35d56692db82843b21a275805880b8c1444eaebbbf21dfd4205474c002068cdd

Analysis

max time kernel
140s
max time network
125s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
07/06/2023, 19:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35d56692db82843b21a275805880b8c1444eaebbbf21dfd4205474c002068cdd.exe
Size

206KB
MD5

c0fab5d39c65d14e2fa524bd17638230
SHA1

6de5ece12a7f3c7099cfd38473fc53828e66c67a
SHA256

35d56692db82843b21a275805880b8c1444eaebbbf21dfd4205474c002068cdd
SHA512

9daecc6fee75dd00d89632f479748c93d4a329ed2a99174fb594b924e15c729b90aaaadba998fe1df649cdd873eaa788ea37f43779977bd67d196375cb15fa9d
SSDEEP

3072:H/DmgskHbfHN+Pst60p0zuNmnKG7peNMQbuZAIqbey3lfbi:fDmfAfHN+wiuInRexuZAIij

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2404	lamod.exe
3368	lamod.exe
4380	lamod.exe
1496	lamod.exe

Loads dropped DLL 1 IoCs

pid	Process
2812	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2852	schtasks.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2008	35d56692db82843b21a275805880b8c1444eaebbbf21dfd4205474c002068cdd.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 2404	2008	35d56692db82843b21a275805880b8c1444eaebbbf21dfd4205474c002068cdd.exe	66
PID 2008 wrote to memory of 2404	2008	35d56692db82843b21a275805880b8c1444eaebbbf21dfd4205474c002068cdd.exe	66
PID 2008 wrote to memory of 2404	2008	35d56692db82843b21a275805880b8c1444eaebbbf21dfd4205474c002068cdd.exe	66
PID 2404 wrote to memory of 2852	2404	lamod.exe	67
PID 2404 wrote to memory of 2852	2404	lamod.exe	67
PID 2404 wrote to memory of 2852	2404	lamod.exe	67
PID 2404 wrote to memory of 3172	2404	lamod.exe	69
PID 2404 wrote to memory of 3172	2404	lamod.exe	69
PID 2404 wrote to memory of 3172	2404	lamod.exe	69
PID 3172 wrote to memory of 4208	3172	cmd.exe	71
PID 3172 wrote to memory of 4208	3172	cmd.exe	71
PID 3172 wrote to memory of 4208	3172	cmd.exe	71
PID 3172 wrote to memory of 4220	3172	cmd.exe	72
PID 3172 wrote to memory of 4220	3172	cmd.exe	72
PID 3172 wrote to memory of 4220	3172	cmd.exe	72
PID 3172 wrote to memory of 4240	3172	cmd.exe	73
PID 3172 wrote to memory of 4240	3172	cmd.exe	73
PID 3172 wrote to memory of 4240	3172	cmd.exe	73
PID 3172 wrote to memory of 4128	3172	cmd.exe	74
PID 3172 wrote to memory of 4128	3172	cmd.exe	74
PID 3172 wrote to memory of 4128	3172	cmd.exe	74
PID 3172 wrote to memory of 4116	3172	cmd.exe	75
PID 3172 wrote to memory of 4116	3172	cmd.exe	75
PID 3172 wrote to memory of 4116	3172	cmd.exe	75
PID 3172 wrote to memory of 4008	3172	cmd.exe	76
PID 3172 wrote to memory of 4008	3172	cmd.exe	76
PID 3172 wrote to memory of 4008	3172	cmd.exe	76
PID 2404 wrote to memory of 2812	2404	lamod.exe	78
PID 2404 wrote to memory of 2812	2404	lamod.exe	78
PID 2404 wrote to memory of 2812	2404	lamod.exe	78

C:\Users\Admin\AppData\Local\Temp\35d56692db82843b21a275805880b8c1444eaebbbf21dfd4205474c002068cdd.exe
"C:\Users\Admin\AppData\Local\Temp\35d56692db82843b21a275805880b8c1444eaebbbf21dfd4205474c002068cdd.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
  "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN lamod.exe /TR "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:2852
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "lamod.exe" /P "Admin:N"&&CACLS "lamod.exe" /P "Admin:R" /E&&echo Y|CACLS "..\a9e2a16078" /P "Admin:N"&&CACLS "..\a9e2a16078" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3172
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:4208
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "lamod.exe" /P "Admin:N"
      4⤵
      PID:4220
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "lamod.exe" /P "Admin:R" /E
      4⤵
      PID:4240
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:4128
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\a9e2a16078" /P "Admin:N"
      4⤵
      PID:4116
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\a9e2a16078" /P "Admin:R" /E
      4⤵
      PID:4008
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:2812

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:3368

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:4380

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:1496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
206KB

MD5
c0fab5d39c65d14e2fa524bd17638230

SHA1
6de5ece12a7f3c7099cfd38473fc53828e66c67a

SHA256
35d56692db82843b21a275805880b8c1444eaebbbf21dfd4205474c002068cdd

SHA512
9daecc6fee75dd00d89632f479748c93d4a329ed2a99174fb594b924e15c729b90aaaadba998fe1df649cdd873eaa788ea37f43779977bd67d196375cb15fa9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
206KB

MD5
c0fab5d39c65d14e2fa524bd17638230

SHA1
6de5ece12a7f3c7099cfd38473fc53828e66c67a

SHA256
35d56692db82843b21a275805880b8c1444eaebbbf21dfd4205474c002068cdd

SHA512
9daecc6fee75dd00d89632f479748c93d4a329ed2a99174fb594b924e15c729b90aaaadba998fe1df649cdd873eaa788ea37f43779977bd67d196375cb15fa9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
206KB

MD5
c0fab5d39c65d14e2fa524bd17638230

SHA1
6de5ece12a7f3c7099cfd38473fc53828e66c67a

SHA256
35d56692db82843b21a275805880b8c1444eaebbbf21dfd4205474c002068cdd

SHA512
9daecc6fee75dd00d89632f479748c93d4a329ed2a99174fb594b924e15c729b90aaaadba998fe1df649cdd873eaa788ea37f43779977bd67d196375cb15fa9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
206KB

MD5
c0fab5d39c65d14e2fa524bd17638230

SHA1
6de5ece12a7f3c7099cfd38473fc53828e66c67a

SHA256
35d56692db82843b21a275805880b8c1444eaebbbf21dfd4205474c002068cdd

SHA512
9daecc6fee75dd00d89632f479748c93d4a329ed2a99174fb594b924e15c729b90aaaadba998fe1df649cdd873eaa788ea37f43779977bd67d196375cb15fa9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
206KB

MD5
c0fab5d39c65d14e2fa524bd17638230

SHA1
6de5ece12a7f3c7099cfd38473fc53828e66c67a

SHA256
35d56692db82843b21a275805880b8c1444eaebbbf21dfd4205474c002068cdd

SHA512
9daecc6fee75dd00d89632f479748c93d4a329ed2a99174fb594b924e15c729b90aaaadba998fe1df649cdd873eaa788ea37f43779977bd67d196375cb15fa9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
206KB

MD5
c0fab5d39c65d14e2fa524bd17638230

SHA1
6de5ece12a7f3c7099cfd38473fc53828e66c67a

SHA256
35d56692db82843b21a275805880b8c1444eaebbbf21dfd4205474c002068cdd

SHA512
9daecc6fee75dd00d89632f479748c93d4a329ed2a99174fb594b924e15c729b90aaaadba998fe1df649cdd873eaa788ea37f43779977bd67d196375cb15fa9d

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads