0d923f57089f82baaf9b8aa2fdebc0f906337be3c41ab0cd78553aee51cd77fd

General

Target

acf068bafccdcbfb89a0f204b69cfe64.exe
Size

66KB
MD5

acf068bafccdcbfb89a0f204b69cfe64
SHA1

521d2c612ce20ef39367d34391ce8335eafadf5c
SHA256

0d923f57089f82baaf9b8aa2fdebc0f906337be3c41ab0cd78553aee51cd77fd
SHA512

2a57197c166f6e88912ed2f9e3abe63de221c7336375fe9b88e000479475481049ba24e006fe80eb2ecc06f7b30666b36434681d9f0a4a4f392d8831e9d01931
SSDEEP

1536:d9yppfstVIqE5N9HW6BPUyQdh6JIBchD7VqhSkwGn/Ir0S:ny7vqkWAPUyQd2d7R1L

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1200	helperlcsass.exe

Executes dropped EXE 3 IoCs

pid	Process
1200	helperlcsass.exe
2640	lcsass.exe
2408	helperlcsass.exe

Loads dropped DLL 6 IoCs

pid	Process
2156	acf068bafccdcbfb89a0f204b69cfe64.exe
2156	acf068bafccdcbfb89a0f204b69cfe64.exe
1200	helperlcsass.exe
1200	helperlcsass.exe
2640	lcsass.exe
2640	lcsass.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dsgb = "C:\\Windows\\SysWOW64\\lcsass.exe"	lcsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\dsgb = "C:\\Windows\\SysWOW64\\lcsass.exe"	lcsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dsgb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\acf068bafccdcbfb89a0f204b69cfe64.exe"	acf068bafccdcbfb89a0f204b69cfe64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\dsgb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\acf068bafccdcbfb89a0f204b69cfe64.exe"	acf068bafccdcbfb89a0f204b69cfe64.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\helperlcsass.exe	lcsass.exe
File opened for modification	C:\Windows\SysWOW64\lcsass.exe	helperlcsass.exe
File opened for modification	C:\Windows\SysWOW64\helperlcsass.exe	acf068bafccdcbfb89a0f204b69cfe64.exe
File created	C:\Windows\SysWOW64\helperlcsass.exe	acf068bafccdcbfb89a0f204b69cfe64.exe
File created	C:\Windows\SysWOW64\lcsass.exe	helperlcsass.exe
File opened for modification	C:\Windows\SysWOW64\lcsass.exe	helperlcsass.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 1200	2156	acf068bafccdcbfb89a0f204b69cfe64.exe	28
PID 2156 wrote to memory of 1200	2156	acf068bafccdcbfb89a0f204b69cfe64.exe	28
PID 2156 wrote to memory of 1200	2156	acf068bafccdcbfb89a0f204b69cfe64.exe	28
PID 2156 wrote to memory of 1200	2156	acf068bafccdcbfb89a0f204b69cfe64.exe	28
PID 1200 wrote to memory of 2640	1200	helperlcsass.exe	29
PID 1200 wrote to memory of 2640	1200	helperlcsass.exe	29
PID 1200 wrote to memory of 2640	1200	helperlcsass.exe	29
PID 1200 wrote to memory of 2640	1200	helperlcsass.exe	29
PID 2640 wrote to memory of 2408	2640	lcsass.exe	30
PID 2640 wrote to memory of 2408	2640	lcsass.exe	30
PID 2640 wrote to memory of 2408	2640	lcsass.exe	30
PID 2640 wrote to memory of 2408	2640	lcsass.exe	30

C:\Users\Admin\AppData\Local\Temp\acf068bafccdcbfb89a0f204b69cfe64.exe
"C:\Users\Admin\AppData\Local\Temp\acf068bafccdcbfb89a0f204b69cfe64.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\SysWOW64\helperlcsass.exe
  C:\Users\Admin\AppData\Local\Temp\acf068bafccdcbfb89a0f204b69cfe64.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1200
- - C:\Windows\SysWOW64\lcsass.exe
    C:\Windows\system32\lcsass.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\SysWOW64\helperlcsass.exe
      C:\Windows\SysWOW64\lcsass.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\helperlcsass.exe

Filesize
2KB

MD5
e648bac4f1ea6e8dbf92cbf7f4857eee

SHA1
97c294a94f8efc22b7fd57b0813a64c8548426f0

SHA256
0424a7c2c74405105ebfa622bc3cb46b3083612910f5309537d2a2df3e284c7d

SHA512
e128077982ef473db97d4227713adc9debb195a1a00bfbcce6492db5967b5077e9b3296b3be666cb82dd15214dc7432a82ff6ef82700c5b20c0bf2252c5d7156

Download Submit
\Windows\SysWOW64\lcsass.exe

Filesize
66KB

MD5
acf068bafccdcbfb89a0f204b69cfe64

SHA1
521d2c612ce20ef39367d34391ce8335eafadf5c

SHA256
0d923f57089f82baaf9b8aa2fdebc0f906337be3c41ab0cd78553aee51cd77fd

SHA512
2a57197c166f6e88912ed2f9e3abe63de221c7336375fe9b88e000479475481049ba24e006fe80eb2ecc06f7b30666b36434681d9f0a4a4f392d8831e9d01931

Download Submit
memory/1200-15-0x00000000002B0000-0x00000000002F8000-memory.dmp

Filesize
288KB

Download
memory/1200-32-0x00000000002B0000-0x00000000002F8000-memory.dmp

Filesize
288KB

Download
memory/2156-0-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2156-10-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2640-30-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads