Analysis
max time kernel: 152s
max time network: 135s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 11/10/2023, 19:06

Static task: static1
Behavioral task: behavioral1
  Sample: d98f926f3a2ea1308e2d80705591f91b_JC.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: d98f926f3a2ea1308e2d80705591f91b_JC.exe
  Resource: win10v2004-20230915-en
General
Target: d98f926f3a2ea1308e2d80705591f91b_JC.exe
Size: 472KB
MD5: d98f926f3a2ea1308e2d80705591f91b
SHA1: badd7d2f741c15d58139a1ebc3ac0f5152f195b1
SHA256: 17e75f28d1566e91fc1e91a7782da24b1cf215fb7d5c2dfd746d7d4808049318
SHA512: eac1f64906642702597a2952ab5817ff632d8aa1ebfb7a0dd759e6cff4309764621fd41abb03f703fe28bf564266c5e7d426df053fc8c4a75fc1ee9961a88338
SSDEEP: 6144:Wf+Jjjou35J6i5plrzuo6/LkeYvjoIHnv0RX/VwFdLD/7MsrYMC+9GXL9M8sG3dR:hj8u3ui5pl+uBvc/V0FdYxJdRqMt
Malware Config
Signatures
Executes dropped EXE 2 IoCs
pid | Process
2528 | LSASS.exe
884 | LSASS.exe
Loads dropped DLL 2 IoCs
pid | Process
2528 | LSASS.exe
2528 | LSASS.exe
Adds Run key to start application 2 TTPs 10 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d98f926f3a2ea1308e2d80705591f91b_JC.exe" | REG.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe" | REG.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe" | REG.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe" | REG.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d98f926f3a2ea1308e2d80705591f91b_JC.exe" | REG.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe" | REG.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe" | REG.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe" | REG.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe" | REG.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe" | REG.exe
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | LSASS.exe
File opened (read-only) | \??\P: | LSASS.exe
File opened (read-only) | \??\R: | LSASS.exe
File opened (read-only) | \??\V: | LSASS.exe
File opened (read-only) | \??\Z: | LSASS.exe
File opened (read-only) | \??\G: | LSASS.exe
File opened (read-only) | \??\K: | LSASS.exe
File opened (read-only) | \??\M: | LSASS.exe
File opened (read-only) | \??\N: | LSASS.exe
File opened (read-only) | \??\O: | LSASS.exe
File opened (read-only) | \??\Q: | LSASS.exe
File opened (read-only) | \??\S: | LSASS.exe
File opened (read-only) | \??\X: | LSASS.exe
File opened (read-only) | \??\Y: | LSASS.exe
File opened (read-only) | \??\I: | LSASS.exe
File opened (read-only) | \??\L: | LSASS.exe
File opened (read-only) | \??\W: | LSASS.exe
File opened (read-only) | \??\H: | LSASS.exe
File opened (read-only) | \??\J: | LSASS.exe
File opened (read-only) | \??\T: | LSASS.exe
File opened (read-only) | \??\U: | LSASS.exe
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File created | C:\autorun.inf | LSASS.exe
File opened for modification | C:\autorun.inf | LSASS.exe
File created | F:\autorun.inf | LSASS.exe
File opened for modification | F:\autorun.inf | LSASS.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\LSASS.exe | LSASS.exe
File created | C:\Windows\LSASS.exe | d98f926f3a2ea1308e2d80705591f91b_JC.exe
File opened for modification | C:\Windows\LSASS.exe | d98f926f3a2ea1308e2d80705591f91b_JC.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 59 IoCs
pid | Process
2860 | d98f926f3a2ea1308e2d80705591f91b_JC.exe
2528 | LSASS.exe
884 | LSASS.exe
2528 | LSASS.exe
Suspicious use of WriteProcessMemory 48 IoCs
description | pid | Process | procid_target
PID 2860 wrote to memory of 2528 | 2860 | d98f926f3a2ea1308e2d80705591f91b_JC.exe | 30
PID 2860 wrote to memory of 2708 | 2860 | d98f926f3a2ea1308e2d80705591f91b_JC.exe | 31
PID 2860 wrote to memory of 2688 | 2860 | d98f926f3a2ea1308e2d80705591f91b_JC.exe | 32
PID 2528 wrote to memory of 2536 | 2528 | LSASS.exe | 35
PID 2528 wrote to memory of 2560 | 2528 | LSASS.exe | 36
PID 2528 wrote to memory of 884 | 2528 | LSASS.exe | 39
PID 2528 wrote to memory of 2748 | 2528 | LSASS.exe | 40
PID 2528 wrote to memory of 2772 | 2528 | LSASS.exe | 41
PID 2528 wrote to memory of 1492 | 2528 | LSASS.exe | 44
PID 2528 wrote to memory of 1900 | 2528 | LSASS.exe | 45
PID 2528 wrote to memory of 2900 | 2528 | LSASS.exe | 48
PID 2528 wrote to memory of 2320 | 2528 | LSASS.exe | 50
Processes

C:\Users\Admin\AppData\Local\Temp\d98f926f3a2ea1308e2d80705591f91b_JC.exe (PID 2860)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d98f926f3a2ea1308e2d80705591f91b_JC.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\LSASS.exe (PID 2528)
    Command line: "C:\Windows\LSASS.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\REG.exe (PID 2536)
      Command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
      - Adds Run key to start application

    C:\Windows\SysWOW64\REG.exe (PID 2560)
      Command line: REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
      - Adds Run key to start application

    C:\Users\Admin\LSASS.exe (PID 884)
      Command line: "C:\Users\Admin\LSASS.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\REG.exe (PID 2748)
      Command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
      - Adds Run key to start application

    C:\Windows\SysWOW64\REG.exe (PID 2772)
      Command line: REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
      - Adds Run key to start application

    C:\Windows\SysWOW64\REG.exe (PID 1492)
      Command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
      - Adds Run key to start application

    C:\Windows\SysWOW64\REG.exe (PID 1900)
      Command line: REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
      - Adds Run key to start application

    C:\Windows\SysWOW64\REG.exe (PID 2900)
      Command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
      - Adds Run key to start application

    C:\Windows\SysWOW64\REG.exe (PID 2320)
      Command line: REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
      - Adds Run key to start application

  C:\Windows\SysWOW64\REG.exe (PID 2708)
    Command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\d98f926f3a2ea1308e2d80705591f91b_JC.exe" /f
    - Adds Run key to start application

  C:\Windows\SysWOW64\REG.exe (PID 2688)
    Command line: REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\d98f926f3a2ea1308e2d80705591f91b_JC.exe" /f
    - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 472KB
MD5: 6e94fc3df7e1d93481cd0ed1b2c937f3
SHA1: 3400d7106954fe59ee4aedbf893e1b51760e4da6
SHA256: d0951f70acad72dce56632f89427f38cbfd562c6e079c899e425578d9cb02b23
SHA512: 37b4d2a4c485e09c031f9c3f9a8d6d000afb66ac49087755d5a4abd688c2d4f50b07b099f1ab5c6eacfacdb1d60bf41ea8ec03822c7e675c7bcb658a9b26666f

Filesize: 472KB
MD5: 57ff21ad32f0700cdfb876244061675d
SHA1: 706ab68a1c68c13e2cbe450295fc77b59ca3f1c7
SHA256: 8f01201099772475a3a77245dc5391a6b1abb6c1766a01da1de2247375808808
SHA512: 5b6bb47c50e24d669735e39cbd51757e4d7fe5e4e3bb4b3793507e14180386470611452cc3ee0a4e5a78d100ae8181862571fc6873b98e6bc6c8564181c6553e

Filesize: 190B
MD5: b1445c7f646c6ca9a7597791af38d575
SHA1: 91efaf63fa1f7a51ee2f9b1c3b0f8932f15439ce
SHA256: 220517d50470c86d94020cebcd03af286898e65338f468dc5f860dc04af2c88e
SHA512: 533349278b6d186f0f3947681e90dcc7f617e146736798e6fc23e79d61610f1f7b2e4b4241b296884622fbd6b1cf73dc694a852e05bf4235da8ed40b70c5683f