ef2dc2cd3239f15d35b9067d555ea7fa452186e38ef0958bcfa1320e93a36d56

General

Target

ef2dc2cd3239f15d35b9067d555ea7fa452186e38ef0958bcfa1320e93a36d56.exe
Size

573KB
MD5

5cb746bc6469b5079b20affbccd3ea97
SHA1

358b93b9e9db12c44ad857168e0d61bc36a3e0cc
SHA256

ef2dc2cd3239f15d35b9067d555ea7fa452186e38ef0958bcfa1320e93a36d56
SHA512

38ab4beebf8edbf0d50e212569aeb81b7e83aa65969667bbf6c901561c30009504f8275303160ba57c112ef94730c79f9e877bfe17e0485ae484aa49703f3758
SSDEEP

12288:PyTOA0bbXTYx9xsx6F25VEgcGrkVEBU3LC:PxJkCx6FgRcuk2MLC

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\lsass.exe	ef2dc2cd3239f15d35b9067d555ea7fa452186e38ef0958bcfa1320e93a36d56.exe
File created	C:\Windows\SysWOW64\drivers\lsass.exe	lsass.exe

Executes dropped EXE 2 IoCs

pid	Process
1624	lsass.exe
1552	ef2dc2cd3239f15d35b9067d555ea7fa452186e38ef0958bcfa1320e93a36d56.~tmp

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif	lsass.exe

Loads dropped DLL 3 IoCs

pid	Process
1044	ef2dc2cd3239f15d35b9067d555ea7fa452186e38ef0958bcfa1320e93a36d56.exe
1044	ef2dc2cd3239f15d35b9067d555ea7fa452186e38ef0958bcfa1320e93a36d56.exe
1044	ef2dc2cd3239f15d35b9067d555ea7fa452186e38ef0958bcfa1320e93a36d56.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	lsass.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1044	ef2dc2cd3239f15d35b9067d555ea7fa452186e38ef0958bcfa1320e93a36d56.exe
1044	ef2dc2cd3239f15d35b9067d555ea7fa452186e38ef0958bcfa1320e93a36d56.exe
1624	lsass.exe
1624	lsass.exe
1552	ef2dc2cd3239f15d35b9067d555ea7fa452186e38ef0958bcfa1320e93a36d56.~tmp

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 1624	1044	ef2dc2cd3239f15d35b9067d555ea7fa452186e38ef0958bcfa1320e93a36d56.exe	28
PID 1044 wrote to memory of 1624	1044	ef2dc2cd3239f15d35b9067d555ea7fa452186e38ef0958bcfa1320e93a36d56.exe	28
PID 1044 wrote to memory of 1624	1044	ef2dc2cd3239f15d35b9067d555ea7fa452186e38ef0958bcfa1320e93a36d56.exe	28
PID 1044 wrote to memory of 1624	1044	ef2dc2cd3239f15d35b9067d555ea7fa452186e38ef0958bcfa1320e93a36d56.exe	28
PID 1044 wrote to memory of 1552	1044	ef2dc2cd3239f15d35b9067d555ea7fa452186e38ef0958bcfa1320e93a36d56.exe	29
PID 1044 wrote to memory of 1552	1044	ef2dc2cd3239f15d35b9067d555ea7fa452186e38ef0958bcfa1320e93a36d56.exe	29
PID 1044 wrote to memory of 1552	1044	ef2dc2cd3239f15d35b9067d555ea7fa452186e38ef0958bcfa1320e93a36d56.exe	29
PID 1044 wrote to memory of 1552	1044	ef2dc2cd3239f15d35b9067d555ea7fa452186e38ef0958bcfa1320e93a36d56.exe	29
PID 1044 wrote to memory of 1552	1044	ef2dc2cd3239f15d35b9067d555ea7fa452186e38ef0958bcfa1320e93a36d56.exe	29
PID 1044 wrote to memory of 1552	1044	ef2dc2cd3239f15d35b9067d555ea7fa452186e38ef0958bcfa1320e93a36d56.exe	29
PID 1044 wrote to memory of 1552	1044	ef2dc2cd3239f15d35b9067d555ea7fa452186e38ef0958bcfa1320e93a36d56.exe	29

C:\Users\Admin\AppData\Local\Temp\ef2dc2cd3239f15d35b9067d555ea7fa452186e38ef0958bcfa1320e93a36d56.exe
"C:\Users\Admin\AppData\Local\Temp\ef2dc2cd3239f15d35b9067d555ea7fa452186e38ef0958bcfa1320e93a36d56.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Windows\SysWOW64\drivers\lsass.exe
  "C:\Windows\system32\drivers\lsass.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops startup file
  - Enumerates connected drives
  - Suspicious use of SetWindowsHookEx
  PID:1624
- C:\Users\Admin\AppData\Local\Temp\ef2dc2cd3239f15d35b9067d555ea7fa452186e38ef0958bcfa1320e93a36d56.~tmp
  "C:\Users\Admin\AppData\Local\Temp\ef2dc2cd3239f15d35b9067d555ea7fa452186e38ef0958bcfa1320e93a36d56.~tmp "
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ef2dc2cd3239f15d35b9067d555ea7fa452186e38ef0958bcfa1320e93a36d56.~tmp

Filesize
509KB

MD5
719607d7f0308742d5d1d4087a6ff6bf

SHA1
3ef62ab3155aef6e7988bc3b761b10152c48b38d

SHA256
aaccc3add56c7fa9def0de7dcd6faba5242fe14daeb72fecd3bffcfeec482af9

SHA512
608830235e4c27b3d11b120dc84d4f19d8724c6b62bce59d57141ce2dd60709c220f28710bec338c7fc64b72a2e8f90a3e4794fc7afd8048fda17ea2a43be245

Download Submit
C:\Users\Admin\AppData\Local\Temp\ef2dc2cd3239f15d35b9067d555ea7fa452186e38ef0958bcfa1320e93a36d56.~tmp

Filesize
509KB

MD5
719607d7f0308742d5d1d4087a6ff6bf

SHA1
3ef62ab3155aef6e7988bc3b761b10152c48b38d

SHA256
aaccc3add56c7fa9def0de7dcd6faba5242fe14daeb72fecd3bffcfeec482af9

SHA512
608830235e4c27b3d11b120dc84d4f19d8724c6b62bce59d57141ce2dd60709c220f28710bec338c7fc64b72a2e8f90a3e4794fc7afd8048fda17ea2a43be245

Download Submit
C:\Windows\SysWOW64\drivers\lsass.exe

Filesize
32KB

MD5
669ffd1dd6fb7a0e4ddbc3ad3b76507b

SHA1
372820d6b9350ad629a489d49876d8bd422b8f31

SHA256
7dc487e762e55ffa601480c4bc7948f85fcd4f025665ff599060ec1f81d7e986

SHA512
cd69694ad3316c768dbe0d1514060870568c67a50785b38d402eb16e94740c5ae351eb6d47284630a2505fac50c9777bedef85608571c85385b1b9c1f12d73f5

Download Submit
C:\Windows\SysWOW64\drivers\lsass.exe

Filesize
32KB

MD5
669ffd1dd6fb7a0e4ddbc3ad3b76507b

SHA1
372820d6b9350ad629a489d49876d8bd422b8f31

SHA256
7dc487e762e55ffa601480c4bc7948f85fcd4f025665ff599060ec1f81d7e986

SHA512
cd69694ad3316c768dbe0d1514060870568c67a50785b38d402eb16e94740c5ae351eb6d47284630a2505fac50c9777bedef85608571c85385b1b9c1f12d73f5

Download Submit
\Users\Admin\AppData\Local\Temp\ef2dc2cd3239f15d35b9067d555ea7fa452186e38ef0958bcfa1320e93a36d56.~tmp

Filesize
509KB

MD5
719607d7f0308742d5d1d4087a6ff6bf

SHA1
3ef62ab3155aef6e7988bc3b761b10152c48b38d

SHA256
aaccc3add56c7fa9def0de7dcd6faba5242fe14daeb72fecd3bffcfeec482af9

SHA512
608830235e4c27b3d11b120dc84d4f19d8724c6b62bce59d57141ce2dd60709c220f28710bec338c7fc64b72a2e8f90a3e4794fc7afd8048fda17ea2a43be245

Download Submit
\Windows\SysWOW64\drivers\lsass.exe

Filesize
32KB

MD5
669ffd1dd6fb7a0e4ddbc3ad3b76507b

SHA1
372820d6b9350ad629a489d49876d8bd422b8f31

SHA256
7dc487e762e55ffa601480c4bc7948f85fcd4f025665ff599060ec1f81d7e986

SHA512
cd69694ad3316c768dbe0d1514060870568c67a50785b38d402eb16e94740c5ae351eb6d47284630a2505fac50c9777bedef85608571c85385b1b9c1f12d73f5

Download Submit
\Windows\SysWOW64\drivers\lsass.exe

Filesize
32KB

MD5
669ffd1dd6fb7a0e4ddbc3ad3b76507b

SHA1
372820d6b9350ad629a489d49876d8bd422b8f31

SHA256
7dc487e762e55ffa601480c4bc7948f85fcd4f025665ff599060ec1f81d7e986

SHA512
cd69694ad3316c768dbe0d1514060870568c67a50785b38d402eb16e94740c5ae351eb6d47284630a2505fac50c9777bedef85608571c85385b1b9c1f12d73f5

Download Submit
memory/1044-54-0x0000000075501000-0x0000000075503000-memory.dmp

Filesize
8KB

Download
memory/1552-62-0x0000000000000000-mapping.dmp

Download
memory/1624-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing