59e1c372719bb13c713c58520e22110015b17a212ca2740cb795d7b90c799b86

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/04/2024, 16:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

59e1c372719bb13c713c58520e22110015b17a212ca2740cb795d7b90c799b86.exe
Size

460KB
MD5

53b436a8740958314a8a4f1205c1464d
SHA1

2c50c162e2c591732e7e0b2def08c64e7007dc50
SHA256

59e1c372719bb13c713c58520e22110015b17a212ca2740cb795d7b90c799b86
SHA512

7eee8cb1c8826ae900ab5af26b67fdf84df73a2c0019e3fa3060983cbd7ed36e029f48215e220e112d05f4e7c61ecacfc4dc191b256378fddb0ddb44c60d57ca
SSDEEP

6144:EBapC9DUIYmO5Kv5Q7X/l/rYvkW1VxxfnzrV9UAH0ctkPfc92F8+yLpIh9jhl:zpQD+mO5KWy/zrVbt4fcY7y9U9jv

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2364	LSASS.exe
2004	LSASS.exe

Loads dropped DLL 2 IoCs

pid	Process
2364	LSASS.exe
2364	LSASS.exe

Adds Run key to start application 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	LSASS.exe
File opened (read-only)	\??\G:	LSASS.exe
File opened (read-only)	\??\J:	LSASS.exe
File opened (read-only)	\??\K:	LSASS.exe
File opened (read-only)	\??\L:	LSASS.exe
File opened (read-only)	\??\U:	LSASS.exe
File opened (read-only)	\??\W:	LSASS.exe
File opened (read-only)	\??\X:	LSASS.exe
File opened (read-only)	\??\V:	LSASS.exe
File opened (read-only)	\??\Y:	LSASS.exe
File opened (read-only)	\??\M:	LSASS.exe
File opened (read-only)	\??\O:	LSASS.exe
File opened (read-only)	\??\R:	LSASS.exe
File opened (read-only)	\??\T:	LSASS.exe
File opened (read-only)	\??\Q:	LSASS.exe
File opened (read-only)	\??\S:	LSASS.exe
File opened (read-only)	\??\Z:	LSASS.exe
File opened (read-only)	\??\H:	LSASS.exe
File opened (read-only)	\??\I:	LSASS.exe
File opened (read-only)	\??\N:	LSASS.exe
File opened (read-only)	\??\P:	LSASS.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	LSASS.exe
File opened for modification	C:\autorun.inf	LSASS.exe
File created	F:\autorun.inf	LSASS.exe
File opened for modification	F:\autorun.inf	LSASS.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\LSASS.exe	59e1c372719bb13c713c58520e22110015b17a212ca2740cb795d7b90c799b86.exe
File opened for modification	C:\Windows\LSASS.exe	59e1c372719bb13c713c58520e22110015b17a212ca2740cb795d7b90c799b86.exe
File opened for modification	C:\Windows\LSASS.exe	LSASS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2228	59e1c372719bb13c713c58520e22110015b17a212ca2740cb795d7b90c799b86.exe
2228	59e1c372719bb13c713c58520e22110015b17a212ca2740cb795d7b90c799b86.exe
2228	59e1c372719bb13c713c58520e22110015b17a212ca2740cb795d7b90c799b86.exe
2228	59e1c372719bb13c713c58520e22110015b17a212ca2740cb795d7b90c799b86.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2004	LSASS.exe
2004	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe
2364	LSASS.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2364	2228	59e1c372719bb13c713c58520e22110015b17a212ca2740cb795d7b90c799b86.exe	30
PID 2228 wrote to memory of 2364	2228	59e1c372719bb13c713c58520e22110015b17a212ca2740cb795d7b90c799b86.exe	30
PID 2228 wrote to memory of 2364	2228	59e1c372719bb13c713c58520e22110015b17a212ca2740cb795d7b90c799b86.exe	30
PID 2228 wrote to memory of 2364	2228	59e1c372719bb13c713c58520e22110015b17a212ca2740cb795d7b90c799b86.exe	30
PID 2364 wrote to memory of 2244	2364	LSASS.exe	31
PID 2364 wrote to memory of 2244	2364	LSASS.exe	31
PID 2364 wrote to memory of 2244	2364	LSASS.exe	31
PID 2364 wrote to memory of 2244	2364	LSASS.exe	31
PID 2364 wrote to memory of 1236	2364	LSASS.exe	32
PID 2364 wrote to memory of 1236	2364	LSASS.exe	32
PID 2364 wrote to memory of 1236	2364	LSASS.exe	32
PID 2364 wrote to memory of 1236	2364	LSASS.exe	32
PID 2364 wrote to memory of 2004	2364	LSASS.exe	35
PID 2364 wrote to memory of 2004	2364	LSASS.exe	35
PID 2364 wrote to memory of 2004	2364	LSASS.exe	35
PID 2364 wrote to memory of 2004	2364	LSASS.exe	35
PID 2364 wrote to memory of 1388	2364	LSASS.exe	36
PID 2364 wrote to memory of 1388	2364	LSASS.exe	36
PID 2364 wrote to memory of 1388	2364	LSASS.exe	36
PID 2364 wrote to memory of 1388	2364	LSASS.exe	36
PID 2364 wrote to memory of 516	2364	LSASS.exe	37
PID 2364 wrote to memory of 516	2364	LSASS.exe	37
PID 2364 wrote to memory of 516	2364	LSASS.exe	37
PID 2364 wrote to memory of 516	2364	LSASS.exe	37
PID 2364 wrote to memory of 956	2364	LSASS.exe	40
PID 2364 wrote to memory of 956	2364	LSASS.exe	40
PID 2364 wrote to memory of 956	2364	LSASS.exe	40
PID 2364 wrote to memory of 956	2364	LSASS.exe	40
PID 2364 wrote to memory of 1772	2364	LSASS.exe	41
PID 2364 wrote to memory of 1772	2364	LSASS.exe	41
PID 2364 wrote to memory of 1772	2364	LSASS.exe	41
PID 2364 wrote to memory of 1772	2364	LSASS.exe	41
PID 2364 wrote to memory of 1136	2364	LSASS.exe	44
PID 2364 wrote to memory of 1136	2364	LSASS.exe	44
PID 2364 wrote to memory of 1136	2364	LSASS.exe	44
PID 2364 wrote to memory of 1136	2364	LSASS.exe	44
PID 2364 wrote to memory of 1332	2364	LSASS.exe	45
PID 2364 wrote to memory of 1332	2364	LSASS.exe	45
PID 2364 wrote to memory of 1332	2364	LSASS.exe	45
PID 2364 wrote to memory of 1332	2364	LSASS.exe	45
PID 2364 wrote to memory of 2848	2364	LSASS.exe	48
PID 2364 wrote to memory of 2848	2364	LSASS.exe	48
PID 2364 wrote to memory of 2848	2364	LSASS.exe	48
PID 2364 wrote to memory of 2848	2364	LSASS.exe	48
PID 2364 wrote to memory of 2836	2364	LSASS.exe	49
PID 2364 wrote to memory of 2836	2364	LSASS.exe	49
PID 2364 wrote to memory of 2836	2364	LSASS.exe	49
PID 2364 wrote to memory of 2836	2364	LSASS.exe	49
PID 2364 wrote to memory of 2620	2364	LSASS.exe	52
PID 2364 wrote to memory of 2620	2364	LSASS.exe	52
PID 2364 wrote to memory of 2620	2364	LSASS.exe	52
PID 2364 wrote to memory of 2620	2364	LSASS.exe	52
PID 2364 wrote to memory of 1944	2364	LSASS.exe	53
PID 2364 wrote to memory of 1944	2364	LSASS.exe	53
PID 2364 wrote to memory of 1944	2364	LSASS.exe	53
PID 2364 wrote to memory of 1944	2364	LSASS.exe	53
PID 2364 wrote to memory of 2936	2364	LSASS.exe	56
PID 2364 wrote to memory of 2936	2364	LSASS.exe	56
PID 2364 wrote to memory of 2936	2364	LSASS.exe	56
PID 2364 wrote to memory of 2936	2364	LSASS.exe	56
PID 2364 wrote to memory of 2928	2364	LSASS.exe	57
PID 2364 wrote to memory of 2928	2364	LSASS.exe	57
PID 2364 wrote to memory of 2928	2364	LSASS.exe	57
PID 2364 wrote to memory of 2928	2364	LSASS.exe	57

C:\Users\Admin\AppData\Local\Temp\59e1c372719bb13c713c58520e22110015b17a212ca2740cb795d7b90c799b86.exe
"C:\Users\Admin\AppData\Local\Temp\59e1c372719bb13c713c58520e22110015b17a212ca2740cb795d7b90c799b86.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\LSASS.exe
  "C:\Windows\LSASS.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2244
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1236
- - C:\Users\Admin\LSASS.exe
    "C:\Users\Admin\LSASS.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2004
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1388
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:516
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:956
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1772
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1136
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1332
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2848
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2836
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2620
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1944
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2936
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2928
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1644
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3060
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:916
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:964
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2804
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1528
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:848
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2072
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2120
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2112
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2080
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2076
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1988
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1204
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2564
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1972
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1436
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:576
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1628
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:548
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1844
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:656
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2460
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2480
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2632
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2560
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2684
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2852
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2940
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2944
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3004
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1812
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1404
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:980
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2492
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2588
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1056
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2088
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:692
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2052
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2316
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2184
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:988
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\LSASS.exe

Filesize
460KB

MD5
0a61422c810da8af87e06d51164c1384

SHA1
7df41088d444b699b115daa550b414987d7cc5d7

SHA256
4cefad962ecef68022c5bce927ce156bb6fae901d504eb187f11d0382b0d4717

SHA512
bb8a41ceb360dd2961c5990adef39eedaed0b2d41b640f1f06ee5fa974955f2ab1cd206e76b50f2f2516ec2ee44ac87492befd947bc2b7ea993e5fa97580dd48

Download Submit
C:\autorun.inf

Filesize
190B

MD5
b1445c7f646c6ca9a7597791af38d575

SHA1
91efaf63fa1f7a51ee2f9b1c3b0f8932f15439ce

SHA256
220517d50470c86d94020cebcd03af286898e65338f468dc5f860dc04af2c88e

SHA512
533349278b6d186f0f3947681e90dcc7f617e146736798e6fc23e79d61610f1f7b2e4b4241b296884622fbd6b1cf73dc694a852e05bf4235da8ed40b70c5683f

Download Submit
\Users\Admin\LSASS.exe

Filesize
460KB

MD5
703ae8c00491a77bfc152a1ee755c00e

SHA1
7a3acc56491c5de4b288be761a0219b3cf825319

SHA256
482cbd3b51514fc11dc731a04d7d3a6faa1e642ee2c86dcc3f8af4781cfab932

SHA512
a498abfc76bd47571a6f4893f78d11cb6fa8d307d2bc33c91f452037e980400bccfdecc9d6dfa03c300b6883f0005b6366e49c2ed17d139254146ba3c5a4c5b8

Download Submit
memory/2004-22-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2004-23-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2228-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2228-10-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2364-60-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2364-129-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2364-43-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2364-9-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2364-77-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2364-94-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2364-112-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2364-24-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2364-146-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2364-163-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2364-180-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2364-197-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2364-214-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2364-231-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2364-248-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download