f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed

Analysis

max time kernel
150s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2022 03:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
Size

340KB
MD5

5a20a6ea25c2c31ad71b6534c69c1644
SHA1

340085f8892ec76ed30c0df67b9f8e02d30e2d89
SHA256

f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed
SHA512

b874ae04d69e6e05521f93aac10109f30c1ea3498f7d6da57020c16fe6075629b3ea65b0f3e42a96946dc1c611b94aead0c19404e4b8e6926491d62d5fc73d17
SSDEEP

6144:yz9PjglQKRd8PA/bD0vZgcHF9F0NzxEluJujtkAWVfSzQ:6N0lZd8o/f0vKk2zxElZST

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	lsass.exe

Executes dropped EXE 2 IoCs

pid	Process
384	lsass.exe
2368	lsass.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
5028	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Teamviewer.exe	lsass.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Teamviewer.exe	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	lsass.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	lsass.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
File opened (read-only)	\??\N:	lsass.exe
File opened (read-only)	\??\T:	lsass.exe
File opened (read-only)	\??\A:	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
File opened (read-only)	\??\G:	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
File opened (read-only)	\??\J:	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
File opened (read-only)	\??\N:	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
File opened (read-only)	\??\Y:	lsass.exe
File opened (read-only)	\??\W:	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
File opened (read-only)	\??\F:	lsass.exe
File opened (read-only)	\??\L:	lsass.exe
File opened (read-only)	\??\P:	lsass.exe
File opened (read-only)	\??\Q:	lsass.exe
File opened (read-only)	\??\S:	lsass.exe
File opened (read-only)	\??\W:	lsass.exe
File opened (read-only)	\??\M:	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
File opened (read-only)	\??\Q:	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
File opened (read-only)	\??\A:	lsass.exe
File opened (read-only)	\??\I:	lsass.exe
File opened (read-only)	\??\J:	lsass.exe
File opened (read-only)	\??\V:	lsass.exe
File opened (read-only)	\??\H:	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
File opened (read-only)	\??\O:	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
File opened (read-only)	\??\E:	lsass.exe
File opened (read-only)	\??\M:	lsass.exe
File opened (read-only)	\??\O:	lsass.exe
File opened (read-only)	\??\I:	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
File opened (read-only)	\??\L:	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
File opened (read-only)	\??\P:	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
File opened (read-only)	\??\S:	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
File opened (read-only)	\??\U:	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
File opened (read-only)	\??\V:	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
File opened (read-only)	\??\G:	lsass.exe
File opened (read-only)	\??\K:	lsass.exe
File opened (read-only)	\??\E:	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
File opened (read-only)	\??\F:	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
File opened (read-only)	\??\K:	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
File opened (read-only)	\??\T:	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
File opened (read-only)	\??\X:	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
File opened (read-only)	\??\Y:	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
File opened (read-only)	\??\H:	lsass.exe
File opened (read-only)	\??\R:	lsass.exe
File opened (read-only)	\??\U:	lsass.exe
File opened (read-only)	\??\R:	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
File opened (read-only)	\??\B:	lsass.exe
File opened (read-only)	\??\X:	lsass.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2952 set thread context of 1948	2952	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe	80
PID 384 set thread context of 2368	384	lsass.exe	84

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2952	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
1948	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
384	lsass.exe
2368	lsass.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 1948	2952	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe	80
PID 2952 wrote to memory of 1948	2952	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe	80
PID 2952 wrote to memory of 1948	2952	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe	80
PID 2952 wrote to memory of 1948	2952	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe	80
PID 2952 wrote to memory of 1948	2952	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe	80
PID 2952 wrote to memory of 1948	2952	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe	80
PID 2952 wrote to memory of 1948	2952	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe	80
PID 2952 wrote to memory of 1948	2952	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe	80
PID 1948 wrote to memory of 5028	1948	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe	81
PID 1948 wrote to memory of 5028	1948	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe	81
PID 1948 wrote to memory of 5028	1948	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe	81
PID 1948 wrote to memory of 384	1948	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe	83
PID 1948 wrote to memory of 384	1948	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe	83
PID 1948 wrote to memory of 384	1948	f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe	83
PID 384 wrote to memory of 2368	384	lsass.exe	84
PID 384 wrote to memory of 2368	384	lsass.exe	84
PID 384 wrote to memory of 2368	384	lsass.exe	84
PID 384 wrote to memory of 2368	384	lsass.exe	84
PID 384 wrote to memory of 2368	384	lsass.exe	84
PID 384 wrote to memory of 2368	384	lsass.exe	84
PID 384 wrote to memory of 2368	384	lsass.exe	84
PID 384 wrote to memory of 2368	384	lsass.exe	84

