Analysis
- max time kernel: 135s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-06-2023 06:02
Static task: static1
Behavioral task: behavioral1
Sample: 623f82c9bc2ff09fc9cfa027e69cfc00c3f7fc3995e8bef8748ebaf3fc9c1904.exe
Resource: win10v2004-20230220-en
General
- Target: 623f82c9bc2ff09fc9cfa027e69cfc00c3f7fc3995e8bef8748ebaf3fc9c1904.exe
- Size: 207KB
- MD5: 7dc001f7b0896cc92b77159ce2cb8dfa
- SHA1: 9b0d856d3ac42ec47789b11fa53583e198e061ba
- SHA256: 623f82c9bc2ff09fc9cfa027e69cfc00c3f7fc3995e8bef8748ebaf3fc9c1904
- SHA512: f49873d29706e8170e7a0dd70274fceb46e3dbf87d81e6ba8934c6e4b880ee5fb24514bfa994fa50ff95740812716004d4388b892088c5d179928600cb8e41a3
- SSDEEP: 3072:H/DmgskHbfHN+Pst60p0zuNmnKG7peNMQbuZAIqbey3lfbi:fDmfAfHN+wiuInRexuZAIij
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    - 623f82c9bc2ff09fc9cfa027e69cfc00c3f7fc3995e8bef8748ebaf3fc9c1904.exe: key value queried \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation
    - lamod.exe: key value queried \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation
- Executes dropped EXE (3 IoCs)
  Processes:
    - PID 2084 lamod.exe
    - PID 384 lamod.exe
    - PID 4900 lamod.exe
- Loads dropped DLL (1 IoC)
  Processes:
    - PID 4772 rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes:
    - PID 232 623f82c9bc2ff09fc9cfa027e69cfc00c3f7fc3995e8bef8748ebaf3fc9c1904.exe
- Suspicious use of WriteProcessMemory (30 IoCs)
  Processes (source PID and process -> target PID and process; each pair was recorded 3 times):
    - PID 232 623f82c9bc2ff09fc9cfa027e69cfc00c3f7fc3995e8bef8748ebaf3fc9c1904.exe -> PID 2084 lamod.exe
    - PID 2084 lamod.exe -> PID 732 schtasks.exe
    - PID 2084 lamod.exe -> PID 2276 cmd.exe
    - PID 2276 cmd.exe -> PID 1492 cmd.exe
    - PID 2276 cmd.exe -> PID 4416 cacls.exe
    - PID 2276 cmd.exe -> PID 5048 cacls.exe
    - PID 2276 cmd.exe -> PID 2860 cmd.exe
    - PID 2276 cmd.exe -> PID 4916 cacls.exe
    - PID 2276 cmd.exe -> PID 5072 cacls.exe
    - PID 2084 lamod.exe -> PID 4772 rundll32.exe
Processes (tree; the bracketed number is the nesting depth of the process)
- [1] C:\Users\Admin\AppData\Local\Temp\623f82c9bc2ff09fc9cfa027e69cfc00c3f7fc3995e8bef8748ebaf3fc9c1904.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\623f82c9bc2ff09fc9cfa027e69cfc00c3f7fc3995e8bef8748ebaf3fc9c1904.exe"
  - Checks computer location settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN lamod.exe /TR "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe" /F
      - Creates scheduled task(s)
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "lamod.exe" /P "Admin:N"&&CACLS "lamod.exe" /P "Admin:R" /E&&echo Y|CACLS "..\a9e2a16078" /P "Admin:N"&&CACLS "..\a9e2a16078" /P "Admin:R" /E&&Exit
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      - [4] C:\Windows\SysWOW64\cacls.exe
        Command line: CACLS "lamod.exe" /P "Admin:N"
      - [4] C:\Windows\SysWOW64\cacls.exe
        Command line: CACLS "lamod.exe" /P "Admin:R" /E
      - [4] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      - [4] C:\Windows\SysWOW64\cacls.exe
        Command line: CACLS "..\a9e2a16078" /P "Admin:N"
      - [4] C:\Windows\SysWOW64\cacls.exe
        Command line: CACLS "..\a9e2a16078" /P "Admin:R" /E
    - [3] C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      - Loads dropped DLL
- [1] C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
  - Executes dropped EXE
- [1] C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
  Filesize: 207KB
  MD5: 7dc001f7b0896cc92b77159ce2cb8dfa
  SHA1: 9b0d856d3ac42ec47789b11fa53583e198e061ba
  SHA256: 623f82c9bc2ff09fc9cfa027e69cfc00c3f7fc3995e8bef8748ebaf3fc9c1904
  SHA512: f49873d29706e8170e7a0dd70274fceb46e3dbf87d81e6ba8934c6e4b880ee5fb24514bfa994fa50ff95740812716004d4388b892088c5d179928600cb8e41a3
- C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
  Filesize: 89KB
  MD5: a5ed103ec4719a27ab3d3c01dac66f01
  SHA1: c830d6980d7edea60568a518eccd36c0bc2a4924
  SHA256: dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36
  SHA512: b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80
- C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
  Filesize: 162B
  MD5: 1b7c22a214949975556626d7217e9a39
  SHA1: d01c97e2944166ed23e47e4a62ff471ab8fa031f
  SHA256: 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
  SHA512: ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5