904219f6759b1d64f57408a490c4c4019f7311a492a2d40c782eb925ff926fc9

General

Target

904219f6759b1d64f57408a490c4c4019f7311a492a2d40c782eb925ff926fc9.exe
Size

960KB
MD5

bc0f36b838ce129f69ef71da6985992c
SHA1

c47127f752c8b90e38bbe1d94df7a58078e62138
SHA256

904219f6759b1d64f57408a490c4c4019f7311a492a2d40c782eb925ff926fc9
SHA512

95228905f2e8c0782b7c1e1ba848b356a7ec5d5e8fb5dea4c755c7ce06f8787e2e8bab4c154306c699086e110ee22944a3eb97772205021636a0f367f934982f
SSDEEP

12288:nnKpglA0+w4dxrW6BrliZ6ah832q3OnXg9MdQ8UnE:nnKWlANwW1WAizQ2tXg9MdQ8V

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1872	Lsas.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2124-132-0x0000000000400000-0x0000000000561000-memory.dmp	upx
behavioral2/memory/2124-139-0x0000000000400000-0x0000000000561000-memory.dmp	upx
behavioral2/memory/2124-141-0x0000000000400000-0x0000000000561000-memory.dmp	upx
behavioral2/memory/2124-140-0x0000000000400000-0x0000000000561000-memory.dmp	upx
behavioral2/memory/2124-143-0x0000000000400000-0x0000000000561000-memory.dmp	upx
behavioral2/memory/2124-145-0x0000000000400000-0x0000000000561000-memory.dmp	upx
behavioral2/files/0x0007000000022f7f-149.dat	upx
behavioral2/files/0x0007000000022f7f-148.dat	upx
behavioral2/memory/1872-157-0x0000000000400000-0x0000000000561000-memory.dmp	upx
behavioral2/memory/1872-159-0x0000000000400000-0x0000000000561000-memory.dmp	upx
behavioral2/memory/1872-160-0x0000000000400000-0x0000000000561000-memory.dmp	upx
behavioral2/memory/1872-161-0x0000000000400000-0x0000000000561000-memory.dmp	upx
behavioral2/memory/1872-164-0x0000000000400000-0x0000000000561000-memory.dmp	upx
behavioral2/memory/2124-166-0x0000000000400000-0x0000000000561000-memory.dmp	upx
behavioral2/memory/1872-168-0x0000000000400000-0x0000000000561000-memory.dmp	upx
behavioral2/memory/1872-169-0x0000000000400000-0x0000000000561000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Lsas.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	904219f6759b1d64f57408a490c4c4019f7311a492a2d40c782eb925ff926fc9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	904219f6759b1d64f57408a490c4c4019f7311a492a2d40c782eb925ff926fc9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Lsas.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	904219f6759b1d64f57408a490c4c4019f7311a492a2d40c782eb925ff926fc9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Lsas.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winupdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\904219f6759b1d64f57408a490c4c4019f7311a492a2d40c782eb925ff926fc9.exe"	904219f6759b1d64f57408a490c4c4019f7311a492a2d40c782eb925ff926fc9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winupdate = "C:\\WINDOWS\\SysWOW64\\Lsas.exe"	Lsas.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\Lsas.exe	904219f6759b1d64f57408a490c4c4019f7311a492a2d40c782eb925ff926fc9.exe
File opened for modification	C:\WINDOWS\SysWOW64\Lsas.exe	904219f6759b1d64f57408a490c4c4019f7311a492a2d40c782eb925ff926fc9.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\win23.txt	Lsas.exe
File opened for modification	C:\WINDOWS\win23.txt	Lsas.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{518B0316-31E9-1FCB-639D-D5DA4D4F1432}	904219f6759b1d64f57408a490c4c4019f7311a492a2d40c782eb925ff926fc9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{518B0316-31E9-1FCB-639D-D5DA4D4F1432}\ = "CloudExperienceHost Diagnostics Elevated Manager"	904219f6759b1d64f57408a490c4c4019f7311a492a2d40c782eb925ff926fc9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{518B0316-31E9-1FCB-639D-D5DA4D4F1432}\InProcServer32	904219f6759b1d64f57408a490c4c4019f7311a492a2d40c782eb925ff926fc9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{518B0316-31E9-1FCB-639D-D5DA4D4F1432}\InProcServer32\ = "C:\\Windows\\SysWOW64\\CloudExperienceHostCommon.dll"	904219f6759b1d64f57408a490c4c4019f7311a492a2d40c782eb925ff926fc9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{518B0316-31E9-1FCB-639D-D5DA4D4F1432}\InProcServer32\ThreadingModel = "Both"	904219f6759b1d64f57408a490c4c4019f7311a492a2d40c782eb925ff926fc9.exe

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\ProgramData\TEMP:D0CAB0B8	904219f6759b1d64f57408a490c4c4019f7311a492a2d40c782eb925ff926fc9.exe
File opened for modification	C:\ProgramData\TEMP:D0CAB0B8	904219f6759b1d64f57408a490c4c4019f7311a492a2d40c782eb925ff926fc9.exe
File opened for modification	C:\ProgramData\TEMP:D0CAB0B8	Lsas.exe

Runs net.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1872	Lsas.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2124	904219f6759b1d64f57408a490c4c4019f7311a492a2d40c782eb925ff926fc9.exe
Token: SeIncBasePriorityPrivilege	2124	904219f6759b1d64f57408a490c4c4019f7311a492a2d40c782eb925ff926fc9.exe
Token: 33	1872	Lsas.exe
Token: SeIncBasePriorityPrivilege	1872	Lsas.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2124	904219f6759b1d64f57408a490c4c4019f7311a492a2d40c782eb925ff926fc9.exe
1872	Lsas.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 1156	2124	904219f6759b1d64f57408a490c4c4019f7311a492a2d40c782eb925ff926fc9.exe	80
PID 2124 wrote to memory of 1156	2124	904219f6759b1d64f57408a490c4c4019f7311a492a2d40c782eb925ff926fc9.exe	80
PID 2124 wrote to memory of 1156	2124	904219f6759b1d64f57408a490c4c4019f7311a492a2d40c782eb925ff926fc9.exe	80
PID 2124 wrote to memory of 1872	2124	904219f6759b1d64f57408a490c4c4019f7311a492a2d40c782eb925ff926fc9.exe	82
PID 2124 wrote to memory of 1872	2124	904219f6759b1d64f57408a490c4c4019f7311a492a2d40c782eb925ff926fc9.exe	82
PID 2124 wrote to memory of 1872	2124	904219f6759b1d64f57408a490c4c4019f7311a492a2d40c782eb925ff926fc9.exe	82
PID 1156 wrote to memory of 4556	1156	net.exe	83
PID 1156 wrote to memory of 4556	1156	net.exe	83
PID 1156 wrote to memory of 4556	1156	net.exe	83
PID 1872 wrote to memory of 4128	1872	Lsas.exe	84
PID 1872 wrote to memory of 4128	1872	Lsas.exe	84
PID 1872 wrote to memory of 4128	1872	Lsas.exe	84
PID 4128 wrote to memory of 1820	4128	net.exe	86
PID 4128 wrote to memory of 1820	4128	net.exe	86
PID 4128 wrote to memory of 1820	4128	net.exe	86

C:\Users\Admin\AppData\Local\Temp\904219f6759b1d64f57408a490c4c4019f7311a492a2d40c782eb925ff926fc9.exe
"C:\Users\Admin\AppData\Local\Temp\904219f6759b1d64f57408a490c4c4019f7311a492a2d40c782eb925ff926fc9.exe"
1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop sharedaccess
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop sharedaccess
    3⤵
    PID:4556
- C:\WINDOWS\SysWOW64\Lsas.exe
  C:\WINDOWS\system32\Lsas.exe
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in Windows directory
  - NTFS ADS
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop sharedaccess
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4128
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop sharedaccess
      4⤵
      PID:1820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TEMP:D0CAB0B8

Filesize
100B

MD5
45a9bbbd0d1eee2f36afa64b8353d86a

SHA1
58d2a604e6774d181373afb2a72709db00194817

SHA256
b214b1e5475196e0e669af8a1593e60a0ad76893f0e5f56b2217dda6f7bc7b03

SHA512
180d4033d04d0cd6ea671e691fe30e069e4c113fc4822c64a1102d746562644d3414da652e731bf2805517a667860b1a6d5dc25f7ee7e7ab837e89e3424fa6dd

Download Submit
C:\WINDOWS\SysWOW64\Lsas.exe

Filesize
960KB

MD5
bc0f36b838ce129f69ef71da6985992c

SHA1
c47127f752c8b90e38bbe1d94df7a58078e62138

SHA256
904219f6759b1d64f57408a490c4c4019f7311a492a2d40c782eb925ff926fc9

SHA512
95228905f2e8c0782b7c1e1ba848b356a7ec5d5e8fb5dea4c755c7ce06f8787e2e8bab4c154306c699086e110ee22944a3eb97772205021636a0f367f934982f

Download Submit
C:\Windows\SysWOW64\Lsas.exe

Filesize
960KB

MD5
bc0f36b838ce129f69ef71da6985992c

SHA1
c47127f752c8b90e38bbe1d94df7a58078e62138

SHA256
904219f6759b1d64f57408a490c4c4019f7311a492a2d40c782eb925ff926fc9

SHA512
95228905f2e8c0782b7c1e1ba848b356a7ec5d5e8fb5dea4c755c7ce06f8787e2e8bab4c154306c699086e110ee22944a3eb97772205021636a0f367f934982f

Download Submit
memory/1872-161-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/1872-160-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/1872-164-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/1872-168-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/1872-169-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/1872-151-0x0000000000640000-0x00000000006C9000-memory.dmp

Filesize
548KB

Download
memory/1872-159-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/1872-157-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/2124-145-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/2124-132-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/2124-143-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/2124-140-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/2124-166-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/2124-141-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/2124-139-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/2124-134-0x00000000005F0000-0x0000000000679000-memory.dmp

Filesize
548KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads