Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-12-2023 02:43
Behavioral tasks (the same sample was run on three images; this page is the behavioral2 run, resource win10v2004-20231127-en)
- behavioral1: Lammer.exe on win10-20231020-en
- behavioral2: Lammer.exe on win10v2004-20231127-en
- behavioral3: Lammer.exe on win11-20231128-en
General
Target: Lammer.exe
Size: 23KB
MD5: d0c2d069ebad310d330724ecb8c34383
SHA1: 948c7dac951630a93d1d50cdc18a785a66bde4f3
SHA256: 33e10bdcff6ab52e473ffeff0c0a853fd8786c3c26b896a05b7091fbcccb9555
SHA512: 5ca77dad6ef30a5fc7031819f9d1311ec8f168c94c5678a712c8aeb82bf7101b85824a5f1e7b96ecc2746cf50f56e0c0d6c80a0ab471a67a4744b4015bcb075b
SSDEEP: 384:JluBPiZCMfdfSJrQbsLRGSIxYVL46pg/i8BD9BmRvR6JZlbw8hqIusZzZoT:+OmhtIiRpcnuZ
Malware Config (no entries: the sandbox extracted no configuration from this sample)
Signatures

- Modifies Windows Firewall (1 TTP, 1 IoC)
  Triggered by the netsh.exe child listed under Processes: the sample adds itself to the firewall's allowed-program list. It uses the legacy "netsh firewall" context, which has been deprecated in favour of "netsh advfirewall" since Windows Vista but is still accepted (with a deprecation notice) on Windows 10.

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: Lammer.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\277e7c3302a3fa2bce6fdf09291934dd = "C:\Users\Admin\AppData\Local\Temp\Lammer.exe" ..
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\277e7c3302a3fa2bce6fdf09291934dd = "C:\Users\Admin\AppData\Local\Temp\Lammer.exe" ..
  The same 32-hex-character value name is written to both the per-user Run key and the machine-wide one. The WOW6432Node path is the registry-redirected view of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run that a 32-bit process gets on 64-bit Windows, and writing to it requires administrative rights. The persisted command line keeps the trailing ".." argument and points at the original drop location under %LOCALAPPDATA%\Temp, so the file must stay there for the autostart to work; a cleanup that deletes the file but not the value leaves a dangling Run entry that still identifies the value name.

- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  No network indicators are shown for this run (the Network section below is empty), so nothing on this page backs this signature with an observed connection.

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Process: Lammer.exe (PID 3340). All 64 process-enumeration events come from this single PID.

- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Process: Lammer.exe (PID 3340)
  Token: SeDebugPrivilege (once), followed by 17 alternating pairs of Token: 33 and Token: SeIncBasePriorityPrivilege.
  The sandbox shows privilege 33 by LUID rather than name; LUID 33 is SeIncreaseWorkingSetPrivilege. The notable one is SeDebugPrivilege: it is what a process enables in order to open processes it would otherwise be denied, and it fits the process enumeration above.

- Suspicious use of WriteProcessMemory (3 IoCs)
  Process: Lammer.exe (PID 3340) wrote to the memory of PID 2720 (netsh.exe) three times.
  Caveat: PID 2720 is the sample's own child. A parent writing into a process it has just created is part of normal CreateProcess start-up (the parent writes the child's process parameters into it), so on its own this is not evidence of injection into an unrelated process; it only becomes interesting if the target is a process the sample did not spawn.
Processes
1. C:\Users\Admin\AppData\Local\Temp\Lammer.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Lammer.exe"
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\netsh.exe (child of 1)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Lammer.exe" "Lammer.exe" ENABLE
      - Modifies Windows Firewall
The child is the SysWOW64 copy of netsh.exe, which is what a 32-bit parent gets when it launches netsh on 64-bit Windows; together with the WOW6432Node registry write and the arch:x86 resource tag this shows the sample itself is a 32-bit binary. The firewall rule is the sample's only child process and is what will expose it on the network: an allowed-program entry named "Lammer.exe" pointing into a user's Temp directory is a high-signal artifact to hunt for on other hosts.
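The two observations above (a Run-key value pointing into a staging directory, then the same binary added as a firewall allowed program by a child netsh.exe) are a pattern worth detecting together rather than as two unrelated alerts. The following is an added example written for this page, not code from the sandbox or the sample: it runs simple detection logic over constructed Sysmon-style events that mirror the report's IoCs (PIDs, paths and key names are taken from the report; two benign control events are made up). The event field names ("type", "target", "details", "command_line", "parent_pid") are assumptions and should be mapped onto whatever your EDR or Sysmon pipeline actually emits. It goes beyond the report in also matching the newer "netsh advfirewall firewall add rule" form and other common staging directories.

```python
"""Hunt for Run-key persistence from a staging directory paired with a netsh
firewall exception for the same binary.  Added example, not sandbox code."""
import re
from dataclasses import dataclass

# Any value directly under a CurrentVersion\Run key (HKCU, HKLM, or the WOW6432Node view).
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.IGNORECASE)

# Directories a normal installer does not persist from; the sample lives in the first one.
STAGING_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\users\\public\\",
    "\\programdata\\",
)

# Legacy "netsh firewall" context (what the sample used) and its advfirewall successor.
NETSH_FW_RE = re.compile(
    r"\bnetsh(?:\.exe)?\b.*\b(?:firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)\b",
    re.IGNORECASE,
)

# First drive-letter path ending in .exe, quoted or not.
EXE_PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.exe)"?', re.IGNORECASE)


@dataclass
class Finding:
    severity: str
    pid: int
    reason: str
    path: str


def first_exe_path(text: str) -> str:
    """Lower-cased first .exe path in a command line or registry value ('' if none)."""
    m = EXE_PATH_RE.search(text)
    return m.group(1).lower() if m else ""


def in_staging_dir(path: str) -> bool:
    return any(d in path.lower() for d in STAGING_DIRS)


def analyze(events: list[dict]) -> list[Finding]:
    findings: list[Finding] = []
    persisted: dict[int, set[str]] = {}  # pid -> exe paths that pid wrote into a Run key

    # Pass 1: Run-key writes.  Collected first so event order does not matter.
    for ev in events:
        if ev["type"] != "registry_set" or not RUN_KEY_RE.search(ev["target"]):
            continue
        exe = first_exe_path(ev["details"])
        if exe and in_staging_dir(exe):
            persisted.setdefault(ev["pid"], set()).add(exe)
            findings.append(Finding("medium", ev["pid"],
                                    f"Run key value {ev['target']} points into a staging directory", exe))

    # Pass 2: firewall exceptions, escalated when the parent persisted the same binary.
    for ev in events:
        if ev["type"] != "process_create" or not NETSH_FW_RE.search(ev["command_line"]):
            continue
        allowed = first_exe_path(ev["command_line"])
        if allowed in persisted.get(ev.get("parent_pid"), set()):
            findings.append(Finding("high", ev["pid"],
                                    "firewall exception for a binary the parent process persisted via a Run key",
                                    allowed))
        else:
            findings.append(Finding("medium" if in_staging_dir(allowed) else "low", ev["pid"],
                                    "firewall exception added via netsh", allowed))
    return findings


# Constructed events modelled on the report's IoCs, plus two benign controls.
SAMPLE_EVENTS = [
    {"type": "registry_set", "pid": 3340,
     "target": r"HKU\S-1-5-21-2037190880-819243489-950462038-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\277e7c3302a3fa2bce6fdf09291934dd",
     "details": r'"C:\Users\Admin\AppData\Local\Temp\Lammer.exe" ..'},
    {"type": "registry_set", "pid": 3340,
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\277e7c3302a3fa2bce6fdf09291934dd",
     "details": r'"C:\Users\Admin\AppData\Local\Temp\Lammer.exe" ..'},
    {"type": "process_create", "pid": 2720, "parent_pid": 3340,
     "image": r"C:\Windows\SysWOW64\netsh.exe",
     "command_line": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Lammer.exe" "Lammer.exe" ENABLE'},
    # Benign controls (made up): a vendor updater persisting from Program Files, an unrelated netsh call.
    {"type": "registry_set", "pid": 4100,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "details": r'"C:\Program Files\Vendor\Updater.exe" /background'},
    {"type": "process_create", "pid": 5012, "parent_pid": 800,
     "image": r"C:\Windows\System32\netsh.exe",
     "command_line": "netsh interface show interface"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity}] pid {f.pid}: {f.reason} -> {f.path}")
```

Run stand-alone it reports the two Run-key writes from PID 3340 as medium and the netsh call from PID 2720 as high, because its parent is the PID that persisted the same path; the Program Files updater and the unrelated netsh invocation produce nothing. The two-pass structure is deliberate: on a real host the registry and process events may arrive in either order, and joining on parent PID is what turns two medium-confidence signals into one confident detection.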
Network (no entries recorded for this run)
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
The Registry Run Keys mapping corresponds directly to the two Run-key writes above. No service creation appears anywhere in the process or registry IoCs on this page, so treat the Windows Service entry as the sandbox's technique mapping rather than as an observed service.
Downloads (memory dumps of PID 3340)
- memory/3340-0: 0x0000000075410000-0x00000000759C1000, 5.7MB
- memory/3340-1: 0x0000000075410000-0x00000000759C1000, 5.7MB
- memory/3340-2: 0x0000000001240000-0x0000000001250000, 64KB
- memory/3340-3: 0x0000000075410000-0x00000000759C1000, 5.7MB
- memory/3340-4: 0x0000000075410000-0x00000000759C1000, 5.7MB
- memory/3340-5: 0x0000000001240000-0x0000000001250000, 64KB
- memory/3340-6: 0x0000000001240000-0x0000000001250000, 64KB
- memory/3340-7: 0x0000000001240000-0x0000000001250000, 64KB
Only two distinct regions were captured, each four times: a 5.7MB range at 0x75410000 and a 64KB range at 0x01240000. The 5.7MB region is far larger than the 23KB sample, so it is not the sample's own image; the small low-address region is the better starting point when looking for decoded strings or configuration, and comparing the repeated dumps of it shows whether its contents changed during the run.