24324af517ae0675f0788d957290cc9989005bca9dc0321c84bb9c33b6536931

Analysis

max time kernel
146s
max time network
148s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
08/06/2023, 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24324af517ae0675f0788d957290cc9989005bca9dc0321c84bb9c33b6536931.exe
Size

209KB
MD5

1389defa51d53b043b8f3b355e6bb8c7
SHA1

74b76cafc9f65c149196a181cd839c393270c404
SHA256

24324af517ae0675f0788d957290cc9989005bca9dc0321c84bb9c33b6536931
SHA512

33e25e3e7928419fcc406c8e3c8e05bb3158d8a60cc33a54db271313a126aedc2e63f8a28a93ab2323e14b51ced6980eaf15367ea6d1efebce5c14ab076277d2
SSDEEP

3072:H/DmgskHbfHN+Pst60p0zuNmnKG7peNMQbuZAIqbey3lfbi:fDmfAfHN+wiuInRexuZAIij

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4816	lamod.exe
2236	lamod.exe
4788	lamod.exe
4332	lamod.exe

Loads dropped DLL 1 IoCs

pid	Process
4772	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1516	schtasks.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4052	24324af517ae0675f0788d957290cc9989005bca9dc0321c84bb9c33b6536931.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 4816	4052	24324af517ae0675f0788d957290cc9989005bca9dc0321c84bb9c33b6536931.exe	67
PID 4052 wrote to memory of 4816	4052	24324af517ae0675f0788d957290cc9989005bca9dc0321c84bb9c33b6536931.exe	67
PID 4052 wrote to memory of 4816	4052	24324af517ae0675f0788d957290cc9989005bca9dc0321c84bb9c33b6536931.exe	67
PID 4816 wrote to memory of 1516	4816	lamod.exe	68
PID 4816 wrote to memory of 1516	4816	lamod.exe	68
PID 4816 wrote to memory of 1516	4816	lamod.exe	68
PID 4816 wrote to memory of 3548	4816	lamod.exe	70
PID 4816 wrote to memory of 3548	4816	lamod.exe	70
PID 4816 wrote to memory of 3548	4816	lamod.exe	70
PID 3548 wrote to memory of 2400	3548	cmd.exe	72
PID 3548 wrote to memory of 2400	3548	cmd.exe	72
PID 3548 wrote to memory of 2400	3548	cmd.exe	72
PID 3548 wrote to memory of 2396	3548	cmd.exe	73
PID 3548 wrote to memory of 2396	3548	cmd.exe	73
PID 3548 wrote to memory of 2396	3548	cmd.exe	73
PID 3548 wrote to memory of 3936	3548	cmd.exe	74
PID 3548 wrote to memory of 3936	3548	cmd.exe	74
PID 3548 wrote to memory of 3936	3548	cmd.exe	74
PID 3548 wrote to memory of 4716	3548	cmd.exe	75
PID 3548 wrote to memory of 4716	3548	cmd.exe	75
PID 3548 wrote to memory of 4716	3548	cmd.exe	75
PID 3548 wrote to memory of 2536	3548	cmd.exe	76
PID 3548 wrote to memory of 2536	3548	cmd.exe	76
PID 3548 wrote to memory of 2536	3548	cmd.exe	76
PID 3548 wrote to memory of 1416	3548	cmd.exe	77
PID 3548 wrote to memory of 1416	3548	cmd.exe	77
PID 3548 wrote to memory of 1416	3548	cmd.exe	77
PID 4816 wrote to memory of 4772	4816	lamod.exe	79
PID 4816 wrote to memory of 4772	4816	lamod.exe	79
PID 4816 wrote to memory of 4772	4816	lamod.exe	79

C:\Users\Admin\AppData\Local\Temp\24324af517ae0675f0788d957290cc9989005bca9dc0321c84bb9c33b6536931.exe
"C:\Users\Admin\AppData\Local\Temp\24324af517ae0675f0788d957290cc9989005bca9dc0321c84bb9c33b6536931.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
  "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN lamod.exe /TR "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:1516
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "lamod.exe" /P "Admin:N"&&CACLS "lamod.exe" /P "Admin:R" /E&&echo Y|CACLS "..\a9e2a16078" /P "Admin:N"&&CACLS "..\a9e2a16078" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3548
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:2400
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "lamod.exe" /P "Admin:N"
      4⤵
      PID:2396
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "lamod.exe" /P "Admin:R" /E
      4⤵
      PID:3936
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:4716
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\a9e2a16078" /P "Admin:N"
      4⤵
      PID:2536
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\a9e2a16078" /P "Admin:R" /E
      4⤵
      PID:1416
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:4772

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:2236

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:4788

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:4332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
209KB

MD5
1389defa51d53b043b8f3b355e6bb8c7

SHA1
74b76cafc9f65c149196a181cd839c393270c404

SHA256
24324af517ae0675f0788d957290cc9989005bca9dc0321c84bb9c33b6536931

SHA512
33e25e3e7928419fcc406c8e3c8e05bb3158d8a60cc33a54db271313a126aedc2e63f8a28a93ab2323e14b51ced6980eaf15367ea6d1efebce5c14ab076277d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
209KB

MD5
1389defa51d53b043b8f3b355e6bb8c7

SHA1
74b76cafc9f65c149196a181cd839c393270c404

SHA256
24324af517ae0675f0788d957290cc9989005bca9dc0321c84bb9c33b6536931

SHA512
33e25e3e7928419fcc406c8e3c8e05bb3158d8a60cc33a54db271313a126aedc2e63f8a28a93ab2323e14b51ced6980eaf15367ea6d1efebce5c14ab076277d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
209KB

MD5
1389defa51d53b043b8f3b355e6bb8c7

SHA1
74b76cafc9f65c149196a181cd839c393270c404

SHA256
24324af517ae0675f0788d957290cc9989005bca9dc0321c84bb9c33b6536931

SHA512
33e25e3e7928419fcc406c8e3c8e05bb3158d8a60cc33a54db271313a126aedc2e63f8a28a93ab2323e14b51ced6980eaf15367ea6d1efebce5c14ab076277d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
209KB

MD5
1389defa51d53b043b8f3b355e6bb8c7

SHA1
74b76cafc9f65c149196a181cd839c393270c404

SHA256
24324af517ae0675f0788d957290cc9989005bca9dc0321c84bb9c33b6536931

SHA512
33e25e3e7928419fcc406c8e3c8e05bb3158d8a60cc33a54db271313a126aedc2e63f8a28a93ab2323e14b51ced6980eaf15367ea6d1efebce5c14ab076277d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
209KB

MD5
1389defa51d53b043b8f3b355e6bb8c7

SHA1
74b76cafc9f65c149196a181cd839c393270c404

SHA256
24324af517ae0675f0788d957290cc9989005bca9dc0321c84bb9c33b6536931

SHA512
33e25e3e7928419fcc406c8e3c8e05bb3158d8a60cc33a54db271313a126aedc2e63f8a28a93ab2323e14b51ced6980eaf15367ea6d1efebce5c14ab076277d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
209KB

MD5
1389defa51d53b043b8f3b355e6bb8c7

SHA1
74b76cafc9f65c149196a181cd839c393270c404

SHA256
24324af517ae0675f0788d957290cc9989005bca9dc0321c84bb9c33b6536931

SHA512
33e25e3e7928419fcc406c8e3c8e05bb3158d8a60cc33a54db271313a126aedc2e63f8a28a93ab2323e14b51ced6980eaf15367ea6d1efebce5c14ab076277d2

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads