715df0723fe28ce8ec37e9820591f3ab26fdd58859b984a6d77328626e1747d4

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 21:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1cedd10c9ff75b3a327d71bb48262e2c.exe
Size

284KB
MD5

1cedd10c9ff75b3a327d71bb48262e2c
SHA1

714ecbd82061ee7d79833d915736d7666111e761
SHA256

715df0723fe28ce8ec37e9820591f3ab26fdd58859b984a6d77328626e1747d4
SHA512

0cd74cbf82c4307f706e17acd912a3f673be7d137fe9e91d18aae6a25c4cb93bd2af2dce1feb919a8e1cbc4e0b2434a7153ce04b2fb38e7d59daf272afd8928d
SSDEEP

6144:6Zbf+b1vZSEyRlsblGulpn24/Zbf+b1UZ:2YnyeEulJ24FP

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
1996	smss.exe
2248	1cedd10c9ff75b3a327d71bb48262e2c.exe.log
2552	lsass.exe
2676	smss.exe
2704	smss.exe
2564	smss.exe
2472	lsass.exe
1644	1cedd10c9ff75b3a327d71bb48262e2c.exe
2460	smss.exe
2568	smss.exe

Loads dropped DLL 20 IoCs

pid	Process
1748	1cedd10c9ff75b3a327d71bb48262e2c.exe
1748	1cedd10c9ff75b3a327d71bb48262e2c.exe
1748	1cedd10c9ff75b3a327d71bb48262e2c.exe
1748	1cedd10c9ff75b3a327d71bb48262e2c.exe
2248	1cedd10c9ff75b3a327d71bb48262e2c.exe.log
2248	1cedd10c9ff75b3a327d71bb48262e2c.exe.log
2248	1cedd10c9ff75b3a327d71bb48262e2c.exe.log
2248	1cedd10c9ff75b3a327d71bb48262e2c.exe.log
2552	lsass.exe
2552	lsass.exe
2552	lsass.exe
2552	lsass.exe
2248	1cedd10c9ff75b3a327d71bb48262e2c.exe.log
2248	1cedd10c9ff75b3a327d71bb48262e2c.exe.log
2248	1cedd10c9ff75b3a327d71bb48262e2c.exe.log
2248	1cedd10c9ff75b3a327d71bb48262e2c.exe.log
2552	lsass.exe
2552	lsass.exe
2552	lsass.exe
2552	lsass.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	lsass.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	\??\E:\AUTORUN.INF	lsass.exe
File opened for modification	C:\AUTORUN.INF	lsass.exe
File created	C:\AUTORUN.INF	lsass.exe
File opened for modification	D:\AUTORUN.INF	lsass.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\com\smss.exe	1cedd10c9ff75b3a327d71bb48262e2c.exe
File created	C:\Windows\SysWOW64\com\lsass.exe	1cedd10c9ff75b3a327d71bb48262e2c.exe.log
File opened for modification	C:\Windows\SysWOW64\com\smss.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\com\smss.exe	lsass.exe
File created	C:\Windows\SysWOW64\com\smss.exe	lsass.exe
File created	C:\Windows\SysWOW64\com\smss.exe	1cedd10c9ff75b3a327d71bb48262e2c.exe
File opened for modification	C:\Windows\SysWOW64\com\smss.exe	1cedd10c9ff75b3a327d71bb48262e2c.exe.log
File created	C:\Windows\SysWOW64\com\smss.exe	1cedd10c9ff75b3a327d71bb48262e2c.exe.log
File created	C:\Windows\SysWOW64\com\smss.exe	lsass.exe

