Overview

overview

8

Static

static

3

LCALPC.exe

windows7-x64

3

LCALPC.exe

windows10-2004-x64

8

Resubmissions

18/09/2023, 11:22

230918-ngklgsgh6w 8

18/09/2023, 11:20

230918-nfx57agh51 7

18/09/2023, 04:17

230918-ewdbaaeh8s 3

Analysis

  • max time kernel
    110s
  • max time network
    117s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/09/2023, 11:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LCALPC.exe

  • Size

    3.3MB

  • MD5

    4c268a0c963b7809565ce22c296a8c79

  • SHA1

    8c218f1d34d56a4feae367e019c958175286c993

  • SHA256

    112a0ff26e12fdd7fd499eec86d2050fa12eb5d9a74ec9f5cfc820c676f88409

  • SHA512

    1e6372a932832e4df14adb7d584fce6d594571354d753af597a46f60936d4d492543d07f3158c3c4b85dd8303300095d090b28b08426415c0305bd06b095f851

  • SSDEEP

    49152:XX3YnLOQYsZfQ74C6SkgSbXP31+frjUYuHi7nT8poTMFvfuJ1kZ7NrjHQe85QB:XlRsZ47/QXoHUOfAoj1x6B

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\LCALPC.exe
    "C:\Users\Admin\AppData\Local\Temp\LCALPC.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1276
    • C:\Windows\system32\wbem\wmic.exe
      wmic os get oslanguage /FORMAT:LIST
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4664
    • C:\Users\Admin\AppData\Local\Temp\LCALPC.exe
      "C:\Users\Admin\AppData\Local\Temp\LCALPC.exe" -fullinstall
      2⤵
      • Sets service image path in registry
      • Drops file in Program Files directory
      PID:3352
  • C:\Program Files\Mesh Agent\MeshAgent.exe
    "C:\Program Files\Mesh Agent\MeshAgent.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Modifies data under HKEY_USERS
    PID:1776
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4260
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1560
    • C:\Windows\System32\lykac0.exe
      "C:\Windows\System32\lykac0.exe"
      1⤵
        PID:3796
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /4
        1⤵
          PID:484
        • C:\Windows\system32\mmc.exe
          "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
          1⤵
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2256

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\Mesh Agent\MeshAgent.exe
          Filesize

          3.3MB

          MD5

          4c268a0c963b7809565ce22c296a8c79

          SHA1

          8c218f1d34d56a4feae367e019c958175286c993

          SHA256

          112a0ff26e12fdd7fd499eec86d2050fa12eb5d9a74ec9f5cfc820c676f88409

          SHA512

          1e6372a932832e4df14adb7d584fce6d594571354d753af597a46f60936d4d492543d07f3158c3c4b85dd8303300095d090b28b08426415c0305bd06b095f851

          Download Submit

        • C:\Program Files\Mesh Agent\MeshAgent.exe
          Filesize

          3.3MB

          MD5

          4c268a0c963b7809565ce22c296a8c79

          SHA1

          8c218f1d34d56a4feae367e019c958175286c993

          SHA256

          112a0ff26e12fdd7fd499eec86d2050fa12eb5d9a74ec9f5cfc820c676f88409

          SHA512

          1e6372a932832e4df14adb7d584fce6d594571354d753af597a46f60936d4d492543d07f3158c3c4b85dd8303300095d090b28b08426415c0305bd06b095f851

          Download Submit

        • memory/2256-39-0x00007FFA2F9B0000-0x00007FFA30471000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2256-35-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2256-48-0x00007FFA2F9B0000-0x00007FFA30471000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2256-45-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2256-44-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2256-43-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2256-34-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2256-42-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2256-41-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2256-40-0x000000001FC50000-0x000000001FD50000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2256-33-0x00007FFA2F9B0000-0x00007FFA30471000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2256-38-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2256-37-0x00007FF451290000-0x00007FF4512A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2256-36-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4260-19-0x0000013FDE0C0000-0x0000013FDE0C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4260-28-0x0000013FDE0C0000-0x0000013FDE0C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4260-20-0x0000013FDE0C0000-0x0000013FDE0C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4260-30-0x0000013FDE0C0000-0x0000013FDE0C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4260-31-0x0000013FDE0C0000-0x0000013FDE0C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4260-29-0x0000013FDE0C0000-0x0000013FDE0C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4260-27-0x0000013FDE0C0000-0x0000013FDE0C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4260-26-0x0000013FDE0C0000-0x0000013FDE0C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4260-25-0x0000013FDE0C0000-0x0000013FDE0C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4260-21-0x0000013FDE0C0000-0x0000013FDE0C1000-memory.dmp

          Filesize

          4KB

          Download