891b241b2ab4ecd192b6755f69f0a157af9cfe2fc0f932e2ece169e1f67f63c7

Analysis

max time kernel
52s
max time network
57s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
07/08/2023, 01:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LotusTaleLauncher.exe
Size

10.4MB
MD5

7f036fcc3a0e09e12d23c21a32f23a8d
SHA1

7c630f43737fe091491303c7a416e149e28e1455
SHA256

891b241b2ab4ecd192b6755f69f0a157af9cfe2fc0f932e2ece169e1f67f63c7
SHA512

f7105f2128bea20524961b1e1bb2c335341d942ea6e8058c87d9d84476f74fa3dad58fca1b5a6d5518ea640a63a2d55810fe920908dd06d702db5a9e6b653b7d
SSDEEP

196608:kWw15GSNTwtY9qQ/OOq1oDYUFLX7xpe+6gYRBxfwtPtcDvlDBK/cR:kgs0Y9q+q1oDYUVeyYRaFqlDcs

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2800	LotusTaleLauncher.exe
2800	LotusTaleLauncher.exe
2800	LotusTaleLauncher.exe
2800	LotusTaleLauncher.exe
2800	LotusTaleLauncher.exe
2800	LotusTaleLauncher.exe
2800	LotusTaleLauncher.exe
2800	LotusTaleLauncher.exe
2800	LotusTaleLauncher.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2800	LotusTaleLauncher.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 2812	2800	LotusTaleLauncher.exe	30
PID 2800 wrote to memory of 2812	2800	LotusTaleLauncher.exe	30
PID 2800 wrote to memory of 2812	2800	LotusTaleLauncher.exe	30

C:\Users\Admin\AppData\Local\Temp\LotusTaleLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\LotusTaleLauncher.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start NtConfig.exe
  2⤵
  PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2800-54-0x0000000000D00000-0x0000000001778000-memory.dmp

Filesize
10.5MB

Download
memory/2800-55-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp

Filesize
9.9MB

Download
memory/2800-56-0x000000001B9C0000-0x000000001BA40000-memory.dmp

Filesize
512KB

Download
memory/2800-57-0x000000001B9C0000-0x000000001BA40000-memory.dmp

Filesize
512KB

Download
memory/2800-59-0x0000000002D40000-0x0000000002D9A000-memory.dmp

Filesize
360KB

Download
memory/2800-58-0x000000001B9C0000-0x000000001BA40000-memory.dmp

Filesize
512KB

Download
memory/2800-61-0x0000000002DD0000-0x0000000002DD8000-memory.dmp

Filesize
32KB

Download
memory/2800-60-0x0000000002DA0000-0x0000000002DC6000-memory.dmp

Filesize
152KB

Download
memory/2800-62-0x000000001B290000-0x000000001B298000-memory.dmp

Filesize
32KB

Download
memory/2800-63-0x000000001B2A0000-0x000000001B2B4000-memory.dmp

Filesize
80KB

Download
memory/2800-64-0x000000001B880000-0x000000001B89E000-memory.dmp

Filesize
120KB

Download
memory/2800-65-0x000000001B280000-0x000000001B28A000-memory.dmp

Filesize
40KB

Download
memory/2800-66-0x000000001B6A0000-0x000000001B6AA000-memory.dmp

Filesize
40KB

Download
memory/2800-67-0x000000001B920000-0x000000001B92A000-memory.dmp

Filesize
40KB

Download
memory/2800-69-0x000000001B9C0000-0x000000001BA40000-memory.dmp

Filesize
512KB

Download
memory/2800-70-0x000000001B9C0000-0x000000001BA40000-memory.dmp

Filesize
512KB

Download
memory/2800-71-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp

Filesize
9.9MB

Download
memory/2800-72-0x000000001B9C0000-0x000000001BA40000-memory.dmp

Filesize
512KB

Download
memory/2800-73-0x000000001B9C0000-0x000000001BA40000-memory.dmp

Filesize
512KB

Download
memory/2800-74-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp

Filesize
9.9MB

Download