f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
07/12/2022, 03:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
Size

340KB
MD5

5a20a6ea25c2c31ad71b6534c69c1644
SHA1

340085f8892ec76ed30c0df67b9f8e02d30e2d89
SHA256

f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed
SHA512

b874ae04d69e6e05521f93aac10109f30c1ea3498f7d6da57020c16fe6075629b3ea65b0f3e42a96946dc1c611b94aead0c19404e4b8e6926491d62d5fc73d17
SSDEEP

6144:yz9PjglQKRd8PA/bD0vZgcHF9F0NzxEluJujtkAWVfSzQ:6N0lZd8o/f0vKk2zxElZST

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	lsass.exe

Executes dropped EXE 2 IoCs

pid	Process
1748	lsass.exe
1312	lsass.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1260	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Teamviewer.exe	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Teamviewer.exe	lsass.exe

Loads dropped DLL 2 IoCs

pid	Process
852	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
852	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	lsass.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	lsass.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
File opened (read-only)	\??\N:	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
File opened (read-only)	\??\U:	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
File opened (read-only)	\??\V:	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
File opened (read-only)	\??\A:	lsass.exe
File opened (read-only)	\??\H:	lsass.exe
File opened (read-only)	\??\L:	lsass.exe
File opened (read-only)	\??\N:	lsass.exe
File opened (read-only)	\??\O:	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
File opened (read-only)	\??\Y:	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
File opened (read-only)	\??\B:	lsass.exe
File opened (read-only)	\??\F:	lsass.exe
File opened (read-only)	\??\O:	lsass.exe
File opened (read-only)	\??\R:	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
File opened (read-only)	\??\W:	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
File opened (read-only)	\??\M:	lsass.exe
File opened (read-only)	\??\Q:	lsass.exe
File opened (read-only)	\??\B:	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
File opened (read-only)	\??\J:	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
File opened (read-only)	\??\K:	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
File opened (read-only)	\??\P:	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
File opened (read-only)	\??\K:	lsass.exe
File opened (read-only)	\??\Y:	lsass.exe
File opened (read-only)	\??\A:	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
File opened (read-only)	\??\F:	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
File opened (read-only)	\??\I:	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
File opened (read-only)	\??\I:	lsass.exe
File opened (read-only)	\??\P:	lsass.exe
File opened (read-only)	\??\W:	lsass.exe
File opened (read-only)	\??\E:	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
File opened (read-only)	\??\X:	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
File opened (read-only)	\??\E:	lsass.exe
File opened (read-only)	\??\U:	lsass.exe
File opened (read-only)	\??\X:	lsass.exe
File opened (read-only)	\??\G:	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
File opened (read-only)	\??\H:	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
File opened (read-only)	\??\Q:	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
File opened (read-only)	\??\S:	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
File opened (read-only)	\??\T:	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
File opened (read-only)	\??\J:	lsass.exe
File opened (read-only)	\??\R:	lsass.exe
File opened (read-only)	\??\T:	lsass.exe
File opened (read-only)	\??\L:	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
File opened (read-only)	\??\G:	lsass.exe
File opened (read-only)	\??\S:	lsass.exe
File opened (read-only)	\??\V:	lsass.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1324 set thread context of 852	1324	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe	27
PID 1748 set thread context of 1312	1748	lsass.exe	31

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1324	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
852	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
1748	lsass.exe
1312	lsass.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 852	1324	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe	27
PID 1324 wrote to memory of 852	1324	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe	27
PID 1324 wrote to memory of 852	1324	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe	27
PID 1324 wrote to memory of 852	1324	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe	27
PID 1324 wrote to memory of 852	1324	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe	27
PID 1324 wrote to memory of 852	1324	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe	27
PID 1324 wrote to memory of 852	1324	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe	27
PID 1324 wrote to memory of 852	1324	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe	27
PID 1324 wrote to memory of 852	1324	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe	27
PID 852 wrote to memory of 1260	852	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe	28
PID 852 wrote to memory of 1260	852	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe	28
PID 852 wrote to memory of 1260	852	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe	28
PID 852 wrote to memory of 1260	852	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe	28
PID 852 wrote to memory of 1748	852	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe	30
PID 852 wrote to memory of 1748	852	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe	30
PID 852 wrote to memory of 1748	852	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe	30
PID 852 wrote to memory of 1748	852	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe	30
PID 1748 wrote to memory of 1312	1748	lsass.exe	31
PID 1748 wrote to memory of 1312	1748	lsass.exe	31
PID 1748 wrote to memory of 1312	1748	lsass.exe	31
PID 1748 wrote to memory of 1312	1748	lsass.exe	31
PID 1748 wrote to memory of 1312	1748	lsass.exe	31
PID 1748 wrote to memory of 1312	1748	lsass.exe	31
PID 1748 wrote to memory of 1312	1748	lsass.exe	31
PID 1748 wrote to memory of 1312	1748	lsass.exe	31
PID 1748 wrote to memory of 1312	1748	lsass.exe	31

C:\Users\Admin\AppData\Local\Temp\f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
"C:\Users\Admin\AppData\Local\Temp\f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe"
1⤵
- Drops startup file
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Users\Admin\AppData\Local\Temp\f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
  C:\Users\Admin\AppData\Local\Temp\f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
  2⤵
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram program = C:\Users\Admin\AppData\Roaming\lsass.exename = Nero mode = ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:1260
- - C:\Users\Admin\AppData\Roaming\lsass.exe
    "C:\Users\Admin\AppData\Roaming\lsass.exe" /d C:\Users\Admin\AppData\Local\Temp\f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Enumerates connected drives
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1748
  - - C:\Users\Admin\AppData\Roaming\lsass.exe
      C:\Users\Admin\AppData\Roaming\lsass.exe
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetWindowsHookEx
      PID:1312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Teamviewer.exe

Filesize
256KB

MD5
439f678e04c25f95c608b88eba1caefe

SHA1
aca7f1e9e32b0a359b4318bdb59cf980b56eb0c9

SHA256
76b8d04f02014c64315199461f3316e7a583f5089a072fcdcf03b54a8d6d5778

SHA512
8bbe69aeea74c17bcff48bff74abc7ef277f9ca5bc276b930ee0165b0fa123212220ccb879cc8eecc07f99d1abe47eb63fbc21eefe208c4b7839bdc76bfd6111

Download Submit
C:\Users\Admin\AppData\Roaming\lsass.exe

Filesize
340KB

MD5
2db9c1241b0a74ff6433cc9c763838e4

SHA1
79f66d99bb2ac29cc50ec0a4c42fc5fb7c7d13a7

SHA256
f674375ab4ada41f13d0c7c72ca4820019065a0cf949d409edbf53ecbbc2ac5f

SHA512
ae1efa31cf5157bd1791c9d8b4a0cf603c0bcbefdc48eb67cfa27011e159f83a4f2bf3dacf92f170826100b612369718c0f59461715c5b361c61016407e990c0

Download Submit
C:\Users\Admin\AppData\Roaming\lsass.exe

Filesize
340KB

MD5
2db9c1241b0a74ff6433cc9c763838e4

SHA1
79f66d99bb2ac29cc50ec0a4c42fc5fb7c7d13a7

SHA256
f674375ab4ada41f13d0c7c72ca4820019065a0cf949d409edbf53ecbbc2ac5f

SHA512
ae1efa31cf5157bd1791c9d8b4a0cf603c0bcbefdc48eb67cfa27011e159f83a4f2bf3dacf92f170826100b612369718c0f59461715c5b361c61016407e990c0

Download Submit
C:\Users\Admin\AppData\Roaming\lsass.exe

Filesize
340KB

MD5
2db9c1241b0a74ff6433cc9c763838e4

SHA1
79f66d99bb2ac29cc50ec0a4c42fc5fb7c7d13a7

SHA256
f674375ab4ada41f13d0c7c72ca4820019065a0cf949d409edbf53ecbbc2ac5f

SHA512
ae1efa31cf5157bd1791c9d8b4a0cf603c0bcbefdc48eb67cfa27011e159f83a4f2bf3dacf92f170826100b612369718c0f59461715c5b361c61016407e990c0

Download Submit
\Users\Admin\AppData\Roaming\lsass.exe

Filesize
340KB

MD5
2db9c1241b0a74ff6433cc9c763838e4

SHA1
79f66d99bb2ac29cc50ec0a4c42fc5fb7c7d13a7

SHA256
f674375ab4ada41f13d0c7c72ca4820019065a0cf949d409edbf53ecbbc2ac5f

SHA512
ae1efa31cf5157bd1791c9d8b4a0cf603c0bcbefdc48eb67cfa27011e159f83a4f2bf3dacf92f170826100b612369718c0f59461715c5b361c61016407e990c0

Download Submit
\Users\Admin\AppData\Roaming\lsass.exe

Filesize
340KB

MD5
2db9c1241b0a74ff6433cc9c763838e4

SHA1
79f66d99bb2ac29cc50ec0a4c42fc5fb7c7d13a7

SHA256
f674375ab4ada41f13d0c7c72ca4820019065a0cf949d409edbf53ecbbc2ac5f

SHA512
ae1efa31cf5157bd1791c9d8b4a0cf603c0bcbefdc48eb67cfa27011e159f83a4f2bf3dacf92f170826100b612369718c0f59461715c5b361c61016407e990c0

Download Submit
memory/852-70-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/852-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1312-82-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1312-83-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1324-59-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads