bab7f8ae02d46854b3e05c9f63c24aa2883d099563f0aafa4450542c2efab114

Analysis

max time kernel
342s
max time network
445s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 18:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bab7f8ae02d46854b3e05c9f63c24aa2883d099563f0aafa4450542c2efab114.exe
Size

128KB
MD5

fdba2fdc920edb859925e7997db9d9ff
SHA1

af9f19c7b38d3736f041511aa56bb5f98ddee849
SHA256

bab7f8ae02d46854b3e05c9f63c24aa2883d099563f0aafa4450542c2efab114
SHA512

693e738eeb1af0c507e4442eaa8ddff4bbfef395d5b3d57c8d2957f38877be7720af7b02a53d5f0cdeb9bbb65638ca0d2759582725f9321830523f63de6aa9b5
SSDEEP

1536:8z+9ChAiZ+3+ih2HRGc820fs3MM+xP//3mmSIqeaxls1DzU3y:Q+BiUOY2HRG/2ms3MM+xPwIqeaxly+y

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CeCo = "C:\\Windows\\lasas.exe"	bab7f8ae02d46854b3e05c9f63c24aa2883d099563f0aafa4450542c2efab114.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	bab7f8ae02d46854b3e05c9f63c24aa2883d099563f0aafa4450542c2efab114.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\svchest.exe	lasas.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\lasas.exe	bab7f8ae02d46854b3e05c9f63c24aa2883d099563f0aafa4450542c2efab114.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
3620	taskkill.exe
4640	taskkill.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1912	bab7f8ae02d46854b3e05c9f63c24aa2883d099563f0aafa4450542c2efab114.exe
1912	bab7f8ae02d46854b3e05c9f63c24aa2883d099563f0aafa4450542c2efab114.exe
1912	bab7f8ae02d46854b3e05c9f63c24aa2883d099563f0aafa4450542c2efab114.exe
1912	bab7f8ae02d46854b3e05c9f63c24aa2883d099563f0aafa4450542c2efab114.exe
1912	bab7f8ae02d46854b3e05c9f63c24aa2883d099563f0aafa4450542c2efab114.exe
1912	bab7f8ae02d46854b3e05c9f63c24aa2883d099563f0aafa4450542c2efab114.exe
1912	bab7f8ae02d46854b3e05c9f63c24aa2883d099563f0aafa4450542c2efab114.exe
1912	bab7f8ae02d46854b3e05c9f63c24aa2883d099563f0aafa4450542c2efab114.exe
1912	bab7f8ae02d46854b3e05c9f63c24aa2883d099563f0aafa4450542c2efab114.exe
1912	bab7f8ae02d46854b3e05c9f63c24aa2883d099563f0aafa4450542c2efab114.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1912	bab7f8ae02d46854b3e05c9f63c24aa2883d099563f0aafa4450542c2efab114.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3620	taskkill.exe
Token: SeDebugPrivilege	4640	taskkill.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 3620	1912	bab7f8ae02d46854b3e05c9f63c24aa2883d099563f0aafa4450542c2efab114.exe	83
PID 1912 wrote to memory of 3620	1912	bab7f8ae02d46854b3e05c9f63c24aa2883d099563f0aafa4450542c2efab114.exe	83
PID 1912 wrote to memory of 3620	1912	bab7f8ae02d46854b3e05c9f63c24aa2883d099563f0aafa4450542c2efab114.exe	83
PID 1912 wrote to memory of 3632	1912	bab7f8ae02d46854b3e05c9f63c24aa2883d099563f0aafa4450542c2efab114.exe	85
PID 1912 wrote to memory of 3632	1912	bab7f8ae02d46854b3e05c9f63c24aa2883d099563f0aafa4450542c2efab114.exe	85
PID 1912 wrote to memory of 3632	1912	bab7f8ae02d46854b3e05c9f63c24aa2883d099563f0aafa4450542c2efab114.exe	85
PID 3632 wrote to memory of 4640	3632	lasas.exe	86
PID 3632 wrote to memory of 4640	3632	lasas.exe	86
PID 3632 wrote to memory of 4640	3632	lasas.exe	86

C:\Users\Admin\AppData\Local\Temp\bab7f8ae02d46854b3e05c9f63c24aa2883d099563f0aafa4450542c2efab114.exe
"C:\Users\Admin\AppData\Local\Temp\bab7f8ae02d46854b3e05c9f63c24aa2883d099563f0aafa4450542c2efab114.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Ksafetray.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3620
- C:\Windows\lasas.exe
  C:\Windows\lasas.exe
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:3632
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Ksafetray.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads