Analysis
-
max time kernel
151s -
max time network
34s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
23-11-2022 18:50
Static task
static1
Behavioral task
behavioral1
Sample
51b6f6d7cc053e21a13cd9e0832de51a65fbdc5d527737082b7b1b12417f936c.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
51b6f6d7cc053e21a13cd9e0832de51a65fbdc5d527737082b7b1b12417f936c.exe
Resource
win10v2004-20220812-en
General
-
Target
51b6f6d7cc053e21a13cd9e0832de51a65fbdc5d527737082b7b1b12417f936c.exe
-
Size
444KB
-
MD5
56e9b0fbe41b8a3e96fb28e02ca96a70
-
SHA1
bc04ac2c58f805b0c97b07076d1de4e0b981a1c3
-
SHA256
51b6f6d7cc053e21a13cd9e0832de51a65fbdc5d527737082b7b1b12417f936c
-
SHA512
519dbab949a697d3df3671781d90ab7eac5d726dd56c73a737290d7dff4f52500c27c8ecfa1feb712216b99192183ef4f307b0c61b533de9bfb1edae9259aad6
-
SSDEEP
12288:PFMeCb6yOIKgUnqN9ugSNkvm9f+MgvLwabghCE2SN7YDansz6J7yCXjmZfMc3edD:PXOSN7YDansWJ7yimS
Malware Config
Signatures
-
Drops file in Drivers directory 2 IoCs
Processes:
51b6f6d7cc053e21a13cd9e0832de51a65fbdc5d527737082b7b1b12417f936c.exelsass.exedescription ioc process File created C:\Windows\SysWOW64\drivers\lsass.exe 51b6f6d7cc053e21a13cd9e0832de51a65fbdc5d527737082b7b1b12417f936c.exe File created C:\Windows\SysWOW64\drivers\lsass.exe lsass.exe -
Executes dropped EXE 2 IoCs
Processes:
lsass.exe51b6f6d7cc053e21a13cd9e0832de51a65fbdc5d527737082b7b1b12417f936c.~tmppid process 1700 lsass.exe 1496 51b6f6d7cc053e21a13cd9e0832de51a65fbdc5d527737082b7b1b12417f936c.~tmp -
Drops startup file 1 IoCs
Processes:
lsass.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif lsass.exe -
Loads dropped DLL 4 IoCs
Processes:
51b6f6d7cc053e21a13cd9e0832de51a65fbdc5d527737082b7b1b12417f936c.exepid process 788 51b6f6d7cc053e21a13cd9e0832de51a65fbdc5d527737082b7b1b12417f936c.exe 788 51b6f6d7cc053e21a13cd9e0832de51a65fbdc5d527737082b7b1b12417f936c.exe 788 51b6f6d7cc053e21a13cd9e0832de51a65fbdc5d527737082b7b1b12417f936c.exe 788 51b6f6d7cc053e21a13cd9e0832de51a65fbdc5d527737082b7b1b12417f936c.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
lsass.exedescription ioc process File opened (read-only) \??\E: lsass.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
51b6f6d7cc053e21a13cd9e0832de51a65fbdc5d527737082b7b1b12417f936c.exelsass.exepid process 788 51b6f6d7cc053e21a13cd9e0832de51a65fbdc5d527737082b7b1b12417f936c.exe 788 51b6f6d7cc053e21a13cd9e0832de51a65fbdc5d527737082b7b1b12417f936c.exe 1700 lsass.exe 1700 lsass.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
51b6f6d7cc053e21a13cd9e0832de51a65fbdc5d527737082b7b1b12417f936c.exedescription pid process target process PID 788 wrote to memory of 1700 788 51b6f6d7cc053e21a13cd9e0832de51a65fbdc5d527737082b7b1b12417f936c.exe lsass.exe PID 788 wrote to memory of 1700 788 51b6f6d7cc053e21a13cd9e0832de51a65fbdc5d527737082b7b1b12417f936c.exe lsass.exe PID 788 wrote to memory of 1700 788 51b6f6d7cc053e21a13cd9e0832de51a65fbdc5d527737082b7b1b12417f936c.exe lsass.exe PID 788 wrote to memory of 1700 788 51b6f6d7cc053e21a13cd9e0832de51a65fbdc5d527737082b7b1b12417f936c.exe lsass.exe PID 788 wrote to memory of 1496 788 51b6f6d7cc053e21a13cd9e0832de51a65fbdc5d527737082b7b1b12417f936c.exe 51b6f6d7cc053e21a13cd9e0832de51a65fbdc5d527737082b7b1b12417f936c.~tmp PID 788 wrote to memory of 1496 788 51b6f6d7cc053e21a13cd9e0832de51a65fbdc5d527737082b7b1b12417f936c.exe 51b6f6d7cc053e21a13cd9e0832de51a65fbdc5d527737082b7b1b12417f936c.~tmp PID 788 wrote to memory of 1496 788 51b6f6d7cc053e21a13cd9e0832de51a65fbdc5d527737082b7b1b12417f936c.exe 51b6f6d7cc053e21a13cd9e0832de51a65fbdc5d527737082b7b1b12417f936c.~tmp PID 788 wrote to memory of 1496 788 51b6f6d7cc053e21a13cd9e0832de51a65fbdc5d527737082b7b1b12417f936c.exe 51b6f6d7cc053e21a13cd9e0832de51a65fbdc5d527737082b7b1b12417f936c.~tmp
Processes
-
C:\Users\Admin\AppData\Local\Temp\51b6f6d7cc053e21a13cd9e0832de51a65fbdc5d527737082b7b1b12417f936c.exe"C:\Users\Admin\AppData\Local\Temp\51b6f6d7cc053e21a13cd9e0832de51a65fbdc5d527737082b7b1b12417f936c.exe"1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:788 -
C:\Windows\SysWOW64\drivers\lsass.exe"C:\Windows\system32\drivers\lsass.exe"2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops startup file
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
PID:1700 -
C:\Users\Admin\AppData\Local\Temp\51b6f6d7cc053e21a13cd9e0832de51a65fbdc5d527737082b7b1b12417f936c.~tmp"C:\Users\Admin\AppData\Local\Temp\51b6f6d7cc053e21a13cd9e0832de51a65fbdc5d527737082b7b1b12417f936c.~tmp "2⤵
- Executes dropped EXE
PID:1496
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\51b6f6d7cc053e21a13cd9e0832de51a65fbdc5d527737082b7b1b12417f936c.~tmp
Filesize380KB
MD5bee0aa5f2822bacc9069eec563f93e5f
SHA1c590b7a8371c9f79549093d9c1c025a538556f3f
SHA256edca6c4725146c4940c6d3747f123ce10d6656d5880e5c503a90bc0cd8d73bfc
SHA5123dbc51731d1e436a11f3249f17719c95c55be3a8b293ec49c4f885b160f527ff4e31529acecd75c22c688b4e48aa1b7a89b39890bccd9b974f93cfccbfe5b575
-
Filesize
32KB
MD5669ffd1dd6fb7a0e4ddbc3ad3b76507b
SHA1372820d6b9350ad629a489d49876d8bd422b8f31
SHA2567dc487e762e55ffa601480c4bc7948f85fcd4f025665ff599060ec1f81d7e986
SHA512cd69694ad3316c768dbe0d1514060870568c67a50785b38d402eb16e94740c5ae351eb6d47284630a2505fac50c9777bedef85608571c85385b1b9c1f12d73f5
-
Filesize
32KB
MD5669ffd1dd6fb7a0e4ddbc3ad3b76507b
SHA1372820d6b9350ad629a489d49876d8bd422b8f31
SHA2567dc487e762e55ffa601480c4bc7948f85fcd4f025665ff599060ec1f81d7e986
SHA512cd69694ad3316c768dbe0d1514060870568c67a50785b38d402eb16e94740c5ae351eb6d47284630a2505fac50c9777bedef85608571c85385b1b9c1f12d73f5
-
\Users\Admin\AppData\Local\Temp\51b6f6d7cc053e21a13cd9e0832de51a65fbdc5d527737082b7b1b12417f936c.~tmp
Filesize380KB
MD5bee0aa5f2822bacc9069eec563f93e5f
SHA1c590b7a8371c9f79549093d9c1c025a538556f3f
SHA256edca6c4725146c4940c6d3747f123ce10d6656d5880e5c503a90bc0cd8d73bfc
SHA5123dbc51731d1e436a11f3249f17719c95c55be3a8b293ec49c4f885b160f527ff4e31529acecd75c22c688b4e48aa1b7a89b39890bccd9b974f93cfccbfe5b575
-
\Users\Admin\AppData\Local\Temp\51b6f6d7cc053e21a13cd9e0832de51a65fbdc5d527737082b7b1b12417f936c.~tmp
Filesize380KB
MD5bee0aa5f2822bacc9069eec563f93e5f
SHA1c590b7a8371c9f79549093d9c1c025a538556f3f
SHA256edca6c4725146c4940c6d3747f123ce10d6656d5880e5c503a90bc0cd8d73bfc
SHA5123dbc51731d1e436a11f3249f17719c95c55be3a8b293ec49c4f885b160f527ff4e31529acecd75c22c688b4e48aa1b7a89b39890bccd9b974f93cfccbfe5b575
-
Filesize
32KB
MD5669ffd1dd6fb7a0e4ddbc3ad3b76507b
SHA1372820d6b9350ad629a489d49876d8bd422b8f31
SHA2567dc487e762e55ffa601480c4bc7948f85fcd4f025665ff599060ec1f81d7e986
SHA512cd69694ad3316c768dbe0d1514060870568c67a50785b38d402eb16e94740c5ae351eb6d47284630a2505fac50c9777bedef85608571c85385b1b9c1f12d73f5
-
Filesize
32KB
MD5669ffd1dd6fb7a0e4ddbc3ad3b76507b
SHA1372820d6b9350ad629a489d49876d8bd422b8f31
SHA2567dc487e762e55ffa601480c4bc7948f85fcd4f025665ff599060ec1f81d7e986
SHA512cd69694ad3316c768dbe0d1514060870568c67a50785b38d402eb16e94740c5ae351eb6d47284630a2505fac50c9777bedef85608571c85385b1b9c1f12d73f5