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1644	1cedd10c9ff75b3a327d71bb48262e2c.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1644	1cedd10c9ff75b3a327d71bb48262e2c.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1748	1cedd10c9ff75b3a327d71bb48262e2c.exe
1748	1cedd10c9ff75b3a327d71bb48262e2c.exe
2248	1cedd10c9ff75b3a327d71bb48262e2c.exe.log
2248	1cedd10c9ff75b3a327d71bb48262e2c.exe.log
2552	lsass.exe
2552	lsass.exe
2472	lsass.exe
2472	lsass.exe
1644	1cedd10c9ff75b3a327d71bb48262e2c.exe
1644	1cedd10c9ff75b3a327d71bb48262e2c.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 1996	1748	1cedd10c9ff75b3a327d71bb48262e2c.exe	28
PID 1748 wrote to memory of 1996	1748	1cedd10c9ff75b3a327d71bb48262e2c.exe	28
PID 1748 wrote to memory of 1996	1748	1cedd10c9ff75b3a327d71bb48262e2c.exe	28
PID 1748 wrote to memory of 1996	1748	1cedd10c9ff75b3a327d71bb48262e2c.exe	28
PID 1748 wrote to memory of 2248	1748	1cedd10c9ff75b3a327d71bb48262e2c.exe	29
PID 1748 wrote to memory of 2248	1748	1cedd10c9ff75b3a327d71bb48262e2c.exe	29
PID 1748 wrote to memory of 2248	1748	1cedd10c9ff75b3a327d71bb48262e2c.exe	29
PID 1748 wrote to memory of 2248	1748	1cedd10c9ff75b3a327d71bb48262e2c.exe	29
PID 2248 wrote to memory of 2552	2248	1cedd10c9ff75b3a327d71bb48262e2c.exe.log	30
PID 2248 wrote to memory of 2552	2248	1cedd10c9ff75b3a327d71bb48262e2c.exe.log	30
PID 2248 wrote to memory of 2552	2248	1cedd10c9ff75b3a327d71bb48262e2c.exe.log	30
PID 2248 wrote to memory of 2552	2248	1cedd10c9ff75b3a327d71bb48262e2c.exe.log	30
PID 2248 wrote to memory of 2676	2248	1cedd10c9ff75b3a327d71bb48262e2c.exe.log	31
PID 2248 wrote to memory of 2676	2248	1cedd10c9ff75b3a327d71bb48262e2c.exe.log	31
PID 2248 wrote to memory of 2676	2248	1cedd10c9ff75b3a327d71bb48262e2c.exe.log	31
PID 2248 wrote to memory of 2676	2248	1cedd10c9ff75b3a327d71bb48262e2c.exe.log	31
PID 2552 wrote to memory of 2564	2552	lsass.exe	32
PID 2552 wrote to memory of 2564	2552	lsass.exe	32
PID 2552 wrote to memory of 2564	2552	lsass.exe	32
PID 2552 wrote to memory of 2564	2552	lsass.exe	32
PID 2552 wrote to memory of 2704	2552	lsass.exe	34
PID 2552 wrote to memory of 2704	2552	lsass.exe	34
PID 2552 wrote to memory of 2704	2552	lsass.exe	34
PID 2552 wrote to memory of 2704	2552	lsass.exe	34
PID 2248 wrote to memory of 1644	2248	1cedd10c9ff75b3a327d71bb48262e2c.exe.log	33
PID 2248 wrote to memory of 1644	2248	1cedd10c9ff75b3a327d71bb48262e2c.exe.log	33
PID 2248 wrote to memory of 1644	2248	1cedd10c9ff75b3a327d71bb48262e2c.exe.log	33
PID 2248 wrote to memory of 1644	2248	1cedd10c9ff75b3a327d71bb48262e2c.exe.log	33
PID 2248 wrote to memory of 2472	2248	1cedd10c9ff75b3a327d71bb48262e2c.exe.log	36
PID 2248 wrote to memory of 2472	2248	1cedd10c9ff75b3a327d71bb48262e2c.exe.log	36
PID 2248 wrote to memory of 2472	2248	1cedd10c9ff75b3a327d71bb48262e2c.exe.log	36
PID 2248 wrote to memory of 2472	2248	1cedd10c9ff75b3a327d71bb48262e2c.exe.log	36
PID 2552 wrote to memory of 2460	2552	lsass.exe	35
PID 2552 wrote to memory of 2460	2552	lsass.exe	35
PID 2552 wrote to memory of 2460	2552	lsass.exe	35
PID 2552 wrote to memory of 2460	2552	lsass.exe	35
PID 2552 wrote to memory of 2568	2552	lsass.exe	37
PID 2552 wrote to memory of 2568	2552	lsass.exe	37
PID 2552 wrote to memory of 2568	2552	lsass.exe	37
PID 2552 wrote to memory of 2568	2552	lsass.exe	37
PID 2552 wrote to memory of 2944	2552	lsass.exe	38
PID 2552 wrote to memory of 2944	2552	lsass.exe	38
PID 2552 wrote to memory of 2944	2552	lsass.exe	38
PID 2552 wrote to memory of 2944	2552	lsass.exe	38
PID 2944 wrote to memory of 1880	2944	cmd.exe	40
PID 2944 wrote to memory of 1880	2944	cmd.exe	40
PID 2944 wrote to memory of 1880	2944	cmd.exe	40
PID 2944 wrote to memory of 1880	2944	cmd.exe	40
PID 1880 wrote to memory of 2804	1880	net.exe	41
PID 1880 wrote to memory of 2804	1880	net.exe	41
PID 1880 wrote to memory of 2804	1880	net.exe	41
PID 1880 wrote to memory of 2804	1880	net.exe	41

C:\Users\Admin\AppData\Local\Temp\1cedd10c9ff75b3a327d71bb48262e2c.exe
"C:\Users\Admin\AppData\Local\Temp\1cedd10c9ff75b3a327d71bb48262e2c.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Windows\SysWOW64\com\smss.exe
  c:\users\admin\appdata\local\temp\1cedd10c9ff75b3a327d71bb48262e2c.exe|c:\users\admin\appdata\local\temp\1cedd10c9ff75b3a327d71bb48262e2c.exe.log
  2⤵
  - Executes dropped EXE
  PID:1996
- \??\c:\users\admin\appdata\local\temp\1cedd10c9ff75b3a327d71bb48262e2c.exe.log
  "c:\users\admin\appdata\local\temp\1cedd10c9ff75b3a327d71bb48262e2c.exe.log"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\SysWOW64\com\lsass.exe
    "C:\Windows\system32\com\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Windows\SysWOW64\com\smss.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
      4⤵
      Executes dropped EXE
      PID:2564
  - - C:\Windows\SysWOW64\com\smss.exe
      C:\Windows\system32\com\lsass.exe|C:\pagefile.pif
      4⤵
      Executes dropped EXE
      PID:2704
  - - C:\Windows\SysWOW64\com\smss.exe
      C:\Windows\system32\com\lsass.exe|D:\pagefile.pif
      4⤵
      Executes dropped EXE
      PID:2460
  - - C:\Windows\SysWOW64\com\smss.exe
      C:\Windows\system32\com\lsass.exe|E:\pagefile.pif
      4⤵
      Executes dropped EXE
      PID:2568
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c net share
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2944
    - - C:\Windows\SysWOW64\net.exe
        
        net share
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1880
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 share
        6⤵
        
        PID:2804
- - C:\Windows\SysWOW64\com\smss.exe
    c:\users\admin\appdata\local\temp\1cedd10c9ff75b3a327d71bb48262e2c.~|c:\users\admin\appdata\local\temp\1cedd10c9ff75b3a327d71bb48262e2c.exe
    3⤵
    - Executes dropped EXE
    PID:2676
- - \??\c:\users\admin\appdata\local\temp\1cedd10c9ff75b3a327d71bb48262e2c.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:1644
- - C:\Windows\SysWOW64\com\lsass.exe
    ^c:\users\admin\appdata\local\temp\1cedd10c9ff75b3a327d71bb48262e2c.exe.log
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\users\admin\appdata\local\temp\1cedd10c9ff75b3a327d71bb48262e2c.~

Filesize
148KB

MD5
4f59edd99568b5b510ca53699d1d4fd4

SHA1
5fbc27f5184b0617ef1e55e94a8b702d1ccd39f9

SHA256
b3248c737839df25f681742ed072f9413963c40e92671596f9891c72f31df109

SHA512
96c67c8e54aef0bc92bdacd98d9f9c009617d16d47bfc9bb04a1c7dcdf6b2c851e68672728315bcfd17daf488694103816a85d15c344e86f3002ab4a1395f3d8

Download Submit
\Users\Admin\AppData\Local\Temp\1cedd10c9ff75b3a327d71bb48262e2c.exe.log

Filesize
284KB

MD5
1cedd10c9ff75b3a327d71bb48262e2c

SHA1
714ecbd82061ee7d79833d915736d7666111e761

SHA256
715df0723fe28ce8ec37e9820591f3ab26fdd58859b984a6d77328626e1747d4

SHA512
0cd74cbf82c4307f706e17acd912a3f673be7d137fe9e91d18aae6a25c4cb93bd2af2dce1feb919a8e1cbc4e0b2434a7153ce04b2fb38e7d59daf272afd8928d

Download Submit
\Users\Admin\AppData\Local\Temp\1cedd10c9ff75b3a327d71bb48262e2c.exe.log

Filesize
214KB

MD5
6076eaa1734c49f3686c94ecf60a3214

SHA1
8fde39a1cb5626552c46f6b588c3685417bd933b

SHA256
4083334b9c60139bef1c2d1a605b95153ab64b9d70fa04ee87aa2267491339db

SHA512
e2e17535b554c400d5210a3614f4b6a3507f2890777881749d0fab403595b57d8e30c277c44892b2d8c3f38400d6339b09f0fc74d7a76405401b6cd498c497e3

Download Submit
\Windows\SysWOW64\com\lsass.exe

Filesize
68KB

MD5
7eb06e92a5ffc66fdb601a5043f293bd

SHA1
1cc49227dca4bd2ce7d6177e2f45de623114f65a

SHA256
166ee958289cc5e3cd1899b95d04eb190e2cfb2f577d283c94504f94224d5180

SHA512
0659f39902c3f78eacc1a18c34db365532acb59e76c76e202bae4f72c2382fd13bf70e67ed233c4363f4d1cc1cb8ee3b8bde79fb19760bce51810dd00ea39175

Download Submit
\Windows\SysWOW64\com\smss.exe

Filesize
9KB

MD5
90ab7c7ab34313bebf11394e8d0e83c0

SHA1
6aa1cd9620e82f9b5f5d53797bd9895340a63f92

SHA256
314b0d724385fab8147182367ca1f43bae22a4dcab1a88b3d2885b7af1545ad3

SHA512
46663f89b50f11e614b695dc80f666d5ec8f469ecbf159ea097cf6cfdcc7d7b5de8bfadd5a87d006b62349474cd69c9074efdeb262a06cf27c67415775f726ae

Download Submit
memory/1996-9-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2460-53-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2564-58-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2568-57-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2676-29-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2704-43-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads