800348d738b503fe6758c8a053bca5be46a58c9b63c9bdcb6c88660f6ef03dd0

General

Target

800348d738b503fe6758c8a053bca5be46a58c9b63c9bdcb6c88660f6ef03dd0.exe
Size

33KB
MD5

c61c12a079c2a36fe1400e3e6ca3ba7c
SHA1

29042b356c6a0b993fe3882d6fa3e1864ee0bea2
SHA256

800348d738b503fe6758c8a053bca5be46a58c9b63c9bdcb6c88660f6ef03dd0
SHA512

d3543e20019efd8aa3976119b5ea10b0b1c71295a13f6fe6ae7fb3b6af9d1a7db2a22df585e513135e37b24ddff43848b0edb63ebc9703d35d54acab20282e21
SSDEEP

768:tU6lOwkh7JsymO9YFymb68dZxowwN41IoEI4wy741uM:swilsymO9BmNFwN4Yi5L

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2036	lsass.exe
1184	lsass.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Debugs.inf	800348d738b503fe6758c8a053bca5be46a58c9b63c9bdcb6c88660f6ef03dd0.exe
File created	C:\Windows\lsass.exe	800348d738b503fe6758c8a053bca5be46a58c9b63c9bdcb6c88660f6ef03dd0.exe
File opened for modification	C:\Windows\lsass.exe	800348d738b503fe6758c8a053bca5be46a58c9b63c9bdcb6c88660f6ef03dd0.exe
File created	C:\Windows\Debugs.inf	lsass.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
836	800348d738b503fe6758c8a053bca5be46a58c9b63c9bdcb6c88660f6ef03dd0.exe
1932	800348d738b503fe6758c8a053bca5be46a58c9b63c9bdcb6c88660f6ef03dd0.exe
2036	lsass.exe
1184	lsass.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 1932	836	800348d738b503fe6758c8a053bca5be46a58c9b63c9bdcb6c88660f6ef03dd0.exe	27
PID 836 wrote to memory of 1932	836	800348d738b503fe6758c8a053bca5be46a58c9b63c9bdcb6c88660f6ef03dd0.exe	27
PID 836 wrote to memory of 1932	836	800348d738b503fe6758c8a053bca5be46a58c9b63c9bdcb6c88660f6ef03dd0.exe	27
PID 836 wrote to memory of 1932	836	800348d738b503fe6758c8a053bca5be46a58c9b63c9bdcb6c88660f6ef03dd0.exe	27
PID 836 wrote to memory of 1932	836	800348d738b503fe6758c8a053bca5be46a58c9b63c9bdcb6c88660f6ef03dd0.exe	27
PID 836 wrote to memory of 1932	836	800348d738b503fe6758c8a053bca5be46a58c9b63c9bdcb6c88660f6ef03dd0.exe	27
PID 836 wrote to memory of 1932	836	800348d738b503fe6758c8a053bca5be46a58c9b63c9bdcb6c88660f6ef03dd0.exe	27
PID 1932 wrote to memory of 2036	1932	800348d738b503fe6758c8a053bca5be46a58c9b63c9bdcb6c88660f6ef03dd0.exe	28
PID 1932 wrote to memory of 2036	1932	800348d738b503fe6758c8a053bca5be46a58c9b63c9bdcb6c88660f6ef03dd0.exe	28
PID 1932 wrote to memory of 2036	1932	800348d738b503fe6758c8a053bca5be46a58c9b63c9bdcb6c88660f6ef03dd0.exe	28
PID 1932 wrote to memory of 2036	1932	800348d738b503fe6758c8a053bca5be46a58c9b63c9bdcb6c88660f6ef03dd0.exe	28
PID 1932 wrote to memory of 2036	1932	800348d738b503fe6758c8a053bca5be46a58c9b63c9bdcb6c88660f6ef03dd0.exe	28
PID 1932 wrote to memory of 2036	1932	800348d738b503fe6758c8a053bca5be46a58c9b63c9bdcb6c88660f6ef03dd0.exe	28
PID 1932 wrote to memory of 2036	1932	800348d738b503fe6758c8a053bca5be46a58c9b63c9bdcb6c88660f6ef03dd0.exe	28
PID 2036 wrote to memory of 1184	2036	lsass.exe	29
PID 2036 wrote to memory of 1184	2036	lsass.exe	29
PID 2036 wrote to memory of 1184	2036	lsass.exe	29
PID 2036 wrote to memory of 1184	2036	lsass.exe	29
PID 2036 wrote to memory of 1184	2036	lsass.exe	29
PID 2036 wrote to memory of 1184	2036	lsass.exe	29
PID 2036 wrote to memory of 1184	2036	lsass.exe	29

