da5007b3da914a87cb0b8cb4540b59d08761aeddf058f09aea3b854c43c69bae

Analysis

max time kernel
91s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
15-02-2023 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29fb7632d7e495f0f9f23524d130fd81.exe
Size

305KB
MD5

29fb7632d7e495f0f9f23524d130fd81
SHA1

6fab23aec1df3c36755707bc7fe15da370e2776a
SHA256

da5007b3da914a87cb0b8cb4540b59d08761aeddf058f09aea3b854c43c69bae
SHA512

67f1d51f51a8018a9d1bf3e92bfe745720e95655281a250e945043819ea849fe50e78e4ad8671dec1e1b2f5380f44e288eb73df87110cbb221b5b5c1b63a40a1
SSDEEP

6144:/Ya6H1VsdE/dfnLAthYJpvak1cITgTo+BGms2uOUSgxo/o7LWFfXgwSXbOU0d4wE:/Yl3wgdfLUmJNJqI8NY50ofg4wSKU0WJ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4792	lsmlekitre.exe
912	lsmlekitre.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4792 set thread context of 912	4792	lsmlekitre.exe	83

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2768	912	WerFault.exe	83

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4792	lsmlekitre.exe
4792	lsmlekitre.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 4792	4804	29fb7632d7e495f0f9f23524d130fd81.exe	82
PID 4804 wrote to memory of 4792	4804	29fb7632d7e495f0f9f23524d130fd81.exe	82
PID 4804 wrote to memory of 4792	4804	29fb7632d7e495f0f9f23524d130fd81.exe	82
PID 4792 wrote to memory of 912	4792	lsmlekitre.exe	83
PID 4792 wrote to memory of 912	4792	lsmlekitre.exe	83
PID 4792 wrote to memory of 912	4792	lsmlekitre.exe	83
PID 4792 wrote to memory of 912	4792	lsmlekitre.exe	83

C:\Users\Admin\AppData\Local\Temp\29fb7632d7e495f0f9f23524d130fd81.exe
"C:\Users\Admin\AppData\Local\Temp\29fb7632d7e495f0f9f23524d130fd81.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Users\Admin\AppData\Local\Temp\lsmlekitre.exe
  "C:\Users\Admin\AppData\Local\Temp\lsmlekitre.exe" C:\Users\Admin\AppData\Local\Temp\rdkswobyge.xvj
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4792
- - C:\Users\Admin\AppData\Local\Temp\lsmlekitre.exe
    "C:\Users\Admin\AppData\Local\Temp\lsmlekitre.exe"
    3⤵
    - Executes dropped EXE
    PID:912
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 184
      4⤵
      Program crash
      PID:2768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 912 -ip 912
1⤵
PID:5056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bodivqob.itv

Filesize
206KB

MD5
06cf0b75c32755e25f7ccbb53488c1ab

SHA1
966d0e5e42a126d6a7f5d9939162451001401ee9

SHA256
0286d9505bc1d23e39e55a386a9eed31c5f0b33da8164a83f269920ed7babd38

SHA512
c194667f4b0b448b034cc709b1e2f7be683f775e1cd09dec291689d20aa7f0e07596d8ab3bc7abd251ed62fc0c2dc7c1612a555c44b6ff82a142b30b9a9f41ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsmlekitre.exe

Filesize
140KB

MD5
7027c7e620b85bda7f9697a9698632c3

SHA1
6a617653ca3e90546ad365286045b742b8bd9bc3

SHA256
4a708aa20244a5b14146939e25e2fc8aa6a19c5c4655b19088739f012ff0a44c

SHA512
41d8d538ab435f8aa061487ad7899b08b456b8768430faef0a3e1813af7ffafd6b9f023f21cb7365f2c70ad5f1df8ef3bf118b8b5272fafd85ebf862877ba72d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsmlekitre.exe

Filesize
140KB

MD5
7027c7e620b85bda7f9697a9698632c3

SHA1
6a617653ca3e90546ad365286045b742b8bd9bc3

SHA256
4a708aa20244a5b14146939e25e2fc8aa6a19c5c4655b19088739f012ff0a44c

SHA512
41d8d538ab435f8aa061487ad7899b08b456b8768430faef0a3e1813af7ffafd6b9f023f21cb7365f2c70ad5f1df8ef3bf118b8b5272fafd85ebf862877ba72d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsmlekitre.exe

Filesize
140KB

MD5
7027c7e620b85bda7f9697a9698632c3

SHA1
6a617653ca3e90546ad365286045b742b8bd9bc3

SHA256
4a708aa20244a5b14146939e25e2fc8aa6a19c5c4655b19088739f012ff0a44c

SHA512
41d8d538ab435f8aa061487ad7899b08b456b8768430faef0a3e1813af7ffafd6b9f023f21cb7365f2c70ad5f1df8ef3bf118b8b5272fafd85ebf862877ba72d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rdkswobyge.xvj

Filesize
5KB

MD5
beaf14bcc9a2f078e8cf6f728b615427

SHA1
f33592699222c77834744e72c04070470eda42ca

SHA256
573e1395653c5dc2821d30f10382fc10ac7482296c5d6e6917bd3e78866af3bf

SHA512
4ea4ef425ef90551cf359049d034098f5d0fbaccd999345a0dcac246f278b48efd3dd3bcccc6fe9b41f7b4531397eba69aa48d9c7d297c53b7d42d8367c7174b

Download Submit
memory/912-137-0x0000000000000000-mapping.dmp

Download
memory/4792-132-0x0000000000000000-mapping.dmp

Download