c7464e136d99764cc3b5d3e48e58a48ba6fe270c9cd28130cb6d7513106b5968

Analysis

max time kernel
183s
max time network
195s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7464e136d99764cc3b5d3e48e58a48ba6fe270c9cd28130cb6d7513106b5968.exe
Size

127KB
MD5

1cb8ed30a8b823c97e756093fca979a0
SHA1

618cf805207bba375ce1cfc43f8529cc54733178
SHA256

c7464e136d99764cc3b5d3e48e58a48ba6fe270c9cd28130cb6d7513106b5968
SHA512

059ea6cf79b818767dc31fef6f9daf482fba3365f7b61790f5b96e2f29988be336a37aabc11ccfe757bd87793ae0c75adc03db5b96c346cdea6f8551ca0b4c34
SSDEEP

1536:554Q19FUR8N01/H5WXDBVAEejK2Jsno/m/S4XN54Q19FUR8N:T4SAR8NmgFdAQyV4X4SAR8N

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\lsass.exe	c7464e136d99764cc3b5d3e48e58a48ba6fe270c9cd28130cb6d7513106b5968.exe
File created	C:\Windows\SysWOW64\drivers\lsass.exe	lsass.exe

Executes dropped EXE 2 IoCs

pid	Process
2116	lsass.exe
4312	c7464e136d99764cc3b5d3e48e58a48ba6fe270c9cd28130cb6d7513106b5968.~tmp

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif	lsass.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	lsass.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1740	c7464e136d99764cc3b5d3e48e58a48ba6fe270c9cd28130cb6d7513106b5968.exe
1740	c7464e136d99764cc3b5d3e48e58a48ba6fe270c9cd28130cb6d7513106b5968.exe
2116	lsass.exe
2116	lsass.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2116	1740	c7464e136d99764cc3b5d3e48e58a48ba6fe270c9cd28130cb6d7513106b5968.exe	83
PID 1740 wrote to memory of 2116	1740	c7464e136d99764cc3b5d3e48e58a48ba6fe270c9cd28130cb6d7513106b5968.exe	83
PID 1740 wrote to memory of 2116	1740	c7464e136d99764cc3b5d3e48e58a48ba6fe270c9cd28130cb6d7513106b5968.exe	83
PID 1740 wrote to memory of 4312	1740	c7464e136d99764cc3b5d3e48e58a48ba6fe270c9cd28130cb6d7513106b5968.exe	84
PID 1740 wrote to memory of 4312	1740	c7464e136d99764cc3b5d3e48e58a48ba6fe270c9cd28130cb6d7513106b5968.exe	84
PID 1740 wrote to memory of 4312	1740	c7464e136d99764cc3b5d3e48e58a48ba6fe270c9cd28130cb6d7513106b5968.exe	84

C:\Users\Admin\AppData\Local\Temp\c7464e136d99764cc3b5d3e48e58a48ba6fe270c9cd28130cb6d7513106b5968.exe
"C:\Users\Admin\AppData\Local\Temp\c7464e136d99764cc3b5d3e48e58a48ba6fe270c9cd28130cb6d7513106b5968.exe"
1⤵
- Drops file in Drivers directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\SysWOW64\drivers\lsass.exe
  "C:\Windows\system32\drivers\lsass.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops startup file
  - Enumerates connected drives
  - Suspicious use of SetWindowsHookEx
  PID:2116
- C:\Users\Admin\AppData\Local\Temp\c7464e136d99764cc3b5d3e48e58a48ba6fe270c9cd28130cb6d7513106b5968.~tmp
  "C:\Users\Admin\AppData\Local\Temp\c7464e136d99764cc3b5d3e48e58a48ba6fe270c9cd28130cb6d7513106b5968.~tmp "
  2⤵
  - Executes dropped EXE
  PID:4312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c7464e136d99764cc3b5d3e48e58a48ba6fe270c9cd28130cb6d7513106b5968.~tmp

Filesize
63KB

MD5
3dacf372b044e128fbf5025d5259fca7

SHA1
dbc538db7f624e7c369ded814fe36e2cee0bf335

SHA256
97b519a4b3612573fc0691b881d091c1591a0fea831ed85b44ec1bef79346133

SHA512
b569b395a1d218b01803e83a6c79af8b5708f2b47daef0e02d80c825278c67f68609e47f3b12c86859e3d0b2ad76250cdaee97d1a555276f5cbb37c3da985bcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\c7464e136d99764cc3b5d3e48e58a48ba6fe270c9cd28130cb6d7513106b5968.~tmp

Filesize
63KB

MD5
3dacf372b044e128fbf5025d5259fca7

SHA1
dbc538db7f624e7c369ded814fe36e2cee0bf335

SHA256
97b519a4b3612573fc0691b881d091c1591a0fea831ed85b44ec1bef79346133

SHA512
b569b395a1d218b01803e83a6c79af8b5708f2b47daef0e02d80c825278c67f68609e47f3b12c86859e3d0b2ad76250cdaee97d1a555276f5cbb37c3da985bcd

Download Submit
C:\Windows\SysWOW64\drivers\lsass.exe

Filesize
32KB

MD5
669ffd1dd6fb7a0e4ddbc3ad3b76507b

SHA1
372820d6b9350ad629a489d49876d8bd422b8f31

SHA256
7dc487e762e55ffa601480c4bc7948f85fcd4f025665ff599060ec1f81d7e986

SHA512
cd69694ad3316c768dbe0d1514060870568c67a50785b38d402eb16e94740c5ae351eb6d47284630a2505fac50c9777bedef85608571c85385b1b9c1f12d73f5

Download Submit
C:\Windows\SysWOW64\drivers\lsass.exe

Filesize
32KB

MD5
669ffd1dd6fb7a0e4ddbc3ad3b76507b

SHA1
372820d6b9350ad629a489d49876d8bd422b8f31

SHA256
7dc487e762e55ffa601480c4bc7948f85fcd4f025665ff599060ec1f81d7e986

SHA512
cd69694ad3316c768dbe0d1514060870568c67a50785b38d402eb16e94740c5ae351eb6d47284630a2505fac50c9777bedef85608571c85385b1b9c1f12d73f5

Download Submit