ec6d83d9be6da9ab4d34e1f05c4e865c2a82c88f70f993316d0ee0f4a6cb1bcf

General

Target

ec6d83d9be6da9ab4d34e1f05c4e865c2a82c88f70f993316d0ee0f4a6cb1bcf.exe
Size

18KB
MD5

da3e1b4f7423680c5a7bdefda502db5a
SHA1

dab6fa2e668bec1c83fb6547757ac0e2a362bdf1
SHA256

ec6d83d9be6da9ab4d34e1f05c4e865c2a82c88f70f993316d0ee0f4a6cb1bcf
SHA512

f680013088033c5d4281beefa6102983a1f24dcf8dc25327a6f563425b9c954a37435d482291145000617a7e880874fe310443c937def278d1f19d31c351c5b4
SSDEEP

384:pmNZsVGOuX8ChLO78/Yz6F0+m9ag84cOgIF4CCoI:wNGVw1hqgQzN9d84JgbZ

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\PCIDump.sys	ec6d83d9be6da9ab4d34e1f05c4e865c2a82c88f70f993316d0ee0f4a6cb1bcf.exe
File opened for modification	C:\Windows\SysWOW64\drivers\PCIDump.sys	lasso.exe

Executes dropped EXE 1 IoCs

pid	Process
1976	lasso.exe

Loads dropped DLL 2 IoCs

pid	Process
1932	ec6d83d9be6da9ab4d34e1f05c4e865c2a82c88f70f993316d0ee0f4a6cb1bcf.exe
1932	ec6d83d9be6da9ab4d34e1f05c4e865c2a82c88f70f993316d0ee0f4a6cb1bcf.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\lasso.exe	ec6d83d9be6da9ab4d34e1f05c4e865c2a82c88f70f993316d0ee0f4a6cb1bcf.exe
File created	C:\Windows\SysWOW64\lasso.exe	lasso.exe
File created	C:\Windows\SysWOW64\lasso.exe	ec6d83d9be6da9ab4d34e1f05c4e865c2a82c88f70f993316d0ee0f4a6cb1bcf.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1932	ec6d83d9be6da9ab4d34e1f05c4e865c2a82c88f70f993316d0ee0f4a6cb1bcf.exe
Token: SeIncBasePriorityPrivilege	1976	lasso.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 1976	1932	ec6d83d9be6da9ab4d34e1f05c4e865c2a82c88f70f993316d0ee0f4a6cb1bcf.exe	28
PID 1932 wrote to memory of 1976	1932	ec6d83d9be6da9ab4d34e1f05c4e865c2a82c88f70f993316d0ee0f4a6cb1bcf.exe	28
PID 1932 wrote to memory of 1976	1932	ec6d83d9be6da9ab4d34e1f05c4e865c2a82c88f70f993316d0ee0f4a6cb1bcf.exe	28
PID 1932 wrote to memory of 1976	1932	ec6d83d9be6da9ab4d34e1f05c4e865c2a82c88f70f993316d0ee0f4a6cb1bcf.exe	28

C:\Users\Admin\AppData\Local\Temp\ec6d83d9be6da9ab4d34e1f05c4e865c2a82c88f70f993316d0ee0f4a6cb1bcf.exe
"C:\Users\Admin\AppData\Local\Temp\ec6d83d9be6da9ab4d34e1f05c4e865c2a82c88f70f993316d0ee0f4a6cb1bcf.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\SysWOW64\lasso.exe
  "C:\Windows\system32\lasso.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C del C:\Windows\SysWOW64\lasso.exe > nul
    3⤵
    PID:1240
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C del C:\Users\Admin\AppData\Local\Temp\EC6D83~1.EXE > nul
  2⤵
  PID:1232

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\drivers\PCIDump.sys

Filesize
4KB

MD5
d058dd1757e857d2cf1afcadce95a521

SHA1
3d5563ce8e7a11110d238b25711a176a63bfb703

SHA256
a0cd51ff93d087654b5ceccc279df8eb5e9783a530a3bca83a06c7f82025885d

SHA512
748937d6ae01ddbe97470754b73563c04e492d7980a8e0bbb9ed7838e85c8cff912d087204325664c3051aeba15606d23b9b507b211a6369e7ecc7bda175da44

Download Submit
C:\Windows\SysWOW64\lasso.exe

Filesize
18KB

MD5
da3e1b4f7423680c5a7bdefda502db5a

SHA1
dab6fa2e668bec1c83fb6547757ac0e2a362bdf1

SHA256
ec6d83d9be6da9ab4d34e1f05c4e865c2a82c88f70f993316d0ee0f4a6cb1bcf

SHA512
f680013088033c5d4281beefa6102983a1f24dcf8dc25327a6f563425b9c954a37435d482291145000617a7e880874fe310443c937def278d1f19d31c351c5b4

Download Submit
C:\Windows\SysWOW64\lasso.exe

Filesize
18KB

MD5
da3e1b4f7423680c5a7bdefda502db5a

SHA1
dab6fa2e668bec1c83fb6547757ac0e2a362bdf1

SHA256
ec6d83d9be6da9ab4d34e1f05c4e865c2a82c88f70f993316d0ee0f4a6cb1bcf

SHA512
f680013088033c5d4281beefa6102983a1f24dcf8dc25327a6f563425b9c954a37435d482291145000617a7e880874fe310443c937def278d1f19d31c351c5b4

Download Submit
\Windows\SysWOW64\lasso.exe

Filesize
18KB

MD5
da3e1b4f7423680c5a7bdefda502db5a

SHA1
dab6fa2e668bec1c83fb6547757ac0e2a362bdf1

SHA256
ec6d83d9be6da9ab4d34e1f05c4e865c2a82c88f70f993316d0ee0f4a6cb1bcf

SHA512
f680013088033c5d4281beefa6102983a1f24dcf8dc25327a6f563425b9c954a37435d482291145000617a7e880874fe310443c937def278d1f19d31c351c5b4

Download Submit
\Windows\SysWOW64\lasso.exe

Filesize
18KB

MD5
da3e1b4f7423680c5a7bdefda502db5a

SHA1
dab6fa2e668bec1c83fb6547757ac0e2a362bdf1

SHA256
ec6d83d9be6da9ab4d34e1f05c4e865c2a82c88f70f993316d0ee0f4a6cb1bcf

SHA512
f680013088033c5d4281beefa6102983a1f24dcf8dc25327a6f563425b9c954a37435d482291145000617a7e880874fe310443c937def278d1f19d31c351c5b4

Download Submit
memory/1932-54-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download
memory/1932-55-0x0000000000400000-0x0000000000411200-memory.dmp

Filesize
68KB

Download
memory/1932-56-0x0000000000400000-0x0000000000411200-memory.dmp

Filesize
68KB

Download

Analysis

Sharing