529b1e59756b3db5e47e11801940a85a90ecb84771f480fc08a0979ed3a942ce

General

Target

c4d9d92d02453ba90ce7cb7dd36129c6.exe
Size

225KB
MD5

c4d9d92d02453ba90ce7cb7dd36129c6
SHA1

bf19f1a04314688314fa2b53df67bf02b6e62750
SHA256

529b1e59756b3db5e47e11801940a85a90ecb84771f480fc08a0979ed3a942ce
SHA512

84e979427fb9202249c3db7d87482639827c03da78b595801a6b3f9aa3d41f437babcae604c3b55b99c8175649ec6cc3ebc88db4b72f3bd3386e73999be8f7ff
SSDEEP

3072:d3QfUsjDosf+UtmBgajmOPXqAYYccKAl0gPXJ/H9RSAYijDmRJ:B6mSimOPXqAYhC5PXJf9RSiuL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2820	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2244	lsxtjf.exe

Loads dropped DLL 4 IoCs

pid	Process
2820	cmd.exe
2820	cmd.exe
2244	lsxtjf.exe
2244	lsxtjf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
3008	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2528	PING.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2244	lsxtjf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3008	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2244	lsxtjf.exe
2244	lsxtjf.exe
2244	lsxtjf.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2244	lsxtjf.exe
2244	lsxtjf.exe
2244	lsxtjf.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2820	2964	c4d9d92d02453ba90ce7cb7dd36129c6.exe	28
PID 2964 wrote to memory of 2820	2964	c4d9d92d02453ba90ce7cb7dd36129c6.exe	28
PID 2964 wrote to memory of 2820	2964	c4d9d92d02453ba90ce7cb7dd36129c6.exe	28
PID 2964 wrote to memory of 2820	2964	c4d9d92d02453ba90ce7cb7dd36129c6.exe	28
PID 2820 wrote to memory of 3008	2820	cmd.exe	30
PID 2820 wrote to memory of 3008	2820	cmd.exe	30
PID 2820 wrote to memory of 3008	2820	cmd.exe	30
PID 2820 wrote to memory of 3008	2820	cmd.exe	30
PID 2820 wrote to memory of 2528	2820	cmd.exe	32
PID 2820 wrote to memory of 2528	2820	cmd.exe	32
PID 2820 wrote to memory of 2528	2820	cmd.exe	32
PID 2820 wrote to memory of 2528	2820	cmd.exe	32
PID 2820 wrote to memory of 2244	2820	cmd.exe	33
PID 2820 wrote to memory of 2244	2820	cmd.exe	33
PID 2820 wrote to memory of 2244	2820	cmd.exe	33
PID 2820 wrote to memory of 2244	2820	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\c4d9d92d02453ba90ce7cb7dd36129c6.exe
"C:\Users\Admin\AppData\Local\Temp\c4d9d92d02453ba90ce7cb7dd36129c6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 2964 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\c4d9d92d02453ba90ce7cb7dd36129c6.exe" & start C:\Users\Admin\AppData\Local\lsxtjf.exe -f
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /pid 2964
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3008
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 3 127.1
    3⤵
    - Runs ping.exe
    PID:2528
- - C:\Users\Admin\AppData\Local\lsxtjf.exe
    C:\Users\Admin\AppData\Local\lsxtjf.exe -f
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\lsxtjf.exe

Filesize
128KB

MD5
5d99797c1573510a6fe10302f52c5722

SHA1
afcba9078237faaca26d3bb066c10afb5356bae5

SHA256
3e869b908e007b85357c862867bf39173c9b7a63d7056158fd23b39a8317d077

SHA512
6c9e5d9a2bf8c453117bc1e126e3f9cc544c3a65875a008edb1b0df721c3cde9a10fc6c177c588d027ea370852a34492af11b569c376323575ea6386ea8bded2

Download Submit
C:\Users\Admin\AppData\Local\lsxtjf.exe

Filesize
42KB

MD5
dbb0e7c66a805bec118906036cfa07a6

SHA1
c6df50038befce6e2ed5d9c57bff0273f7611b29

SHA256
a94d73f52ead05b24eb47aa6ce47b725d502f95ff1f341b0d99fa8b2e219ac17

SHA512
8698dfd5e919dbb4e30c8ecd0d1d013c958c132cded37c82057d702209305d308e700798651ff9528b6058b7e1f4434b4dd2fd0d498d99735bdf16a684e5c52b

Download Submit
\Users\Admin\AppData\Local\lsxtjf.exe

Filesize
225KB

MD5
c4d9d92d02453ba90ce7cb7dd36129c6

SHA1
bf19f1a04314688314fa2b53df67bf02b6e62750

SHA256
529b1e59756b3db5e47e11801940a85a90ecb84771f480fc08a0979ed3a942ce

SHA512
84e979427fb9202249c3db7d87482639827c03da78b595801a6b3f9aa3d41f437babcae604c3b55b99c8175649ec6cc3ebc88db4b72f3bd3386e73999be8f7ff

Download Submit
\Users\Admin\AppData\Local\lsxtjf.exe

Filesize
64KB

MD5
f0ae26465d6a042f4bfd3ed3c49f272e

SHA1
db3e90105036fa68d18ad3dd6b70c46169eb2812

SHA256
c614e73d0747df184ad7122759b784017d9c49a90f260f67f4ceaa1cdc4549e5

SHA512
828af7c3e98b18508f8ea2f82efe7f68b15388a1e1fa1aa08bf99715abe02e7e7769eee917a3071fb58ec330745cf4ad0f44d6f707a2455ee50e4c90a129dccc

Download Submit
memory/2244-9-0x0000000001000000-0x00000000010D0000-memory.dmp

Filesize
832KB

Download
memory/2244-19-0x0000000001000000-0x00000000010D0000-memory.dmp

Filesize
832KB

Download
memory/2244-22-0x0000000001000000-0x00000000010D0000-memory.dmp

Filesize
832KB

Download
memory/2244-21-0x0000000001000000-0x00000000010D0000-memory.dmp

Filesize
832KB

Download
memory/2244-20-0x0000000001000000-0x00000000010D0000-memory.dmp

Filesize
832KB

Download
memory/2244-11-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2244-14-0x0000000001000000-0x00000000010D0000-memory.dmp

Filesize
832KB

Download
memory/2244-15-0x0000000001000000-0x00000000010D0000-memory.dmp

Filesize
832KB

Download
memory/2244-16-0x0000000001000000-0x00000000010D0000-memory.dmp

Filesize
832KB

Download
memory/2244-18-0x0000000001000000-0x00000000010D0000-memory.dmp

Filesize
832KB

Download
memory/2964-4-0x0000000001000000-0x00000000010D0000-memory.dmp

Filesize
832KB

Download
memory/2964-0-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/2964-1-0x0000000001000000-0x00000000010D0000-memory.dmp

Filesize
832KB

Download
memory/2964-2-0x0000000000420000-0x0000000000422000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing