

MD5
52c46d7818f7ebe5d5ce91a9fec8f500

SHA1
21c8805de8f489c1a857023992f941cc34a8a983

SHA256
a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b

SHA512
91a04c5da0692406b69bb17255b375d34fc44236d0d8971259ffbecd2085a6c9a1cb738f59cc5417deeca7d88684142f3bc830e0901ddd04c269e466b86101c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\lssas.exe

Filesize
132KB

MD5
52c46d7818f7ebe5d5ce91a9fec8f500

SHA1
21c8805de8f489c1a857023992f941cc34a8a983

SHA256
a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b

SHA512
91a04c5da0692406b69bb17255b375d34fc44236d0d8971259ffbecd2085a6c9a1cb738f59cc5417deeca7d88684142f3bc830e0901ddd04c269e466b86101c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\lssas.exe

Filesize
132KB

MD5
52c46d7818f7ebe5d5ce91a9fec8f500

SHA1
21c8805de8f489c1a857023992f941cc34a8a983

SHA256
a6c755e2ffef540d8be6513b4b9f24b45ce3d55fa5987fa6a76bc29ae72f971b

SHA512
91a04c5da0692406b69bb17255b375d34fc44236d0d8971259ffbecd2085a6c9a1cb738f59cc5417deeca7d88684142f3bc830e0901ddd04c269e466b86101c2

Download Submit
memory/1032-134-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1032-139-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1684-136-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1684-135-0x0000000000000000-mapping.dmp

Download
memory/1684-138-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1684-140-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1684-151-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2732-145-0x0000000000000000-mapping.dmp

Download
memory/2748-144-0x0000000000000000-mapping.dmp

Download
memory/3332-143-0x0000000000000000-mapping.dmp

Download
memory/4040-153-0x0000000000000000-mapping.dmp

Download
memory/4040-157-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4040-159-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4040-160-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4220-141-0x0000000000000000-mapping.dmp

Download
memory/4420-142-0x0000000000000000-mapping.dmp

Download
memory/4884-146-0x0000000000000000-mapping.dmp

Download
memory/4884-152-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4884-158-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads