49e0b3dd4c0b710ad0574352db2b2c46610bec86a02d9abc3f981d583f3acadf | Triage

Resubmissions

02-06-2024 09:49

240602-ltmv9sad69 3

02-06-2024 09:48

240602-lstx7ahe9v 3

Analysis

max time kernel
91s
max time network
124s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
02-06-2024 09:49

Sharing

Report Analysis Logs

General

Target

processlasso_portable_64/_Start-ProcessLasso.bat
Size

119B
MD5

185077d189c98fb446268f11ddd67c80
SHA1

f909667122b3669971b42200673eeea9acc6abae
SHA256

01f21e44dad0a50f44e619c8856596cf09af674a0505012f9ed7f74128b01287
SHA512

18b894d91ede89f554ed6ad521252f44e7dbcbd4db24c7b717e5361f802b43bd5925b7cf1dcd36533da75f8c43b04afc6ac848dae5226e702e8a2e2e51c87904

Score

1^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

ProcessGovernor.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	3640	ProcessGovernor.exe
Token: SeDebugPrivilege	3640	ProcessGovernor.exe
Token: SeChangeNotifyPrivilege	3640	ProcessGovernor.exe
Token: SeIncBasePriorityPrivilege	3640	ProcessGovernor.exe
Token: SeIncreaseQuotaPrivilege	3640	ProcessGovernor.exe
Token: SeProfSingleProcessPrivilege	3640	ProcessGovernor.exe
Token: SeCreateGlobalPrivilege	3640	ProcessGovernor.exe
Token: SeBackupPrivilege	3640	ProcessGovernor.exe
Token: SeRestorePrivilege	3640	ProcessGovernor.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1308 wrote to memory of 3640	1308	cmd.exe	ProcessGovernor.exe
PID 1308 wrote to memory of 3640	1308	cmd.exe	ProcessGovernor.exe
PID 1308 wrote to memory of 3204	1308	cmd.exe	ProcessLasso.exe
PID 1308 wrote to memory of 3204	1308	cmd.exe	ProcessLasso.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\processlasso_portable_64\_Start-ProcessLasso.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1308

C:\Users\Admin\AppData\Local\Temp\processlasso_portable_64\ProcessGovernor.exe
ProcessGovernor.exe "/logfolder=." "/configfolder=."
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Users\Admin\AppData\Local\Temp\processlasso_portable_64\ProcessLasso.exe
ProcessLasso.exe "/logfolder=." "/configfolder=."
2⤵
PID:3204

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads