1b0fb3b5cd0ff954ab04c5502d0be2270181da75cca92f84ab91e4142745ed56

Resubmissions

23/02/2024, 15:00

240223-sdjx1ace7v 10

23/02/2024, 14:44

240223-r4hbesbc58 10

Analysis

max time kernel
699s
max time network
700s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23/02/2024, 15:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lol.exe
Size

214KB
MD5

bd367e4170e17df14b5a6a15cdfd79b0
SHA1

206cb6b1336d890e2bb8f4f36cf27b9d78ca8b1a
SHA256

1b0fb3b5cd0ff954ab04c5502d0be2270181da75cca92f84ab91e4142745ed56
SHA512

c62163ea1be9652862112116200ca0153737b7af6b1439b820687c4bbaf52fb616c70bbd3ca55dfe3d24a178a99d831ef6819e685de5e838473b26ea6281b5f6
SSDEEP

6144:DXP9zPvM92B+64kQ2EJam2dNREz9FdOZMJwGuE4QyZom8exsrPR5TE7D0XuDTTo6:DX5s2B+64kQHam2dNREz9FdOZMJwGuEu

Score

7^/10

persistence

Malware Config

Signatures

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	lol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.url	lol.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	lol.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\lol.exe\" .."	lol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\lol.exe\" .."	lol.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
25	0.tcp.eu.ngrok.io
45	0.tcp.eu.ngrok.io
122	0.tcp.eu.ngrok.io
164	0.tcp.eu.ngrok.io
2	0.tcp.eu.ngrok.io
141	0.tcp.eu.ngrok.io
203	0.tcp.eu.ngrok.io
223	0.tcp.eu.ngrok.io
62	0.tcp.eu.ngrok.io
82	0.tcp.eu.ngrok.io
102	0.tcp.eu.ngrok.io
184	0.tcp.eu.ngrok.io
144	0.tcp.eu.ngrok.io

Kills process with taskkill 2 IoCs

evasion

pid	Process
972	TASKKILL.exe
2028	TASKKILL.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe
2696	lol.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2696	lol.exe
Token: SeDebugPrivilege	972	TASKKILL.exe
Token: SeDebugPrivilege	2028	TASKKILL.exe
Token: 33	2696	lol.exe
Token: SeIncBasePriorityPrivilege	2696	lol.exe
Token: 33	2696	lol.exe
Token: SeIncBasePriorityPrivilege	2696	lol.exe
Token: 33	2696	lol.exe
Token: SeIncBasePriorityPrivilege	2696	lol.exe
Token: 33	2696	lol.exe
Token: SeIncBasePriorityPrivilege	2696	lol.exe
Token: 33	2696	lol.exe
Token: SeIncBasePriorityPrivilege	2696	lol.exe
Token: 33	2696	lol.exe
Token: SeIncBasePriorityPrivilege	2696	lol.exe
Token: 33	2696	lol.exe
Token: SeIncBasePriorityPrivilege	2696	lol.exe
Token: 33	2696	lol.exe
Token: SeIncBasePriorityPrivilege	2696	lol.exe
Token: 33	2696	lol.exe
Token: SeIncBasePriorityPrivilege	2696	lol.exe
Token: 33	2696	lol.exe
Token: SeIncBasePriorityPrivilege	2696	lol.exe
Token: 33	2696	lol.exe
Token: SeIncBasePriorityPrivilege	2696	lol.exe
Token: 33	2696	lol.exe
Token: SeIncBasePriorityPrivilege	2696	lol.exe
Token: 33	2696	lol.exe
Token: SeIncBasePriorityPrivilege	2696	lol.exe
Token: 33	2696	lol.exe
Token: SeIncBasePriorityPrivilege	2696	lol.exe
Token: 33	2696	lol.exe
Token: SeIncBasePriorityPrivilege	2696	lol.exe
Token: 33	2696	lol.exe
Token: SeIncBasePriorityPrivilege	2696	lol.exe
Token: 33	2696	lol.exe
Token: SeIncBasePriorityPrivilege	2696	lol.exe
Token: 33	2696	lol.exe
Token: SeIncBasePriorityPrivilege	2696	lol.exe
Token: 33	2696	lol.exe
Token: SeIncBasePriorityPrivilege	2696	lol.exe
Token: 33	2696	lol.exe
Token: SeIncBasePriorityPrivilege	2696	lol.exe
Token: 33	2696	lol.exe
Token: SeIncBasePriorityPrivilege	2696	lol.exe
Token: 33	2696	lol.exe
Token: SeIncBasePriorityPrivilege	2696	lol.exe
Token: 33	2696	lol.exe
Token: SeIncBasePriorityPrivilege	2696	lol.exe
Token: 33	2696	lol.exe
Token: SeIncBasePriorityPrivilege	2696	lol.exe
Token: 33	2696	lol.exe
Token: SeIncBasePriorityPrivilege	2696	lol.exe
Token: 33	2696	lol.exe
Token: SeIncBasePriorityPrivilege	2696	lol.exe
Token: 33	2696	lol.exe
Token: SeIncBasePriorityPrivilege	2696	lol.exe
Token: 33	2696	lol.exe
Token: SeIncBasePriorityPrivilege	2696	lol.exe
Token: 33	2696	lol.exe
Token: SeIncBasePriorityPrivilege	2696	lol.exe
Token: 33	2696	lol.exe
Token: SeIncBasePriorityPrivilege	2696	lol.exe
Token: 33	2696	lol.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 972	2696	lol.exe	28
PID 2696 wrote to memory of 972	2696	lol.exe	28
PID 2696 wrote to memory of 972	2696	lol.exe	28
PID 2696 wrote to memory of 972	2696	lol.exe	28
PID 2696 wrote to memory of 2028	2696	lol.exe	29
PID 2696 wrote to memory of 2028	2696	lol.exe	29
PID 2696 wrote to memory of 2028	2696	lol.exe	29
PID 2696 wrote to memory of 2028	2696	lol.exe	29

C:\Users\Admin\AppData\Local\Temp\lol.exe
"C:\Users\Admin\AppData\Local\Temp\lol.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /F /IM wscript.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:972
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /F /IM cmd.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2696-0-0x0000000074730000-0x0000000074CDB000-memory.dmp

Filesize
5.7MB

Download
memory/2696-2-0x0000000000CE0000-0x0000000000D20000-memory.dmp

Filesize
256KB

Download
memory/2696-1-0x0000000074730000-0x0000000074CDB000-memory.dmp

Filesize
5.7MB

Download
memory/2696-17-0x0000000074730000-0x0000000074CDB000-memory.dmp

Filesize
5.7MB

Download
memory/2696-18-0x0000000074730000-0x0000000074CDB000-memory.dmp

Filesize
5.7MB

Download
memory/2696-19-0x0000000000CE0000-0x0000000000D20000-memory.dmp

Filesize
256KB

Download