C:\Users\Admin\AppData\Local\Temp\800348d738b503fe6758c8a053bca5be46a58c9b63c9bdcb6c88660f6ef03dd0.exe
"C:\Users\Admin\AppData\Local\Temp\800348d738b503fe6758c8a053bca5be46a58c9b63c9bdcb6c88660f6ef03dd0.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:836
- C:\Users\Admin\AppData\Local\Temp\800348d738b503fe6758c8a053bca5be46a58c9b63c9bdcb6c88660f6ef03dd0.exe
  "C:\Users\Admin\AppData\Local\Temp\800348d738b503fe6758c8a053bca5be46a58c9b63c9bdcb6c88660f6ef03dd0.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\lsass.exe
    "C:\Windows\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2036
  - - C:\Windows\lsass.exe
      "C:\Windows\lsass.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1184

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\lsass.exe

Filesize
12.2MB

MD5
0b6e42d301b3bd6637b292986e52d6e5

SHA1
7009656d8ccd31572b65500664b78b0eb51b89e7

SHA256
e50ddc6fa894ebea5ff8df68b766e0d69b030bdf74f6fcea1583e06096b75d65

SHA512
662ca48a7e496eb4de3b7ee63d451c5ae3806e08b972618188fe1eab85c41a544c16956dd604440bcd6d4a42b030de81003e225c805d6a59986089f2f9bc812a

Download Submit
C:\Windows\lsass.exe

Filesize
12.2MB

MD5
0b6e42d301b3bd6637b292986e52d6e5

SHA1
7009656d8ccd31572b65500664b78b0eb51b89e7

SHA256
e50ddc6fa894ebea5ff8df68b766e0d69b030bdf74f6fcea1583e06096b75d65

SHA512
662ca48a7e496eb4de3b7ee63d451c5ae3806e08b972618188fe1eab85c41a544c16956dd604440bcd6d4a42b030de81003e225c805d6a59986089f2f9bc812a

Download Submit
C:\Windows\lsass.exe

Filesize
12.2MB

MD5
0b6e42d301b3bd6637b292986e52d6e5

SHA1
7009656d8ccd31572b65500664b78b0eb51b89e7

SHA256
e50ddc6fa894ebea5ff8df68b766e0d69b030bdf74f6fcea1583e06096b75d65

SHA512
662ca48a7e496eb4de3b7ee63d451c5ae3806e08b972618188fe1eab85c41a544c16956dd604440bcd6d4a42b030de81003e225c805d6a59986089f2f9bc812a

Download Submit
memory/836-55-0x0000000000400000-0x000000000041C550-memory.dmp

Filesize
113KB

Download
memory/836-57-0x0000000000400000-0x000000000041C550-memory.dmp

Filesize
113KB

Download
memory/836-54-0x0000000076401000-0x0000000076403000-memory.dmp

Filesize
8KB

Download
memory/1184-75-0x0000000000400000-0x000000000041C550-memory.dmp

Filesize
113KB

Download
memory/1184-76-0x0000000000020000-0x000000000003D000-memory.dmp

Filesize
116KB

Download
memory/1184-74-0x0000000000020000-0x000000000003D000-memory.dmp

Filesize
116KB

Download
memory/1184-73-0x0000000000400000-0x000000000041C550-memory.dmp

Filesize
113KB

Download
memory/1932-60-0x0000000000020000-0x000000000003D000-memory.dmp

Filesize
116KB

Download
memory/1932-62-0x0000000000400000-0x000000000041C550-memory.dmp

Filesize
113KB

Download
memory/1932-61-0x0000000000020000-0x000000000003D000-memory.dmp

Filesize
116KB

Download
memory/2036-71-0x0000000000400000-0x000000000041C550-memory.dmp

Filesize
113KB

Download
memory/2036-66-0x0000000000400000-0x000000000041C550-memory.dmp

Filesize
113KB

Download
memory/2036-65-0x0000000000400000-0x000000000041C550-memory.dmp

Filesize
113KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads