e05273d47b94ed4314394c0f861d1b91d345656aa5ba8fb4efc528f2e1ab57d6

Analysis

max time kernel
140s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c67bdec0044352c877a585b4a4f5774.exe
Size

3.1MB
MD5

6c67bdec0044352c877a585b4a4f5774
SHA1

36ebc891e438fb2c65b00f61fbccf6b49ef3659f
SHA256

e05273d47b94ed4314394c0f861d1b91d345656aa5ba8fb4efc528f2e1ab57d6
SHA512

dfcf90eba7f4048603b4d3cd4404692c3703a7c1fddc39375ad311de0ee80cc61b093fe0bed66c423f363018cc341dfabf44fed60046eeb2ff75df3fed9937b7
SSDEEP

49152:O9fthFA9eOU75nADnIIXvqpY2qyL8vKBhRYBXIlJBQamuiQVlkH1b8LUVW:otvO+Vr2vqRL8iBzY6lTCVIlk8IW

Score

7^/10

Malware Config

Signatures

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe	6c67bdec0044352c877a585b4a4f5774.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe	6c67bdec0044352c877a585b4a4f5774.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe	lsass.exe

Executes dropped EXE 1 IoCs

pid	Process
2752	lsass.exe

Loads dropped DLL 2 IoCs

pid	Process
3012	6c67bdec0044352c877a585b4a4f5774.exe
3012	6c67bdec0044352c877a585b4a4f5774.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2752	3012	6c67bdec0044352c877a585b4a4f5774.exe	28
PID 3012 wrote to memory of 2752	3012	6c67bdec0044352c877a585b4a4f5774.exe	28
PID 3012 wrote to memory of 2752	3012	6c67bdec0044352c877a585b4a4f5774.exe	28
PID 3012 wrote to memory of 2752	3012	6c67bdec0044352c877a585b4a4f5774.exe	28

C:\Users\Admin\AppData\Local\Temp\6c67bdec0044352c877a585b4a4f5774.exe
"C:\Users\Admin\AppData\Local\Temp\6c67bdec0044352c877a585b4a4f5774.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe

Filesize
1.6MB

MD5
5fd6470f48224a4de16550d4a839a07f

SHA1
7288bf804cb5483cf3c7b24e1e7f31e897e51b3b

SHA256
045821b3c8b4c4139ec0e446562d1198b49f6b5a3cb25b195738679bca1870b7

SHA512
4e3bd1a47d2fdecd44aa1432bee45f477196474cddbca4d62a117c7933a382ca452bcb9a9b34398fe569bfa08a79f6424022c4975f8909616331ff96c377dab4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe

Filesize
3.1MB

MD5
6c67bdec0044352c877a585b4a4f5774

SHA1
36ebc891e438fb2c65b00f61fbccf6b49ef3659f

SHA256
e05273d47b94ed4314394c0f861d1b91d345656aa5ba8fb4efc528f2e1ab57d6

SHA512
dfcf90eba7f4048603b4d3cd4404692c3703a7c1fddc39375ad311de0ee80cc61b093fe0bed66c423f363018cc341dfabf44fed60046eeb2ff75df3fed9937b7

Download Submit
memory/2752-11-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3012-9-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download