6daddcc41e60864ddcc398feb869cd2a7bf79939498aaa4febd2c47d6bf993a5

Analysis

max time kernel
151s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-03-2024 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6daddcc41e60864ddcc398feb869cd2a7bf79939498aaa4febd2c47d6bf993a5.exe
Size

455KB
MD5

ea618b542a89a36d9292596ffd6c2a18
SHA1

59e518e3d449a1b1c11d3a740193510f39d83729
SHA256

6daddcc41e60864ddcc398feb869cd2a7bf79939498aaa4febd2c47d6bf993a5
SHA512

da77609ebeaf730cb4c94fba5d3e033db37c872ff470cbdd4b51222239ca0a23a324c807c6e816dfd6630749c79ee6a09b0215150637313f2baf1c3c4df00fe6
SSDEEP

6144:mBapC9DUIYmO5Kv5Q7X/l/rYvkW1VxxfnzrV9UAH0ctkPfc92F8ALpIh9jil:5pQD+mO5KWy/zrVbt4fcYD9U9jI

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2628	LSASS.exe
2396	LSASS.exe

Loads dropped DLL 2 IoCs

pid	Process
2628	LSASS.exe
2628	LSASS.exe

Adds Run key to start application 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6daddcc41e60864ddcc398feb869cd2a7bf79939498aaa4febd2c47d6bf993a5.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6daddcc41e60864ddcc398feb869cd2a7bf79939498aaa4febd2c47d6bf993a5.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	LSASS.exe
File opened (read-only)	\??\I:	LSASS.exe
File opened (read-only)	\??\O:	LSASS.exe
File opened (read-only)	\??\P:	LSASS.exe
File opened (read-only)	\??\V:	LSASS.exe
File opened (read-only)	\??\X:	LSASS.exe
File opened (read-only)	\??\Z:	LSASS.exe
File opened (read-only)	\??\E:	LSASS.exe
File opened (read-only)	\??\Q:	LSASS.exe
File opened (read-only)	\??\R:	LSASS.exe
File opened (read-only)	\??\U:	LSASS.exe
File opened (read-only)	\??\L:	LSASS.exe
File opened (read-only)	\??\N:	LSASS.exe
File opened (read-only)	\??\H:	LSASS.exe
File opened (read-only)	\??\K:	LSASS.exe
File opened (read-only)	\??\M:	LSASS.exe
File opened (read-only)	\??\S:	LSASS.exe
File opened (read-only)	\??\T:	LSASS.exe
File opened (read-only)	\??\W:	LSASS.exe
File opened (read-only)	\??\Y:	LSASS.exe
File opened (read-only)	\??\J:	LSASS.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	LSASS.exe
File opened for modification	C:\autorun.inf	LSASS.exe
File created	F:\autorun.inf	LSASS.exe
File opened for modification	F:\autorun.inf	LSASS.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\LSASS.exe	6daddcc41e60864ddcc398feb869cd2a7bf79939498aaa4febd2c47d6bf993a5.exe
File opened for modification	C:\Windows\LSASS.exe	6daddcc41e60864ddcc398feb869cd2a7bf79939498aaa4febd2c47d6bf993a5.exe
File opened for modification	C:\Windows\LSASS.exe	LSASS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3060	6daddcc41e60864ddcc398feb869cd2a7bf79939498aaa4febd2c47d6bf993a5.exe
3060	6daddcc41e60864ddcc398feb869cd2a7bf79939498aaa4febd2c47d6bf993a5.exe
3060	6daddcc41e60864ddcc398feb869cd2a7bf79939498aaa4febd2c47d6bf993a5.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2396	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe
2628	LSASS.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2628	3060	6daddcc41e60864ddcc398feb869cd2a7bf79939498aaa4febd2c47d6bf993a5.exe	28
PID 3060 wrote to memory of 2628	3060	6daddcc41e60864ddcc398feb869cd2a7bf79939498aaa4febd2c47d6bf993a5.exe	28
PID 3060 wrote to memory of 2628	3060	6daddcc41e60864ddcc398feb869cd2a7bf79939498aaa4febd2c47d6bf993a5.exe	28
PID 3060 wrote to memory of 2628	3060	6daddcc41e60864ddcc398feb869cd2a7bf79939498aaa4febd2c47d6bf993a5.exe	28
PID 3060 wrote to memory of 2644	3060	6daddcc41e60864ddcc398feb869cd2a7bf79939498aaa4febd2c47d6bf993a5.exe	29
PID 3060 wrote to memory of 2644	3060	6daddcc41e60864ddcc398feb869cd2a7bf79939498aaa4febd2c47d6bf993a5.exe	29
PID 3060 wrote to memory of 2644	3060	6daddcc41e60864ddcc398feb869cd2a7bf79939498aaa4febd2c47d6bf993a5.exe	29
PID 3060 wrote to memory of 2644	3060	6daddcc41e60864ddcc398feb869cd2a7bf79939498aaa4febd2c47d6bf993a5.exe	29
PID 3060 wrote to memory of 2668	3060	6daddcc41e60864ddcc398feb869cd2a7bf79939498aaa4febd2c47d6bf993a5.exe	30
PID 3060 wrote to memory of 2668	3060	6daddcc41e60864ddcc398feb869cd2a7bf79939498aaa4febd2c47d6bf993a5.exe	30
PID 3060 wrote to memory of 2668	3060	6daddcc41e60864ddcc398feb869cd2a7bf79939498aaa4febd2c47d6bf993a5.exe	30
PID 3060 wrote to memory of 2668	3060	6daddcc41e60864ddcc398feb869cd2a7bf79939498aaa4febd2c47d6bf993a5.exe	30
PID 2628 wrote to memory of 2552	2628	LSASS.exe	33
PID 2628 wrote to memory of 2552	2628	LSASS.exe	33
PID 2628 wrote to memory of 2552	2628	LSASS.exe	33
PID 2628 wrote to memory of 2552	2628	LSASS.exe	33
PID 2628 wrote to memory of 2948	2628	LSASS.exe	34
PID 2628 wrote to memory of 2948	2628	LSASS.exe	34
PID 2628 wrote to memory of 2948	2628	LSASS.exe	34
PID 2628 wrote to memory of 2948	2628	LSASS.exe	34
PID 2628 wrote to memory of 2396	2628	LSASS.exe	37
PID 2628 wrote to memory of 2396	2628	LSASS.exe	37
PID 2628 wrote to memory of 2396	2628	LSASS.exe	37
PID 2628 wrote to memory of 2396	2628	LSASS.exe	37
PID 2628 wrote to memory of 1888	2628	LSASS.exe	38
PID 2628 wrote to memory of 1888	2628	LSASS.exe	38
PID 2628 wrote to memory of 1888	2628	LSASS.exe	38
PID 2628 wrote to memory of 1888	2628	LSASS.exe	38
PID 2628 wrote to memory of 2368	2628	LSASS.exe	39
PID 2628 wrote to memory of 2368	2628	LSASS.exe	39
PID 2628 wrote to memory of 2368	2628	LSASS.exe	39
PID 2628 wrote to memory of 2368	2628	LSASS.exe	39
PID 2628 wrote to memory of 2772	2628	LSASS.exe	42
PID 2628 wrote to memory of 2772	2628	LSASS.exe	42
PID 2628 wrote to memory of 2772	2628	LSASS.exe	42
PID 2628 wrote to memory of 2772	2628	LSASS.exe	42
PID 2628 wrote to memory of 2736	2628	LSASS.exe	43
PID 2628 wrote to memory of 2736	2628	LSASS.exe	43
PID 2628 wrote to memory of 2736	2628	LSASS.exe	43
PID 2628 wrote to memory of 2736	2628	LSASS.exe	43
PID 2628 wrote to memory of 572	2628	LSASS.exe	46
PID 2628 wrote to memory of 572	2628	LSASS.exe	46
PID 2628 wrote to memory of 572	2628	LSASS.exe	46
PID 2628 wrote to memory of 572	2628	LSASS.exe	46
PID 2628 wrote to memory of 1120	2628	LSASS.exe	47
PID 2628 wrote to memory of 1120	2628	LSASS.exe	47
PID 2628 wrote to memory of 1120	2628	LSASS.exe	47
PID 2628 wrote to memory of 1120	2628	LSASS.exe	47
PID 2628 wrote to memory of 1944	2628	LSASS.exe	50
PID 2628 wrote to memory of 1944	2628	LSASS.exe	50
PID 2628 wrote to memory of 1944	2628	LSASS.exe	50
PID 2628 wrote to memory of 1944	2628	LSASS.exe	50
PID 2628 wrote to memory of 2440	2628	LSASS.exe	51
PID 2628 wrote to memory of 2440	2628	LSASS.exe	51
PID 2628 wrote to memory of 2440	2628	LSASS.exe	51
PID 2628 wrote to memory of 2440	2628	LSASS.exe	51
PID 2628 wrote to memory of 292	2628	LSASS.exe	56
PID 2628 wrote to memory of 292	2628	LSASS.exe	56
PID 2628 wrote to memory of 292	2628	LSASS.exe	56
PID 2628 wrote to memory of 292	2628	LSASS.exe	56
PID 2628 wrote to memory of 1680	2628	LSASS.exe	57
PID 2628 wrote to memory of 1680	2628	LSASS.exe	57
PID 2628 wrote to memory of 1680	2628	LSASS.exe	57
PID 2628 wrote to memory of 1680	2628	LSASS.exe	57

C:\Users\Admin\AppData\Local\Temp\6daddcc41e60864ddcc398feb869cd2a7bf79939498aaa4febd2c47d6bf993a5.exe
"C:\Users\Admin\AppData\Local\Temp\6daddcc41e60864ddcc398feb869cd2a7bf79939498aaa4febd2c47d6bf993a5.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Windows\LSASS.exe
  "C:\Windows\LSASS.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2552
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2948
- - C:\Users\Admin\LSASS.exe
    "C:\Users\Admin\LSASS.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2396
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1888
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2368
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2772
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2736
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:572
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1120
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1944
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2440
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:292
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1680
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2128
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1900
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2848
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2316
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2700
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:768
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:924
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1828
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2232
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2928
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2212
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2088
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2072
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1596
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2500
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2600
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2544
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2888
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2428
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2444
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1140
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2368
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2760
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2752
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2932
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2972
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2012
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1652
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1632
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2108
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1900
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1204
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2188
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2252
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2152
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1100
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1068
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1904
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1960
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2924
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2824
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2332
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2204
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1704
- C:\Windows\SysWOW64\REG.exe
  REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\6daddcc41e60864ddcc398feb869cd2a7bf79939498aaa4febd2c47d6bf993a5.exe" /f
  2⤵
  - Adds Run key to start application
  PID:2644
- C:\Windows\SysWOW64\REG.exe
  REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\6daddcc41e60864ddcc398feb869cd2a7bf79939498aaa4febd2c47d6bf993a5.exe" /f
  2⤵
  - Adds Run key to start application
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\LSASS.exe

Filesize
455KB

MD5
8a0e8d47441dafd31882b213eb939660

SHA1
ea5079ff0ab80ac69b47383ae7d83505c166d20d

SHA256
8a74ce6ebeb26d3e208fc45d456b1c52638a6cbf58983ef9fe6f47aa5246f979

SHA512
551382d7f62073783447d6a2b841db37add82915483906556995a394e09bd82fa87842f9a005e1df38f3faee9ee2f12d591607da360ae8bb88036527066fe34d

Download Submit
C:\autorun.inf

Filesize
190B

MD5
b1445c7f646c6ca9a7597791af38d575

SHA1
91efaf63fa1f7a51ee2f9b1c3b0f8932f15439ce

SHA256
220517d50470c86d94020cebcd03af286898e65338f468dc5f860dc04af2c88e

SHA512
533349278b6d186f0f3947681e90dcc7f617e146736798e6fc23e79d61610f1f7b2e4b4241b296884622fbd6b1cf73dc694a852e05bf4235da8ed40b70c5683f

Download Submit
\Users\Admin\LSASS.exe

Filesize
455KB

MD5
697e126171f507456bf05f6c89ecdb72

SHA1
5ed1f1d8550297ca1ee58ebfbaf5909186fc7e43

SHA256
47fdf2afb985d9c51fc4a824628e59b6cf2b9fa33c6abf8c7832f559ee1366ad

SHA512
cf83969a584dca49359451e24f6d96cbd39bbc0b91a9fc48ea169bbf4d3aeddaa46b211c340e158393520c4a2b2940a6908097405f9cc64f4aedb1e3dabc5404

Download Submit
memory/2396-22-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2396-23-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2628-44-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2628-183-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2628-24-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2628-9-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2628-43-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2628-251-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2628-61-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2628-78-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2628-95-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2628-113-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2628-132-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2628-149-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2628-166-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2628-234-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2628-200-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2628-217-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3060-10-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3060-0-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download