Analysis
- max time kernel: 141s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 31/12/2023, 14:03
Static task: static1
Behavioral task: behavioral1
  Sample: 39138f5e46859b22773c478d6e66860f.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 39138f5e46859b22773c478d6e66860f.exe
  Resource: win10v2004-20231222-en
General
- Target: 39138f5e46859b22773c478d6e66860f.exe
- Size: 311KB
- MD5: 39138f5e46859b22773c478d6e66860f
- SHA1: deb1cefdbfb3db5566f4cf179f42e611a7da8603
- SHA256: 68cfb3456fe856e99449354268b7e63c4255249c174a63361643aa57400c73ec
- SHA512: b05aa449ebc610e477b4e5641a91ff3c73f89195cc939a7e491fe32a0a57bf43a29ef8a3e549814f82c8cf38d959e67409051209a16727c2d1322bf485ddd952
- SSDEEP: 6144:2RL59axiy59ITq/MFUMK4wBgFb1TLdXDiEuiBJYJaH5t:2H9aH59jFMvwmb1TLwEIof
Malware Config
Signatures
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run (process: 39138f5e46859b22773c478d6e66860f.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\lsass = "C:\\Windows\\lsass.exe" (process: 39138f5e46859b22773c478d6e66860f.exe)
  Note: this is the Explorer policy Run key, which Explorer processes at logon like the ordinary CurrentVersion\Run key. Both the value name "lsass" and the target path C:\Windows\lsass.exe mimic the genuine LSASS binary, which lives only in C:\Windows\System32.
- Executes dropped EXE (1 IoC)
  PID 1320: lsass.exe
- Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\lsass.exe (process: 39138f5e46859b22773c478d6e66860f.exe)
  File opened for modification: C:\Windows\lsass.exe (process: 39138f5e46859b22773c478d6e66860f.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Gathers network information (2 TTPs, 1 IoC)
  Uses command-line utility to view network configuration.
  PID 2632: ipconfig.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2244 (39138f5e46859b22773c478d6e66860f.exe) wrote to memory of PID 1320, 4 times (procid_target 16)
  PID 1320 (lsass.exe) wrote to memory of PID 2632, 4 times (procid_target 30)
  Note: every write targets the writer's own newly spawned child (see the process tree). That pattern is consistent with ordinary process creation, where the parent writes the child's startup data into it, as well as with injection, so on its own this signature does not establish that code was injected.
Processes
- C:\Users\Admin\AppData\Local\Temp\39138f5e46859b22773c478d6e66860f.exe (PID 2244)
  command line: "C:\Users\Admin\AppData\Local\Temp\39138f5e46859b22773c478d6e66860f.exe"
  - Adds policy Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\lsass.exe (PID 1320)
    command line: "C:\Windows\lsass.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\ipconfig.exe (PID 2632)
      command line: "C:\Windows\System32\ipconfig.exe" /flushdns
      - Gathers network information
  Note: the command line asks for System32\ipconfig.exe but the image that ran is SysWOW64\ipconfig.exe. That is WOW64 file-system redirection, so the dropped lsass.exe is a 32-bit process; a hunt for this chain should match on the image path rather than the command line.
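A hunting check for the chain recorded above, added here as an example and not part of the sandbox report. It replays Sysmon-style events constructed to mirror the report's IoCs (the event field names, the wininit.exe control event and its PIDs are assumptions) and flags three things the report shows: a value written under Policies\Explorer\Run, a file or process that carries the lsass.exe name outside C:\Windows\System32, and any process spawned by such a look-alike.

```python
"""Flag Policies\\Explorer\\Run persistence and lsass.exe masquerading in event data.

Added example for this page, not sandbox output. Field names are assumptions
modelled on Sysmon; the events below are constructed from the report's IoCs.
"""
import re
from typing import Dict, Iterable, List

# Analyst-maintained map of where a binary of this name legitimately lives
# (assumption: only lsass.exe is needed for this sample; extend as required).
EXPECTED_LOCATION: Dict[str, str] = {
    "lsass.exe": r"c:\windows\system32",
}

# Triage prints keys in native form (\REGISTRY\MACHINE\...), Sysmon prints
# HKLM\...; strip either hive prefix so one pattern covers both.
_HIVE_PREFIX_RE = re.compile(
    r"^(\\registry\\(machine|user\\[^\\]+)|hk(lm|cu)|hkey_(local_machine|current_user))\\"
)
_POLICY_RUN_RE = re.compile(
    r"^software\\microsoft\\windows\\currentversion\\policies\\explorer\\run\\[^\\]+$"
)


def normalize_key(path: str) -> str:
    """Lower-case a registry value path and drop the hive prefix."""
    return _HIVE_PREFIX_RE.sub("", path.lower(), count=1)


def is_policy_run_value(path: str) -> bool:
    """True for a value under Policies\\Explorer\\Run (T1547.001), in either hive."""
    return _POLICY_RUN_RE.match(normalize_key(path)) is not None


def masquerade_violation(image_path: str) -> bool:
    """True if the file name is a protected system binary outside its home (T1036.005)."""
    directory, _, name = image_path.lower().rpartition("\\")
    expected = EXPECTED_LOCATION.get(name)
    return expected is not None and directory != expected


def analyze(events: Iterable[dict]) -> List[str]:
    """Return one finding string per suspicious event, in event order."""
    findings: List[str] = []
    for ev in events:
        kind = ev["type"]
        if kind == "registry_set" and is_policy_run_value(ev["target"]):
            findings.append(f"policy_run_key: {ev['target']} = {ev['details']} (pid {ev['pid']})")
        elif kind == "file_create" and masquerade_violation(ev["target"]):
            findings.append(f"masquerade_drop: {ev['target']} written by pid {ev['pid']}")
        elif kind == "process_create":
            if masquerade_violation(ev["image"]):
                findings.append(f"masquerade_exec: {ev['image']} (pid {ev['pid']})")
            if masquerade_violation(ev["parent_image"]):
                findings.append(
                    f"child_of_masquerade: {ev['command_line']} (parent pid {ev['parent_pid']})"
                )
    return findings


# Constructed events mirroring the report: registry write, drop, execution of the
# drop, and the ipconfig child. The last event is a control (genuine LSASS started
# by wininit.exe; PIDs are assumptions) that must not fire.
SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\39138f5e46859b22773c478d6e66860f.exe"
EVENTS = [
    {"type": "registry_set", "image": SAMPLE, "pid": 2244,
     "target": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\run\\lsass",
     "details": "C:\\Windows\\lsass.exe"},
    {"type": "file_create", "image": SAMPLE, "pid": 2244, "target": "C:\\Windows\\lsass.exe"},
    {"type": "process_create", "image": "C:\\Windows\\lsass.exe", "pid": 1320,
     "command_line": "\"C:\\Windows\\lsass.exe\"", "parent_image": SAMPLE, "parent_pid": 2244},
    {"type": "process_create", "image": "C:\\Windows\\SysWOW64\\ipconfig.exe", "pid": 2632,
     "command_line": "\"C:\\Windows\\System32\\ipconfig.exe\" /flushdns",
     "parent_image": "C:\\Windows\\lsass.exe", "parent_pid": 1320},
    {"type": "process_create", "image": "C:\\Windows\\System32\\lsass.exe", "pid": 500,
     "command_line": "C:\\Windows\\system32\\lsass.exe",
     "parent_image": "C:\\Windows\\System32\\wininit.exe", "parent_pid": 400},
]

if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

The checks key on the image path, not the command line, which is what the ipconfig entry in the process tree calls for: the command line says System32 while the executing image is the SysWOW64 copy.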
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 32KB
  MD5: 8bac57f86a181023c85aec627f9b005e
  SHA1: 42ae15db7ea197767ff528ec8520d72d6ed37f82
  SHA256: f903b32c4543e8a5079e51ac91c6e53729e2d9c81406d8bca9a8f799a7088f0b
  SHA512: 0b231a14aa23d22bda8071b84d0a5219ea5a4277686440834b35edf99c172b9cab1d344512d6cde8f493a0b0f01542178e804554af19e03b8a5d484ee09598be
- Filesize: 27KB
  MD5: 6e8fa1e86465c06f1a1f599b7169d88a
  SHA1: d4f466fc42187e507ec7b92e6fde136866140f5b
  SHA256: e328afacfa372c81bd2f4db3baf1fe4e2fb2b985e0d25c9ac6b0d253c4cfdfcd
  SHA512: bad76281a3598d4bcafbe716791b9182eaae7ca78525779530ce14e609fbc18bbe849e9577eb839de61bf52c0d066ee24d964f84dee293c1f3536593c50a93ad
- Filesize: 85KB
  MD5: 8681f636f68df5af85f77376ced3b500
  SHA1: 172a9fb3ac4fb95715cfbeb122c963193828230f
  SHA256: ce1534f377d49df6704f15456d744ffaec3bacf35e8d7fcbfedd41f73014899e
  SHA512: d53c9fbc868ee839fafe3540d983c4716013d9cb134c941b2ec971fc5c794a6e53dfc8301c4b0d6dcfab03d5a723147843c0da0003b4506923b43c0d060e668e