C:\Users\Admin\AppData\Local\Temp\f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
"C:\Users\Admin\AppData\Local\Temp\f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe"
1⤵
- Drops startup file
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Users\Admin\AppData\Local\Temp\f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
  C:\Users\Admin\AppData\Local\Temp\f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
  2⤵
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram program = C:\Users\Admin\AppData\Roaming\lsass.exename = Nero mode = ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:5028
- - C:\Users\Admin\AppData\Roaming\lsass.exe
    "C:\Users\Admin\AppData\Roaming\lsass.exe" /d C:\Users\Admin\AppData\Local\Temp\f77f4960e03af22f5368b0539a975e58e0f982341ff511fbec719a71686151ed.exe
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Enumerates connected drives
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:384
  - - C:\Users\Admin\AppData\Roaming\lsass.exe
      C:\Users\Admin\AppData\Roaming\lsass.exe
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetWindowsHookEx
      PID:2368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Teamviewer.exe

Filesize
256KB

MD5
439f678e04c25f95c608b88eba1caefe

SHA1
aca7f1e9e32b0a359b4318bdb59cf980b56eb0c9

SHA256
76b8d04f02014c64315199461f3316e7a583f5089a072fcdcf03b54a8d6d5778

SHA512
8bbe69aeea74c17bcff48bff74abc7ef277f9ca5bc276b930ee0165b0fa123212220ccb879cc8eecc07f99d1abe47eb63fbc21eefe208c4b7839bdc76bfd6111

Download Submit
C:\Users\Admin\AppData\Roaming\lsass.exe

Filesize
340KB

MD5
2db9c1241b0a74ff6433cc9c763838e4

SHA1
79f66d99bb2ac29cc50ec0a4c42fc5fb7c7d13a7

SHA256
f674375ab4ada41f13d0c7c72ca4820019065a0cf949d409edbf53ecbbc2ac5f

SHA512
ae1efa31cf5157bd1791c9d8b4a0cf603c0bcbefdc48eb67cfa27011e159f83a4f2bf3dacf92f170826100b612369718c0f59461715c5b361c61016407e990c0

Download Submit
C:\Users\Admin\AppData\Roaming\lsass.exe

Filesize
340KB

MD5
2db9c1241b0a74ff6433cc9c763838e4

SHA1
79f66d99bb2ac29cc50ec0a4c42fc5fb7c7d13a7

SHA256
f674375ab4ada41f13d0c7c72ca4820019065a0cf949d409edbf53ecbbc2ac5f

SHA512
ae1efa31cf5157bd1791c9d8b4a0cf603c0bcbefdc48eb67cfa27011e159f83a4f2bf3dacf92f170826100b612369718c0f59461715c5b361c61016407e990c0

Download Submit
C:\Users\Admin\AppData\Roaming\lsass.exe

Filesize
340KB

MD5
2db9c1241b0a74ff6433cc9c763838e4

SHA1
79f66d99bb2ac29cc50ec0a4c42fc5fb7c7d13a7

SHA256
f674375ab4ada41f13d0c7c72ca4820019065a0cf949d409edbf53ecbbc2ac5f

SHA512
ae1efa31cf5157bd1791c9d8b4a0cf603c0bcbefdc48eb67cfa27011e159f83a4f2bf3dacf92f170826100b612369718c0f59461715c5b361c61016407e990c0

Download Submit
memory/384-141-0x0000000000000000-mapping.dmp

Download
memory/1948-139-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1948-146-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1948-134-0x0000000000000000-mapping.dmp

Download
memory/1948-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2368-147-0x0000000000000000-mapping.dmp

Download
memory/2368-153-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2368-155-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5028-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads