4932262152b570800f0e595a0034ee2305edef7ed1d1e7914b771a40ea03c9aa

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
05/03/2024, 20:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4932262152b570800f0e595a0034ee2305edef7ed1d1e7914b771a40ea03c9aa.exe
Size

472KB
MD5

322e4700befb566eba9229da6658b653
SHA1

1248ee6b70b64c941d3bb9bde4cfdf28231894d8
SHA256

4932262152b570800f0e595a0034ee2305edef7ed1d1e7914b771a40ea03c9aa
SHA512

d0ebb218cd78e026ace19ca6850509cc84e87a933454d7eaaa0db6e2adbad9e512c77213bc2e58acf95e800d749fe573a806817020a33653f31a38a8560fdf4c
SSDEEP

6144:cf+Jjjou35J6i5plrzuo6/LkeYvjoIHnv0RX/VwFdLD/7MsrYMC+9GXL9M8sG3dr:bj8u3ui5pl+uBvc/V0FdYxJdRqMv

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2976	LSASS.exe
2420	LSASS.exe

Loads dropped DLL 2 IoCs

pid	Process
2976	LSASS.exe
2976	LSASS.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	LSASS.exe
File opened (read-only)	\??\O:	LSASS.exe
File opened (read-only)	\??\M:	LSASS.exe
File opened (read-only)	\??\R:	LSASS.exe
File opened (read-only)	\??\Z:	LSASS.exe
File opened (read-only)	\??\I:	LSASS.exe
File opened (read-only)	\??\H:	LSASS.exe
File opened (read-only)	\??\J:	LSASS.exe
File opened (read-only)	\??\K:	LSASS.exe
File opened (read-only)	\??\L:	LSASS.exe
File opened (read-only)	\??\P:	LSASS.exe
File opened (read-only)	\??\Q:	LSASS.exe
File opened (read-only)	\??\X:	LSASS.exe
File opened (read-only)	\??\G:	LSASS.exe
File opened (read-only)	\??\N:	LSASS.exe
File opened (read-only)	\??\S:	LSASS.exe
File opened (read-only)	\??\T:	LSASS.exe
File opened (read-only)	\??\U:	LSASS.exe
File opened (read-only)	\??\V:	LSASS.exe
File opened (read-only)	\??\Y:	LSASS.exe
File opened (read-only)	\??\E:	LSASS.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	LSASS.exe
File opened for modification	C:\autorun.inf	LSASS.exe
File created	F:\autorun.inf	LSASS.exe
File opened for modification	F:\autorun.inf	LSASS.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\LSASS.exe	4932262152b570800f0e595a0034ee2305edef7ed1d1e7914b771a40ea03c9aa.exe
File opened for modification	C:\Windows\LSASS.exe	4932262152b570800f0e595a0034ee2305edef7ed1d1e7914b771a40ea03c9aa.exe
File opened for modification	C:\Windows\LSASS.exe	LSASS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1568	4932262152b570800f0e595a0034ee2305edef7ed1d1e7914b771a40ea03c9aa.exe
1568	4932262152b570800f0e595a0034ee2305edef7ed1d1e7914b771a40ea03c9aa.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2420	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe
2976	LSASS.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 2976	1568	4932262152b570800f0e595a0034ee2305edef7ed1d1e7914b771a40ea03c9aa.exe	28
PID 1568 wrote to memory of 2976	1568	4932262152b570800f0e595a0034ee2305edef7ed1d1e7914b771a40ea03c9aa.exe	28
PID 1568 wrote to memory of 2976	1568	4932262152b570800f0e595a0034ee2305edef7ed1d1e7914b771a40ea03c9aa.exe	28
PID 1568 wrote to memory of 2976	1568	4932262152b570800f0e595a0034ee2305edef7ed1d1e7914b771a40ea03c9aa.exe	28
PID 2976 wrote to memory of 2432	2976	LSASS.exe	29
PID 2976 wrote to memory of 2432	2976	LSASS.exe	29
PID 2976 wrote to memory of 2432	2976	LSASS.exe	29
PID 2976 wrote to memory of 2432	2976	LSASS.exe	29
PID 2976 wrote to memory of 2628	2976	LSASS.exe	30
PID 2976 wrote to memory of 2628	2976	LSASS.exe	30
PID 2976 wrote to memory of 2628	2976	LSASS.exe	30
PID 2976 wrote to memory of 2628	2976	LSASS.exe	30
PID 2976 wrote to memory of 2420	2976	LSASS.exe	33
PID 2976 wrote to memory of 2420	2976	LSASS.exe	33
PID 2976 wrote to memory of 2420	2976	LSASS.exe	33
PID 2976 wrote to memory of 2420	2976	LSASS.exe	33
PID 2976 wrote to memory of 1288	2976	LSASS.exe	34
PID 2976 wrote to memory of 1288	2976	LSASS.exe	34
PID 2976 wrote to memory of 1288	2976	LSASS.exe	34
PID 2976 wrote to memory of 1288	2976	LSASS.exe	34
PID 2976 wrote to memory of 2396	2976	LSASS.exe	35
PID 2976 wrote to memory of 2396	2976	LSASS.exe	35
PID 2976 wrote to memory of 2396	2976	LSASS.exe	35
PID 2976 wrote to memory of 2396	2976	LSASS.exe	35
PID 2976 wrote to memory of 1432	2976	LSASS.exe	38
PID 2976 wrote to memory of 1432	2976	LSASS.exe	38
PID 2976 wrote to memory of 1432	2976	LSASS.exe	38
PID 2976 wrote to memory of 1432	2976	LSASS.exe	38
PID 2976 wrote to memory of 1332	2976	LSASS.exe	39
PID 2976 wrote to memory of 1332	2976	LSASS.exe	39
PID 2976 wrote to memory of 1332	2976	LSASS.exe	39
PID 2976 wrote to memory of 1332	2976	LSASS.exe	39
PID 2976 wrote to memory of 1828	2976	LSASS.exe	44
PID 2976 wrote to memory of 1828	2976	LSASS.exe	44
PID 2976 wrote to memory of 1828	2976	LSASS.exe	44
PID 2976 wrote to memory of 1828	2976	LSASS.exe	44
PID 2976 wrote to memory of 1824	2976	LSASS.exe	45
PID 2976 wrote to memory of 1824	2976	LSASS.exe	45
PID 2976 wrote to memory of 1824	2976	LSASS.exe	45
PID 2976 wrote to memory of 1824	2976	LSASS.exe	45

C:\Users\Admin\AppData\Local\Temp\4932262152b570800f0e595a0034ee2305edef7ed1d1e7914b771a40ea03c9aa.exe
"C:\Users\Admin\AppData\Local\Temp\4932262152b570800f0e595a0034ee2305edef7ed1d1e7914b771a40ea03c9aa.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Windows\LSASS.exe
  "C:\Windows\LSASS.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2432
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2628
- - C:\Users\Admin\LSASS.exe
    "C:\Users\Admin\LSASS.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2420
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1288
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2396
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1432
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1332
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1828
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\LSASS.exe

Filesize
472KB

MD5
18e9e66cd233a6d5577593e00c9cfbf7

SHA1
571c08ed5f048064e3f7392246cb98181b112e85

SHA256
2b50749387fa6783bbde05dce8ef98437cb1e1384b919d455199e8b676c96075

SHA512
4969a15f696aceb5372dc7d10e9f513d08e65692213a3b6c8a87cf55240c5d8ea288733e18de3bf5bd72ab9bb86b62d3be9f4b80ba85a82031e32e2ee81bee1f

Download Submit
C:\autorun.inf

Filesize
190B

MD5
b1445c7f646c6ca9a7597791af38d575

SHA1
91efaf63fa1f7a51ee2f9b1c3b0f8932f15439ce

SHA256
220517d50470c86d94020cebcd03af286898e65338f468dc5f860dc04af2c88e

SHA512
533349278b6d186f0f3947681e90dcc7f617e146736798e6fc23e79d61610f1f7b2e4b4241b296884622fbd6b1cf73dc694a852e05bf4235da8ed40b70c5683f

Download Submit
\Users\Admin\LSASS.exe

Filesize
472KB

MD5
e2d751c41c183e89c86de2f7c59406fc

SHA1
42cb96f181751862c86404c4ab5cdbbb5768055a

SHA256
91a1dfdf8462e6aa985e49b307581ed90d64a28cdf8e8c4bf756eb1bf1337e07

SHA512
049ef86b38c474826eb47d90e99ca804d48b50cdead03c556bd8d65a547f2f0237924d25d946b7f2107a364f354a8999ced21ddbe57f20fdfed535f21b2fb65f

Download Submit
memory/1568-14-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1568-1-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1568-10-0x000000000B760000-0x000000000B7DD000-memory.dmp

Filesize
500KB

Download
memory/1568-0-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1568-6-0x000000000B760000-0x000000000B7DD000-memory.dmp

Filesize
500KB

Download
memory/2420-29-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2420-28-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2420-27-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2976-49-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2976-106-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2976-30-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2976-12-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2976-50-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2976-13-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2976-59-0x000000000B640000-0x000000000B6BD000-memory.dmp

Filesize
500KB

Download
memory/2976-72-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2976-89-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2976-26-0x000000000B640000-0x000000000B6BD000-memory.dmp

Filesize
500KB

Download
memory/2976-124-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2976-145-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2976-162-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2976-179-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2976-200-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2976-217-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2976-234-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2976-251-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2976-272-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download