bac8c3a225bbbbc6b93c1ca77efbf1cfc5008fbdd69bddec1061e6278f5cfaa0

Analysis

max time kernel
152s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bac8c3a225bbbbc6b93c1ca77efbf1cfc5008fbdd69bddec1061e6278f5cfaa0.exe
Size

460KB
MD5

fa701c98f73d0572c34666f5af43d82f
SHA1

01357c249d9c7657ccf3d65fa6e1e55dd3117623
SHA256

bac8c3a225bbbbc6b93c1ca77efbf1cfc5008fbdd69bddec1061e6278f5cfaa0
SHA512

0654062c74083cfbf108f73f4b390874f943936abf2cdb35322aeb235a412f82acde531520e46224a0637eca7b7c04f12dc72bd7d83ef6262eb5f320133ac05d
SSDEEP

6144:CBapC9DUIYmO5Kv5Q7X/l/rYvkW1VxxfnzrV9UAH0ctkPfc92F8+YLpIh9jhl:9pQD+mO5KWy/zrVbt4fcY7Y9U9jv

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
904	LSASS.exe
1716	LSASS.exe

Loads dropped DLL 2 IoCs

pid	Process
904	LSASS.exe
904	LSASS.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	REG.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	LSASS.exe
File opened (read-only)	\??\L:	LSASS.exe
File opened (read-only)	\??\S:	LSASS.exe
File opened (read-only)	\??\U:	LSASS.exe
File opened (read-only)	\??\Z:	LSASS.exe
File opened (read-only)	\??\P:	LSASS.exe
File opened (read-only)	\??\Q:	LSASS.exe
File opened (read-only)	\??\T:	LSASS.exe
File opened (read-only)	\??\V:	LSASS.exe
File opened (read-only)	\??\X:	LSASS.exe
File opened (read-only)	\??\Y:	LSASS.exe
File opened (read-only)	\??\W:	LSASS.exe
File opened (read-only)	\??\E:	LSASS.exe
File opened (read-only)	\??\G:	LSASS.exe
File opened (read-only)	\??\J:	LSASS.exe
File opened (read-only)	\??\K:	LSASS.exe
File opened (read-only)	\??\M:	LSASS.exe
File opened (read-only)	\??\N:	LSASS.exe
File opened (read-only)	\??\F:	LSASS.exe
File opened (read-only)	\??\I:	LSASS.exe
File opened (read-only)	\??\O:	LSASS.exe
File opened (read-only)	\??\R:	LSASS.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	LSASS.exe
File opened for modification	C:\autorun.inf	LSASS.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\LSASS.exe	bac8c3a225bbbbc6b93c1ca77efbf1cfc5008fbdd69bddec1061e6278f5cfaa0.exe
File opened for modification	C:\Windows\LSASS.exe	bac8c3a225bbbbc6b93c1ca77efbf1cfc5008fbdd69bddec1061e6278f5cfaa0.exe
File opened for modification	C:\Windows\LSASS.exe	LSASS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1552	bac8c3a225bbbbc6b93c1ca77efbf1cfc5008fbdd69bddec1061e6278f5cfaa0.exe
1552	bac8c3a225bbbbc6b93c1ca77efbf1cfc5008fbdd69bddec1061e6278f5cfaa0.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
1716	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe
904	LSASS.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 904	1552	bac8c3a225bbbbc6b93c1ca77efbf1cfc5008fbdd69bddec1061e6278f5cfaa0.exe	26
PID 1552 wrote to memory of 904	1552	bac8c3a225bbbbc6b93c1ca77efbf1cfc5008fbdd69bddec1061e6278f5cfaa0.exe	26
PID 1552 wrote to memory of 904	1552	bac8c3a225bbbbc6b93c1ca77efbf1cfc5008fbdd69bddec1061e6278f5cfaa0.exe	26
PID 1552 wrote to memory of 904	1552	bac8c3a225bbbbc6b93c1ca77efbf1cfc5008fbdd69bddec1061e6278f5cfaa0.exe	26
PID 904 wrote to memory of 1112	904	LSASS.exe	27
PID 904 wrote to memory of 1112	904	LSASS.exe	27
PID 904 wrote to memory of 1112	904	LSASS.exe	27
PID 904 wrote to memory of 1112	904	LSASS.exe	27
PID 904 wrote to memory of 676	904	LSASS.exe	30
PID 904 wrote to memory of 676	904	LSASS.exe	30
PID 904 wrote to memory of 676	904	LSASS.exe	30
PID 904 wrote to memory of 676	904	LSASS.exe	30
PID 904 wrote to memory of 1716	904	LSASS.exe	31
PID 904 wrote to memory of 1716	904	LSASS.exe	31
PID 904 wrote to memory of 1716	904	LSASS.exe	31
PID 904 wrote to memory of 1716	904	LSASS.exe	31
PID 904 wrote to memory of 1660	904	LSASS.exe	32
PID 904 wrote to memory of 1660	904	LSASS.exe	32
PID 904 wrote to memory of 1660	904	LSASS.exe	32
PID 904 wrote to memory of 1660	904	LSASS.exe	32
PID 904 wrote to memory of 1712	904	LSASS.exe	34
PID 904 wrote to memory of 1712	904	LSASS.exe	34
PID 904 wrote to memory of 1712	904	LSASS.exe	34
PID 904 wrote to memory of 1712	904	LSASS.exe	34
PID 904 wrote to memory of 540	904	LSASS.exe	36
PID 904 wrote to memory of 540	904	LSASS.exe	36
PID 904 wrote to memory of 540	904	LSASS.exe	36
PID 904 wrote to memory of 540	904	LSASS.exe	36
PID 904 wrote to memory of 688	904	LSASS.exe	37
PID 904 wrote to memory of 688	904	LSASS.exe	37
PID 904 wrote to memory of 688	904	LSASS.exe	37
PID 904 wrote to memory of 688	904	LSASS.exe	37
PID 904 wrote to memory of 1932	904	LSASS.exe	40
PID 904 wrote to memory of 1932	904	LSASS.exe	40
PID 904 wrote to memory of 1932	904	LSASS.exe	40
PID 904 wrote to memory of 1932	904	LSASS.exe	40
PID 904 wrote to memory of 936	904	LSASS.exe	42
PID 904 wrote to memory of 936	904	LSASS.exe	42
PID 904 wrote to memory of 936	904	LSASS.exe	42
PID 904 wrote to memory of 936	904	LSASS.exe	42
PID 904 wrote to memory of 1772	904	LSASS.exe	44
PID 904 wrote to memory of 1772	904	LSASS.exe	44
PID 904 wrote to memory of 1772	904	LSASS.exe	44
PID 904 wrote to memory of 1772	904	LSASS.exe	44
PID 904 wrote to memory of 800	904	LSASS.exe	47
PID 904 wrote to memory of 800	904	LSASS.exe	47
PID 904 wrote to memory of 800	904	LSASS.exe	47
PID 904 wrote to memory of 800	904	LSASS.exe	47
PID 904 wrote to memory of 1124	904	LSASS.exe	48
PID 904 wrote to memory of 1124	904	LSASS.exe	48
PID 904 wrote to memory of 1124	904	LSASS.exe	48
PID 904 wrote to memory of 1124	904	LSASS.exe	48
PID 904 wrote to memory of 2004	904	LSASS.exe	49
PID 904 wrote to memory of 2004	904	LSASS.exe	49
PID 904 wrote to memory of 2004	904	LSASS.exe	49
PID 904 wrote to memory of 2004	904	LSASS.exe	49
PID 904 wrote to memory of 1556	904	LSASS.exe	52
PID 904 wrote to memory of 1556	904	LSASS.exe	52
PID 904 wrote to memory of 1556	904	LSASS.exe	52
PID 904 wrote to memory of 1556	904	LSASS.exe	52
PID 904 wrote to memory of 2024	904	LSASS.exe	54
PID 904 wrote to memory of 2024	904	LSASS.exe	54
PID 904 wrote to memory of 2024	904	LSASS.exe	54
PID 904 wrote to memory of 2024	904	LSASS.exe	54

C:\Users\Admin\AppData\Local\Temp\bac8c3a225bbbbc6b93c1ca77efbf1cfc5008fbdd69bddec1061e6278f5cfaa0.exe
"C:\Users\Admin\AppData\Local\Temp\bac8c3a225bbbbc6b93c1ca77efbf1cfc5008fbdd69bddec1061e6278f5cfaa0.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Windows\LSASS.exe
  "C:\Windows\LSASS.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:904
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    PID:1112
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:676
- - C:\Users\Admin\LSASS.exe
    "C:\Users\Admin\LSASS.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1716
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1660
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1712
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:540
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:688
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1932
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:936
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1772
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:800
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1124
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2004
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1556
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2024
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    PID:1304
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1788
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    PID:1180
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1612
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    PID:588
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1736
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1780
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    PID:332
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1488
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    PID:1368
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:364
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1580
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:932
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1420
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1320
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2012
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    PID:1308
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:612
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:784
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1412
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2004
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1968
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1808
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1908
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:956
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:960
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1612
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1624
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1736
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2044
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:536
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:568
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:984
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    PID:364
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:112
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1416
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:296
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1988
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    PID:1980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\LSASS.exe

Filesize
460KB

MD5
130baa31b3fe2404069a43c943fbfcec

SHA1
9bc3a8242424ad9be542e3e182d584a02a2f1066

SHA256
a46eb548aa1e328424443979a32947c81b2f8e638b3626c00141f0b4570fe5dd

SHA512
9882cc350ffed35634b1efc432282b2751ea7e1f6e532a1fe17859ed94f2184657c676b161cbb373ac82377353a3d9664c0b36afb22c6ead68f13ce7789fcdf1

Download Submit
C:\Windows\LSASS.exe

Filesize
460KB

MD5
6271d7f87747df88d994293422cef4ec

SHA1
d397ae994831bbb837951819a8cae8ac77a0c8dc

SHA256
b234cab89370c8da86219d58c2e2549c51384330147050bedfed2940e029cb39

SHA512
e05103af7cdbf024a774fcea1ce68d596d5f7dd209f8b5424ff6f9d4c1ce1a95ad99d640f6bf022403649b95ebd06246bf6d1686ca952e7e985396125b555dfd

Download Submit
C:\Windows\LSASS.exe

Filesize
460KB

MD5
6271d7f87747df88d994293422cef4ec

SHA1
d397ae994831bbb837951819a8cae8ac77a0c8dc

SHA256
b234cab89370c8da86219d58c2e2549c51384330147050bedfed2940e029cb39

SHA512
e05103af7cdbf024a774fcea1ce68d596d5f7dd209f8b5424ff6f9d4c1ce1a95ad99d640f6bf022403649b95ebd06246bf6d1686ca952e7e985396125b555dfd

Download Submit
\Users\Admin\LSASS.exe

Filesize
460KB

MD5
130baa31b3fe2404069a43c943fbfcec

SHA1
9bc3a8242424ad9be542e3e182d584a02a2f1066

SHA256
a46eb548aa1e328424443979a32947c81b2f8e638b3626c00141f0b4570fe5dd

SHA512
9882cc350ffed35634b1efc432282b2751ea7e1f6e532a1fe17859ed94f2184657c676b161cbb373ac82377353a3d9664c0b36afb22c6ead68f13ce7789fcdf1

Download Submit
\Users\Admin\LSASS.exe

Filesize
460KB

MD5
130baa31b3fe2404069a43c943fbfcec

SHA1
9bc3a8242424ad9be542e3e182d584a02a2f1066

SHA256
a46eb548aa1e328424443979a32947c81b2f8e638b3626c00141f0b4570fe5dd

SHA512
9882cc350ffed35634b1efc432282b2751ea7e1f6e532a1fe17859ed94f2184657c676b161cbb373ac82377353a3d9664c0b36afb22c6ead68f13ce7789fcdf1

Download Submit
memory/1552-54-0x0000000075681000-0x0000000075683000-memory.dmp

Filesize
8KB

Download