52b664beaf1ea12a3090e831489ba4f5487ecd2de54e31194c8d920d7f29cf42

General

Target

52b664beaf1ea12a3090e831489ba4f5487ecd2de54e31194c8d920d7f29cf42.exe
Size

93KB
MD5

c12d14e80d88e682ab7a40c430dc3d02
SHA1

0451d994a6cfac8d5f5d93a540df9deb543a149e
SHA256

52b664beaf1ea12a3090e831489ba4f5487ecd2de54e31194c8d920d7f29cf42
SHA512

8145f06d1499b6a53ec07e6e5d19a0090297ee4e3395d34380c41ff69a7366eb740cabaefd663d9020cf9f34cb501b3f3e97ec4fb3c1eb0ea6c8601c539ac34c
SSDEEP

1536:+HxCaqYLXJOfEbvdTvqGORq0H/waHXxoqNFcMeYxoPRQf:+Hx8YL02HamwFDoPy

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

lsass.exe

pid process

1684 lsass.exe

pid	process
1684	lsass.exe

Drops startup file 1 IoCs

Processes:

52b664beaf1ea12a3090e831489ba4f5487ecd2de54e31194c8d920d7f29cf42.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe	52b664beaf1ea12a3090e831489ba4f5487ecd2de54e31194c8d920d7f29cf42.exe

Loads dropped DLL 2 IoCs

Processes:

52b664beaf1ea12a3090e831489ba4f5487ecd2de54e31194c8d920d7f29cf42.exe

pid	process
1236	52b664beaf1ea12a3090e831489ba4f5487ecd2de54e31194c8d920d7f29cf42.exe
1236	52b664beaf1ea12a3090e831489ba4f5487ecd2de54e31194c8d920d7f29cf42.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pid process

1200
1200
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1200
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

lsass.exeexplorer.exe

pid process

1684 lsass.exe
300 explorer.exe
1200
1200

pid	process
1200
1200

pid	process
1200

pid	process
1684	lsass.exe
300	explorer.exe
1200
1200

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

52b664beaf1ea12a3090e831489ba4f5487ecd2de54e31194c8d920d7f29cf42.exelsass.exe

description	pid	process
Token: SeDebugPrivilege	1236	52b664beaf1ea12a3090e831489ba4f5487ecd2de54e31194c8d920d7f29cf42.exe
Token: SeDebugPrivilege	1684	lsass.exe
Token: SeDebugPrivilege	1200

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1200
1200
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1200
1200

pid	process
1200
1200

pid	process
1200
1200

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

52b664beaf1ea12a3090e831489ba4f5487ecd2de54e31194c8d920d7f29cf42.exelsass.exe

description	pid	process	target process
PID 1236 wrote to memory of 1684	1236	52b664beaf1ea12a3090e831489ba4f5487ecd2de54e31194c8d920d7f29cf42.exe	lsass.exe
PID 1236 wrote to memory of 1684	1236	52b664beaf1ea12a3090e831489ba4f5487ecd2de54e31194c8d920d7f29cf42.exe	lsass.exe
PID 1236 wrote to memory of 1684	1236	52b664beaf1ea12a3090e831489ba4f5487ecd2de54e31194c8d920d7f29cf42.exe	lsass.exe
PID 1236 wrote to memory of 1684	1236	52b664beaf1ea12a3090e831489ba4f5487ecd2de54e31194c8d920d7f29cf42.exe	lsass.exe
PID 1684 wrote to memory of 300	1684	lsass.exe	explorer.exe
PID 1684 wrote to memory of 300	1684	lsass.exe	explorer.exe
PID 1684 wrote to memory of 300	1684	lsass.exe	explorer.exe
PID 1684 wrote to memory of 300	1684	lsass.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\52b664beaf1ea12a3090e831489ba4f5487ecd2de54e31194c8d920d7f29cf42.exe
"C:\Users\Admin\AppData\Local\Temp\52b664beaf1ea12a3090e831489ba4f5487ecd2de54e31194c8d920d7f29cf42.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1236

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\explorer.exe
C:\Windows\explorer.exe
3⤵
- Suspicious behavior: MapViewOfSection
PID:300

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe
Filesize
93KB

MD5
c12d14e80d88e682ab7a40c430dc3d02

SHA1
0451d994a6cfac8d5f5d93a540df9deb543a149e

SHA256
52b664beaf1ea12a3090e831489ba4f5487ecd2de54e31194c8d920d7f29cf42

SHA512
8145f06d1499b6a53ec07e6e5d19a0090297ee4e3395d34380c41ff69a7366eb740cabaefd663d9020cf9f34cb501b3f3e97ec4fb3c1eb0ea6c8601c539ac34c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe
Filesize
93KB

MD5
c12d14e80d88e682ab7a40c430dc3d02

SHA1
0451d994a6cfac8d5f5d93a540df9deb543a149e

SHA256
52b664beaf1ea12a3090e831489ba4f5487ecd2de54e31194c8d920d7f29cf42

SHA512
8145f06d1499b6a53ec07e6e5d19a0090297ee4e3395d34380c41ff69a7366eb740cabaefd663d9020cf9f34cb501b3f3e97ec4fb3c1eb0ea6c8601c539ac34c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe
Filesize
93KB

MD5
c12d14e80d88e682ab7a40c430dc3d02

SHA1
0451d994a6cfac8d5f5d93a540df9deb543a149e

SHA256
52b664beaf1ea12a3090e831489ba4f5487ecd2de54e31194c8d920d7f29cf42

SHA512
8145f06d1499b6a53ec07e6e5d19a0090297ee4e3395d34380c41ff69a7366eb740cabaefd663d9020cf9f34cb501b3f3e97ec4fb3c1eb0ea6c8601c539ac34c

Download Submit
memory/300-61-0x0000000000000000-mapping.dmp

Download
memory/300-64-0x0000000000060000-0x0000000000087000-memory.dmp

Filesize
156KB

Download
memory/1112-68-0x0000000001BC0000-0x0000000001BE7000-memory.dmp

Filesize
156KB

Download
memory/1168-67-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1200-65-0x0000000002A10000-0x0000000002A37000-memory.dmp

Filesize
156KB

Download
memory/1200-66-0x0000000002210000-0x0000000002222000-memory.dmp

Filesize
72KB

Download
memory/1236-58-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1236-54-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/1684-57-0x0000000000000000-mapping.dmp

Download
memory/1684-62-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1684-63-0x00000000001F0000-0x0000000000217000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads