2e95e13d097a54114acba1c0848613df559ec8c8e89c6e73949160beaa0bab37

General

Target

05664cb3771cde9654639248e54ace9f.exe
Size

529KB
MD5

05664cb3771cde9654639248e54ace9f
SHA1

01a9240d23d725ce5558cdc0863d4721a9642a31
SHA256

2e95e13d097a54114acba1c0848613df559ec8c8e89c6e73949160beaa0bab37
SHA512

bba35003325fa6a0abb4fea209a2188ff4c211c08876e07fe7db7e2b0f1f72df6b6f1041aac2f3a11ddd7958b9e3db5e21af66c6b658a47882e02df528dab0ed
SSDEEP

6144:AcFNz2bzRiJeNU6cue6lwQgsefK8wNqPDefKM11FK1idJ:AcKzRiwN5cueAng33vbefKsKidJ

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	05664cb3771cde9654639248e54ace9f.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
688	netsh.exe

Executes dropped EXE 2 IoCs

pid	Process
3364	lsass.exe
2748	lsass.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/724-0-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral2/memory/724-5-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral2/files/0x0008000000023120-13.dat	upx
behavioral2/memory/3364-15-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral2/files/0x0008000000023120-12.dat	upx
behavioral2/memory/3364-22-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral2/files/0x0008000000023120-20.dat	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	05664cb3771cde9654639248e54ace9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	05664cb3771cde9654639248e54ace9f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	lsass.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 724 set thread context of 4956	724	05664cb3771cde9654639248e54ace9f.exe	91
PID 3364 set thread context of 2748	3364	lsass.exe	96

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
724	05664cb3771cde9654639248e54ace9f.exe
4956	05664cb3771cde9654639248e54ace9f.exe
3364	lsass.exe
2748	lsass.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 724 wrote to memory of 4956	724	05664cb3771cde9654639248e54ace9f.exe	91
PID 724 wrote to memory of 4956	724	05664cb3771cde9654639248e54ace9f.exe	91
PID 724 wrote to memory of 4956	724	05664cb3771cde9654639248e54ace9f.exe	91
PID 724 wrote to memory of 4956	724	05664cb3771cde9654639248e54ace9f.exe	91
PID 724 wrote to memory of 4956	724	05664cb3771cde9654639248e54ace9f.exe	91
PID 724 wrote to memory of 4956	724	05664cb3771cde9654639248e54ace9f.exe	91
PID 724 wrote to memory of 4956	724	05664cb3771cde9654639248e54ace9f.exe	91
PID 724 wrote to memory of 4956	724	05664cb3771cde9654639248e54ace9f.exe	91
PID 4956 wrote to memory of 688	4956	05664cb3771cde9654639248e54ace9f.exe	95
PID 4956 wrote to memory of 688	4956	05664cb3771cde9654639248e54ace9f.exe	95
PID 4956 wrote to memory of 688	4956	05664cb3771cde9654639248e54ace9f.exe	95
PID 4956 wrote to memory of 3364	4956	05664cb3771cde9654639248e54ace9f.exe	94
PID 4956 wrote to memory of 3364	4956	05664cb3771cde9654639248e54ace9f.exe	94
PID 4956 wrote to memory of 3364	4956	05664cb3771cde9654639248e54ace9f.exe	94
PID 3364 wrote to memory of 2748	3364	lsass.exe	96
PID 3364 wrote to memory of 2748	3364	lsass.exe	96
PID 3364 wrote to memory of 2748	3364	lsass.exe	96
PID 3364 wrote to memory of 2748	3364	lsass.exe	96
PID 3364 wrote to memory of 2748	3364	lsass.exe	96
PID 3364 wrote to memory of 2748	3364	lsass.exe	96
PID 3364 wrote to memory of 2748	3364	lsass.exe	96
PID 3364 wrote to memory of 2748	3364	lsass.exe	96

C:\Users\Admin\AppData\Local\Temp\05664cb3771cde9654639248e54ace9f.exe
"C:\Users\Admin\AppData\Local\Temp\05664cb3771cde9654639248e54ace9f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:724
- C:\Users\Admin\AppData\Local\Temp\05664cb3771cde9654639248e54ace9f.exe
  "C:\Users\Admin\AppData\Local\Temp\05664cb3771cde9654639248e54ace9f.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Users\Admin\AppData\Roaming\lsass.exe
    /d C:\Users\Admin\AppData\Local\Temp\05664cb3771cde9654639248e54ace9f.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3364
  - - C:\Users\Admin\AppData\Roaming\lsass.exe
      "C:\Users\Admin\AppData\Roaming\lsass.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetWindowsHookEx
      PID:2748
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\lsass.exe" CityScape Enable
    3⤵
    - Modifies Windows Firewall
    PID:688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\lsass.exe

Filesize
382KB

MD5
44aa99df81a6e0bbd558f13307de3e7d

SHA1
3310837e5bc0d4fb876645adef8f39dbc3cc57e7

SHA256
289dff15f4f921c4b3a599c5ce243cec95b4a9986ef0b8902f695356a9695332

SHA512
10065ff45b8edced517f22e9e565a74cb90f34e48e768618598b5bbd2547cdfda47ba90f8d0deb596fffe7b6fc2dff8d3ce70fc0baf8b8f002a19a17b578f021

Download Submit
C:\Users\Admin\AppData\Roaming\lsass.exe

Filesize
381KB

MD5
685f6a4e2b56161237a9be392c1f7d33

SHA1
b5767381416738c69e3349e8a9f1203e3ecf9f44

SHA256
be6d5b515de397ac882848e097efb5088a0669926ecd58810ac3ddf2aae8fa62

SHA512
a9de630b8941ab18fd13ea9f4e89c251f0091af900e042fed9f2ea4c5414258eae247e4dcac84379959e627341fa67eeb781e5deabba39115da4df5c8c324dcc

Download Submit
C:\Users\Admin\AppData\Roaming\lsass.exe

Filesize
92KB

MD5
dd73c7f8c1ca78a426b7cba7fc188eec

SHA1
c0fbf197151017d418f10286a7d9dc4c4b94f6c7

SHA256
785bea094f7318baf21ecd8cc530e0d58d8cef29a5ba98dde393ce2e3f42bc8c

SHA512
f3455812350e3bd5ced5088922cd491cc39ad94a18d33c0786ff048d9b6624e2862ebb6889078766d5e30ac99f8a39948ab3466bced58c5525401da74e5241b7

Download Submit
memory/724-0-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/724-5-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2748-28-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2748-26-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2748-27-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2748-31-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2748-32-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2748-34-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2748-36-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2748-37-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3364-15-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3364-22-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4956-17-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4956-3-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4956-6-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads