3beb6926f920b26bb1a7ca4f8cee1f20eeea2bc660ddd2b16b04c7cd01d97231

Analysis

max time kernel
111s
max time network
127s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
08/06/2023, 02:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2fd6cdf7c8f3cb7f6cfe19ad9f0bb8ac.exe
Size

206KB
MD5

2fd6cdf7c8f3cb7f6cfe19ad9f0bb8ac
SHA1

7c07447426c8b0188c01b8d49a347da2c42c45ab
SHA256

3beb6926f920b26bb1a7ca4f8cee1f20eeea2bc660ddd2b16b04c7cd01d97231
SHA512

607e5e1e51858cfc920da5bf6eca67f5643818dbad35caff6b70d9cf9751c189d529fc8633224b8c7a486a684cbb44a353b5372515ef4483ae5d55caa84c2c7b
SSDEEP

3072:H/DmgskHbfHN+Pst60p0zuNmnKG7peNMQbuZAIqbey3lfbi:fDmfAfHN+wiuInRexuZAIij

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1128	lamod.exe
1988	lamod.exe
1700	lamod.exe

Loads dropped DLL 5 IoCs

pid	Process
2036	2fd6cdf7c8f3cb7f6cfe19ad9f0bb8ac.exe
848	rundll32.exe
848	rundll32.exe
848	rundll32.exe
848	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1856	schtasks.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2036	2fd6cdf7c8f3cb7f6cfe19ad9f0bb8ac.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1128	2036	2fd6cdf7c8f3cb7f6cfe19ad9f0bb8ac.exe	27
PID 2036 wrote to memory of 1128	2036	2fd6cdf7c8f3cb7f6cfe19ad9f0bb8ac.exe	27
PID 2036 wrote to memory of 1128	2036	2fd6cdf7c8f3cb7f6cfe19ad9f0bb8ac.exe	27
PID 2036 wrote to memory of 1128	2036	2fd6cdf7c8f3cb7f6cfe19ad9f0bb8ac.exe	27
PID 1128 wrote to memory of 1856	1128	lamod.exe	28
PID 1128 wrote to memory of 1856	1128	lamod.exe	28
PID 1128 wrote to memory of 1856	1128	lamod.exe	28
PID 1128 wrote to memory of 1856	1128	lamod.exe	28
PID 1128 wrote to memory of 860	1128	lamod.exe	30
PID 1128 wrote to memory of 860	1128	lamod.exe	30
PID 1128 wrote to memory of 860	1128	lamod.exe	30
PID 1128 wrote to memory of 860	1128	lamod.exe	30
PID 860 wrote to memory of 1676	860	cmd.exe	32
PID 860 wrote to memory of 1676	860	cmd.exe	32
PID 860 wrote to memory of 1676	860	cmd.exe	32
PID 860 wrote to memory of 1676	860	cmd.exe	32
PID 860 wrote to memory of 1944	860	cmd.exe	33
PID 860 wrote to memory of 1944	860	cmd.exe	33
PID 860 wrote to memory of 1944	860	cmd.exe	33
PID 860 wrote to memory of 1944	860	cmd.exe	33
PID 860 wrote to memory of 980	860	cmd.exe	34
PID 860 wrote to memory of 980	860	cmd.exe	34
PID 860 wrote to memory of 980	860	cmd.exe	34
PID 860 wrote to memory of 980	860	cmd.exe	34
PID 860 wrote to memory of 1872	860	cmd.exe	35
PID 860 wrote to memory of 1872	860	cmd.exe	35
PID 860 wrote to memory of 1872	860	cmd.exe	35
PID 860 wrote to memory of 1872	860	cmd.exe	35
PID 860 wrote to memory of 392	860	cmd.exe	36
PID 860 wrote to memory of 392	860	cmd.exe	36
PID 860 wrote to memory of 392	860	cmd.exe	36
PID 860 wrote to memory of 392	860	cmd.exe	36
PID 860 wrote to memory of 824	860	cmd.exe	37
PID 860 wrote to memory of 824	860	cmd.exe	37
PID 860 wrote to memory of 824	860	cmd.exe	37
PID 860 wrote to memory of 824	860	cmd.exe	37
PID 1440 wrote to memory of 1988	1440	taskeng.exe	41
PID 1440 wrote to memory of 1988	1440	taskeng.exe	41
PID 1440 wrote to memory of 1988	1440	taskeng.exe	41
PID 1440 wrote to memory of 1988	1440	taskeng.exe	41
PID 1128 wrote to memory of 848	1128	lamod.exe	42
PID 1128 wrote to memory of 848	1128	lamod.exe	42
PID 1128 wrote to memory of 848	1128	lamod.exe	42
PID 1128 wrote to memory of 848	1128	lamod.exe	42
PID 1128 wrote to memory of 848	1128	lamod.exe	42
PID 1128 wrote to memory of 848	1128	lamod.exe	42
PID 1128 wrote to memory of 848	1128	lamod.exe	42
PID 1440 wrote to memory of 1700	1440	taskeng.exe	43
PID 1440 wrote to memory of 1700	1440	taskeng.exe	43
PID 1440 wrote to memory of 1700	1440	taskeng.exe	43
PID 1440 wrote to memory of 1700	1440	taskeng.exe	43

C:\Users\Admin\AppData\Local\Temp\2fd6cdf7c8f3cb7f6cfe19ad9f0bb8ac.exe
"C:\Users\Admin\AppData\Local\Temp\2fd6cdf7c8f3cb7f6cfe19ad9f0bb8ac.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
  "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN lamod.exe /TR "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:1856
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "lamod.exe" /P "Admin:N"&&CACLS "lamod.exe" /P "Admin:R" /E&&echo Y|CACLS "..\a9e2a16078" /P "Admin:N"&&CACLS "..\a9e2a16078" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:860
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:1676
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "lamod.exe" /P "Admin:N"
      4⤵
      PID:1944
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "lamod.exe" /P "Admin:R" /E
      4⤵
      PID:980
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:1872
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\a9e2a16078" /P "Admin:N"
      4⤵
      PID:392
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\a9e2a16078" /P "Admin:R" /E
      4⤵
      PID:824
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:848

C:\Windows\system32\taskeng.exe
taskeng.exe {86EB0181-0E2D-445F-8FEF-F203BA7CC19A} S-1-5-21-3948302646-268491222-1934009652-1000:KXZDHPUW\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1440
- C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
  C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
  C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
  2⤵
  - Executes dropped EXE
  PID:1700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
206KB

MD5
2fd6cdf7c8f3cb7f6cfe19ad9f0bb8ac

SHA1
7c07447426c8b0188c01b8d49a347da2c42c45ab

SHA256
3beb6926f920b26bb1a7ca4f8cee1f20eeea2bc660ddd2b16b04c7cd01d97231

SHA512
607e5e1e51858cfc920da5bf6eca67f5643818dbad35caff6b70d9cf9751c189d529fc8633224b8c7a486a684cbb44a353b5372515ef4483ae5d55caa84c2c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
206KB

MD5
2fd6cdf7c8f3cb7f6cfe19ad9f0bb8ac

SHA1
7c07447426c8b0188c01b8d49a347da2c42c45ab

SHA256
3beb6926f920b26bb1a7ca4f8cee1f20eeea2bc660ddd2b16b04c7cd01d97231

SHA512
607e5e1e51858cfc920da5bf6eca67f5643818dbad35caff6b70d9cf9751c189d529fc8633224b8c7a486a684cbb44a353b5372515ef4483ae5d55caa84c2c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
206KB

MD5
2fd6cdf7c8f3cb7f6cfe19ad9f0bb8ac

SHA1
7c07447426c8b0188c01b8d49a347da2c42c45ab

SHA256
3beb6926f920b26bb1a7ca4f8cee1f20eeea2bc660ddd2b16b04c7cd01d97231

SHA512
607e5e1e51858cfc920da5bf6eca67f5643818dbad35caff6b70d9cf9751c189d529fc8633224b8c7a486a684cbb44a353b5372515ef4483ae5d55caa84c2c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
206KB

MD5
2fd6cdf7c8f3cb7f6cfe19ad9f0bb8ac

SHA1
7c07447426c8b0188c01b8d49a347da2c42c45ab

SHA256
3beb6926f920b26bb1a7ca4f8cee1f20eeea2bc660ddd2b16b04c7cd01d97231

SHA512
607e5e1e51858cfc920da5bf6eca67f5643818dbad35caff6b70d9cf9751c189d529fc8633224b8c7a486a684cbb44a353b5372515ef4483ae5d55caa84c2c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
206KB

MD5
2fd6cdf7c8f3cb7f6cfe19ad9f0bb8ac

SHA1
7c07447426c8b0188c01b8d49a347da2c42c45ab

SHA256
3beb6926f920b26bb1a7ca4f8cee1f20eeea2bc660ddd2b16b04c7cd01d97231

SHA512
607e5e1e51858cfc920da5bf6eca67f5643818dbad35caff6b70d9cf9751c189d529fc8633224b8c7a486a684cbb44a353b5372515ef4483ae5d55caa84c2c7b

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
206KB

MD5
2fd6cdf7c8f3cb7f6cfe19ad9f0bb8ac

SHA1
7c07447426c8b0188c01b8d49a347da2c42c45ab

SHA256
3beb6926f920b26bb1a7ca4f8cee1f20eeea2bc660ddd2b16b04c7cd01d97231

SHA512
607e5e1e51858cfc920da5bf6eca67f5643818dbad35caff6b70d9cf9751c189d529fc8633224b8c7a486a684cbb44a353b5372515ef4483ae5d55caa84c2c7b

Download Submit
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads