68cfb3456fe856e99449354268b7e63c4255249c174a63361643aa57400c73ec

General

Target

39138f5e46859b22773c478d6e66860f.exe
Size

311KB
MD5

39138f5e46859b22773c478d6e66860f
SHA1

deb1cefdbfb3db5566f4cf179f42e611a7da8603
SHA256

68cfb3456fe856e99449354268b7e63c4255249c174a63361643aa57400c73ec
SHA512

b05aa449ebc610e477b4e5641a91ff3c73f89195cc939a7e491fe32a0a57bf43a29ef8a3e549814f82c8cf38d959e67409051209a16727c2d1322bf485ddd952
SSDEEP

6144:2RL59axiy59ITq/MFUMK4wBgFb1TLdXDiEuiBJYJaH5t:2H9aH59jFMvwmb1TLwEIof

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run	39138f5e46859b22773c478d6e66860f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\lsass = "C:\\Windows\\lsass.exe"	39138f5e46859b22773c478d6e66860f.exe

Executes dropped EXE 1 IoCs

pid	Process
1320	lsass.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\lsass.exe	39138f5e46859b22773c478d6e66860f.exe
File created	C:\Windows\lsass.exe	39138f5e46859b22773c478d6e66860f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2632	ipconfig.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 1320	2244	39138f5e46859b22773c478d6e66860f.exe	16
PID 2244 wrote to memory of 1320	2244	39138f5e46859b22773c478d6e66860f.exe	16
PID 2244 wrote to memory of 1320	2244	39138f5e46859b22773c478d6e66860f.exe	16
PID 2244 wrote to memory of 1320	2244	39138f5e46859b22773c478d6e66860f.exe	16
PID 1320 wrote to memory of 2632	1320	lsass.exe	30
PID 1320 wrote to memory of 2632	1320	lsass.exe	30
PID 1320 wrote to memory of 2632	1320	lsass.exe	30
PID 1320 wrote to memory of 2632	1320	lsass.exe	30

C:\Users\Admin\AppData\Local\Temp\39138f5e46859b22773c478d6e66860f.exe
"C:\Users\Admin\AppData\Local\Temp\39138f5e46859b22773c478d6e66860f.exe"
1⤵
- Adds policy Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\lsass.exe
  "C:\Windows\lsass.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1320
- - C:\Windows\SysWOW64\ipconfig.exe
    "C:\Windows\System32\ipconfig.exe" /flushdns
    3⤵
    - Gathers network information
    PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\lsass.exe

Filesize
32KB

MD5
8bac57f86a181023c85aec627f9b005e

SHA1
42ae15db7ea197767ff528ec8520d72d6ed37f82

SHA256
f903b32c4543e8a5079e51ac91c6e53729e2d9c81406d8bca9a8f799a7088f0b

SHA512
0b231a14aa23d22bda8071b84d0a5219ea5a4277686440834b35edf99c172b9cab1d344512d6cde8f493a0b0f01542178e804554af19e03b8a5d484ee09598be

Download Submit
C:\Windows\lsass.exe

Filesize
27KB

MD5
6e8fa1e86465c06f1a1f599b7169d88a

SHA1
d4f466fc42187e507ec7b92e6fde136866140f5b

SHA256
e328afacfa372c81bd2f4db3baf1fe4e2fb2b985e0d25c9ac6b0d253c4cfdfcd

SHA512
bad76281a3598d4bcafbe716791b9182eaae7ca78525779530ce14e609fbc18bbe849e9577eb839de61bf52c0d066ee24d964f84dee293c1f3536593c50a93ad

Download Submit
C:\Windows\lsass.exe

Filesize
85KB

MD5
8681f636f68df5af85f77376ced3b500

SHA1
172a9fb3ac4fb95715cfbeb122c963193828230f

SHA256
ce1534f377d49df6704f15456d744ffaec3bacf35e8d7fcbfedd41f73014899e

SHA512
d53c9fbc868ee839fafe3540d983c4716013d9cb134c941b2ec971fc5c794a6e53dfc8301c4b0d6dcfab03d5a723147843c0da0003b4506923b43c0d060e668e

Download Submit
memory/1320-30-0x0000000001D50000-0x0000000001D51000-memory.dmp

Filesize
4KB

Download
memory/1320-32-0x0000000001D50000-0x0000000001D51000-memory.dmp

Filesize
4KB

Download
memory/1320-29-0x0000000001D50000-0x0000000001D51000-memory.dmp

Filesize
4KB

Download
memory/1320-28-0x0000000001D50000-0x0000000001D51000-memory.dmp

Filesize
4KB

Download
memory/1320-27-0x0000000001D50000-0x0000000001D51000-memory.dmp

Filesize
4KB

Download
memory/1320-31-0x0000000001D50000-0x0000000001D51000-memory.dmp

Filesize
4KB

Download
memory/1320-35-0x0000000001D50000-0x0000000001D51000-memory.dmp

Filesize
4KB

Download
memory/1320-34-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1320-36-0x0000000001D50000-0x0000000001D51000-memory.dmp

Filesize
4KB

Download
memory/1320-37-0x0000000001D50000-0x0000000001D51000-memory.dmp

Filesize
4KB

Download
memory/1320-33-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1320-38-0x0000000001D50000-0x0000000001D51000-memory.dmp

Filesize
4KB

Download
memory/1320-39-0x0000000001D50000-0x0000000001D51000-memory.dmp

Filesize
4KB

Download
memory/1320-40-0x0000000001D50000-0x0000000001D51000-memory.dmp

Filesize
4KB

Download
memory/2244-12-0x0000000002790000-0x0000000002791000-memory.dmp

Filesize
4KB

Download
memory/2244-4-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/2244-11-0x0000000002710000-0x0000000002715000-memory.dmp

Filesize
20KB

Download
memory/2244-10-0x0000000001DB0000-0x0000000001DB1000-memory.dmp

Filesize
4KB

Download
memory/2244-9-0x0000000001E00000-0x0000000001E01000-memory.dmp

Filesize
4KB

Download
memory/2244-8-0x0000000002720000-0x0000000002722000-memory.dmp

Filesize
8KB

Download
memory/2244-7-0x0000000001D60000-0x0000000001D61000-memory.dmp

Filesize
4KB

Download
memory/2244-6-0x0000000001E20000-0x0000000001E21000-memory.dmp

Filesize
4KB

Download
memory/2244-5-0x0000000001DC0000-0x0000000001DC1000-memory.dmp

Filesize
4KB

Download
memory/2244-1-0x00000000004C0000-0x000000000050C000-memory.dmp

Filesize
304KB

Download
memory/2244-2-0x0000000001DE0000-0x0000000001DE1000-memory.dmp

Filesize
4KB

Download
memory/2244-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2244-13-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/2244-14-0x0000000001D50000-0x0000000001D51000-memory.dmp

Filesize
4KB

Download
memory/2244-15-0x0000000002780000-0x0000000002781000-memory.dmp

Filesize
4KB

Download
memory/2244-17-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/2244-22-0x0000000001D50000-0x0000000001D51000-memory.dmp

Filesize
4KB

Download
memory/2244-23-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2244-25-0x0000000001D50000-0x0000000001D51000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads