b6ac3f99fe3a7731b91ef8dc1b27be56cbb219fde1461327177ab0506615ff73

Resubmissions

31-03-2023 19:53

230331-yl4v2ada29 3

31-03-2023 19:30

230331-x7zyjaeb7w 1

Analysis

max time kernel
104s
max time network
107s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
31-03-2023 19:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lag Switch.exe
Size

4.2MB
MD5

68ec8bb5b181d5d2506ff9f9476087a0
SHA1

0e21f7d94fa84a724c62d2d547032750c9dad9f7
SHA256

b6ac3f99fe3a7731b91ef8dc1b27be56cbb219fde1461327177ab0506615ff73
SHA512

c4111d86b2d8b1bd0519793775957e41c2847aa09bc7ce0523c8d673eafc5e1e77133284483e33b228118f62a363f9197d2c21bbbfec7c2a91f402fd2de6aa5d
SSDEEP

98304:gcHeOQR7OptGVCQ/s0OQR7OptGaCQ/sBcHKCQ/U:gqeOQR7OzGMQ/3OQR7OzGzQ/8qDQ/

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Gathers network information 2 TTPs 10 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

Processes:

ipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exe

pid	process
3548	ipconfig.exe
3672	ipconfig.exe
4180	ipconfig.exe
4784	ipconfig.exe
5024	ipconfig.exe
2664	ipconfig.exe
2756	ipconfig.exe
4864	ipconfig.exe
1556	ipconfig.exe
5004	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Lag Switch.exe

description pid process

Token: SeDebugPrivilege 4456 Lag Switch.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Lag Switch.exe

pid process

4456 Lag Switch.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Lag Switch.exe

pid process

4456 Lag Switch.exe

description	pid	process
Token: SeDebugPrivilege	4456	Lag Switch.exe

pid	process
4456	Lag Switch.exe

pid	process
4456	Lag Switch.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

Lag Switch.exe

description	pid	process	target process
PID 4456 wrote to memory of 2664	4456	Lag Switch.exe	ipconfig.exe
PID 4456 wrote to memory of 2664	4456	Lag Switch.exe	ipconfig.exe
PID 4456 wrote to memory of 2664	4456	Lag Switch.exe	ipconfig.exe
PID 4456 wrote to memory of 3548	4456	Lag Switch.exe	ipconfig.exe
PID 4456 wrote to memory of 3548	4456	Lag Switch.exe	ipconfig.exe
PID 4456 wrote to memory of 3548	4456	Lag Switch.exe	ipconfig.exe
PID 4456 wrote to memory of 3672	4456	Lag Switch.exe	ipconfig.exe
PID 4456 wrote to memory of 3672	4456	Lag Switch.exe	ipconfig.exe
PID 4456 wrote to memory of 3672	4456	Lag Switch.exe	ipconfig.exe
PID 4456 wrote to memory of 2756	4456	Lag Switch.exe	ipconfig.exe
PID 4456 wrote to memory of 2756	4456	Lag Switch.exe	ipconfig.exe
PID 4456 wrote to memory of 2756	4456	Lag Switch.exe	ipconfig.exe
PID 4456 wrote to memory of 4864	4456	Lag Switch.exe	ipconfig.exe
PID 4456 wrote to memory of 4864	4456	Lag Switch.exe	ipconfig.exe
PID 4456 wrote to memory of 4864	4456	Lag Switch.exe	ipconfig.exe
PID 4456 wrote to memory of 1556	4456	Lag Switch.exe	ipconfig.exe
PID 4456 wrote to memory of 1556	4456	Lag Switch.exe	ipconfig.exe
PID 4456 wrote to memory of 1556	4456	Lag Switch.exe	ipconfig.exe
PID 4456 wrote to memory of 5004	4456	Lag Switch.exe	ipconfig.exe
PID 4456 wrote to memory of 5004	4456	Lag Switch.exe	ipconfig.exe
PID 4456 wrote to memory of 5004	4456	Lag Switch.exe	ipconfig.exe
PID 4456 wrote to memory of 4180	4456	Lag Switch.exe	ipconfig.exe
PID 4456 wrote to memory of 4180	4456	Lag Switch.exe	ipconfig.exe
PID 4456 wrote to memory of 4180	4456	Lag Switch.exe	ipconfig.exe
PID 4456 wrote to memory of 5024	4456	Lag Switch.exe	ipconfig.exe
PID 4456 wrote to memory of 5024	4456	Lag Switch.exe	ipconfig.exe
PID 4456 wrote to memory of 5024	4456	Lag Switch.exe	ipconfig.exe
PID 4456 wrote to memory of 4784	4456	Lag Switch.exe	ipconfig.exe
PID 4456 wrote to memory of 4784	4456	Lag Switch.exe	ipconfig.exe
PID 4456 wrote to memory of 4784	4456	Lag Switch.exe	ipconfig.exe

C:\Users\Admin\AppData\Local\Temp\Lag Switch.exe
"C:\Users\Admin\AppData\Local\Temp\Lag Switch.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4456

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\System32\ipconfig.exe" /release
2⤵
- Gathers network information
PID:2664

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\System32\ipconfig.exe" /renew
2⤵
- Gathers network information
PID:3548

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\System32\ipconfig.exe" /release
2⤵
- Gathers network information
PID:3672

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\System32\ipconfig.exe" /renew
2⤵
- Gathers network information
PID:2756

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\System32\ipconfig.exe" /release
2⤵
- Gathers network information
PID:4864

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\System32\ipconfig.exe" /renew
2⤵
- Gathers network information
PID:1556

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\System32\ipconfig.exe" /release
2⤵
- Gathers network information
PID:5004

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\System32\ipconfig.exe" /renew
2⤵
- Gathers network information
PID:4180

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\System32\ipconfig.exe" /release
2⤵
- Gathers network information
PID:5024

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\System32\ipconfig.exe" /renew
2⤵
- Gathers network information
PID:4784

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4456-117-0x0000000000690000-0x0000000000ACC000-memory.dmp

Filesize
4.2MB

Download
memory/4456-118-0x0000000005850000-0x0000000005D4E000-memory.dmp

Filesize
5.0MB

Download
memory/4456-119-0x0000000005440000-0x00000000054D2000-memory.dmp

Filesize
584KB

Download
memory/4456-120-0x0000000005560000-0x000000000556A000-memory.dmp

Filesize
40KB

Download
memory/4456-121-0x0000000005570000-0x0000000005580000-memory.dmp

Filesize
64KB

Download
memory/4456-122-0x0000000005570000-0x0000000005580000-memory.dmp

Filesize
64KB

Download
memory/4456-123-0x0000000005570000-0x0000000005580000-memory.dmp

Filesize
64KB

Download
memory/4456-124-0x0000000005570000-0x0000000005580000-memory.dmp

Filesize
64KB

Download