Analysis
max time kernel: 4s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-12-2023 22:48
Static task: static1
Behavioral task: behavioral1
  Sample: 06124cef4a32855eeb6e46d135329238.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 06124cef4a32855eeb6e46d135329238.exe
  Resource: win10v2004-20231215-en
General
Target: 06124cef4a32855eeb6e46d135329238.exe
Size: 15KB
MD5: 06124cef4a32855eeb6e46d135329238
SHA1: 104bc1756b5afe2e4ddae886ee7c583e4631146a
SHA256: 87ba2978645a3425c63cb1b0ab5830357fcf71080e2fb982250300257e1e6ebe
SHA512: 1cd07b1d5d215360cc16389997498894336da7f696088df44a8ed15a41d7d02b39602c59f05c8199c45b8056293605e5fcde3814dab0f160df7c4ebb4ba3bc80
SSDEEP: 384:ohoB/wEE8qmd00mJM0kPGDUdnPofWeyE1nrJ1Sh5MI0d:dZLqm8M0kPGDUFQfWet1n+MI
Malware Config
Signatures
Loads dropped DLL (1 IoC)
  pid 2376, process 06124cef4a32855eeb6e46d135329238.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LotusHlp = "C:\\Windows\\LotusHlp.exe" (process 06124cef4a32855eeb6e46d135329238.exe)
Drops file in System32 directory (1 IoC)
  File created: C:\Windows\SysWOW64\LotusHlp.dll (process 06124cef4a32855eeb6e46d135329238.exe)
Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\LotusHlp.exe (process 06124cef4a32855eeb6e46d135329238.exe)
  File opened for modification: C:\Windows\LotusHlp.exe (process 06124cef4a32855eeb6e46d135329238.exe)
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 2376, process 06124cef4a32855eeb6e46d135329238.exe (4 occurrences)
Suspicious use of SetWindowsHookEx (1 IoC)
  pid 2376, process 06124cef4a32855eeb6e46d135329238.exe
Suspicious use of WriteProcessMemory (2 IoCs)
  PID 2376 wrote to memory of 3528 (pid 2376, process 06124cef4a32855eeb6e46d135329238.exe, procid_target 45)
  PID 2376 wrote to memory of 3528 (pid 2376, process 06124cef4a32855eeb6e46d135329238.exe, procid_target 45)
Processes
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   PID: 3528
2. C:\Users\Admin\AppData\Local\Temp\06124cef4a32855eeb6e46d135329238.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\06124cef4a32855eeb6e46d135329238.exe"
   PID: 2376
   - Loads dropped DLL
   - Adds Run key to start application
   - Drops file in System32 directory
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 26KB
MD5: 8300e566ebb130528fe6ebb9fa160d98
SHA1: 9a12e80f26c5c04a8547632a269fdd9fae40e75a
SHA256: ffacd7b254ce156bb807457138162e38636335388357d4bfecb9e2bc2bc354ce
SHA512: f1d913ec7cf806aa6dacbdfd2eeaa51634c8e66a39c897e415bdfd8b9394ad9c436b4c819a98721277b7eeb0211239ed6df16d7e8deb20d1ed55b512d9981d53