87ba2978645a3425c63cb1b0ab5830357fcf71080e2fb982250300257e1e6ebe

Analysis

max time kernel
3s
max time network
19s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 22:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

06124cef4a32855eeb6e46d135329238.exe
Size

15KB
MD5

06124cef4a32855eeb6e46d135329238
SHA1

104bc1756b5afe2e4ddae886ee7c583e4631146a
SHA256

87ba2978645a3425c63cb1b0ab5830357fcf71080e2fb982250300257e1e6ebe
SHA512

1cd07b1d5d215360cc16389997498894336da7f696088df44a8ed15a41d7d02b39602c59f05c8199c45b8056293605e5fcde3814dab0f160df7c4ebb4ba3bc80
SSDEEP

384:ohoB/wEE8qmd00mJM0kPGDUdnPofWeyE1nrJ1Sh5MI0d:dZLqm8M0kPGDUFQfWet1n+MI

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
3036	06124cef4a32855eeb6e46d135329238.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\LotusHlp = "C:\\Windows\\LotusHlp.exe"	06124cef4a32855eeb6e46d135329238.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\LotusHlp.dll	06124cef4a32855eeb6e46d135329238.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\LotusHlp.exe	06124cef4a32855eeb6e46d135329238.exe
File opened for modification	C:\Windows\LotusHlp.exe	06124cef4a32855eeb6e46d135329238.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3036	06124cef4a32855eeb6e46d135329238.exe
3036	06124cef4a32855eeb6e46d135329238.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3036	06124cef4a32855eeb6e46d135329238.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 1264	3036	06124cef4a32855eeb6e46d135329238.exe	16
PID 3036 wrote to memory of 1264	3036	06124cef4a32855eeb6e46d135329238.exe	16

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1264
- C:\Users\Admin\AppData\Local\Temp\06124cef4a32855eeb6e46d135329238.exe
  "C:\Users\Admin\AppData\Local\Temp\06124cef4a32855eeb6e46d135329238.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\LotusHlp.dll

Filesize
26KB

MD5
8300e566ebb130528fe6ebb9fa160d98

SHA1
9a12e80f26c5c04a8547632a269fdd9fae40e75a

SHA256
ffacd7b254ce156bb807457138162e38636335388357d4bfecb9e2bc2bc354ce

SHA512
f1d913ec7cf806aa6dacbdfd2eeaa51634c8e66a39c897e415bdfd8b9394ad9c436b4c819a98721277b7eeb0211239ed6df16d7e8deb20d1ed55b512d9981d53

Download Submit
memory/1264-3-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/3036-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3036-11-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download