Malware Analysis Report

2025-01-17 22:49

Sample ID 240603-qtqz5sgb3y
Target b0a92fee716e4afce790db933453cfacc10445c6cf37329f62741d902ffdbee5
SHA256 b0a92fee716e4afce790db933453cfacc10445c6cf37329f62741d902ffdbee5
Tags
score
7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256: b0a92fee716e4afce790db933453cfacc10445c6cf37329f62741d902ffdbee5

Threat Level: Shows suspicious behavior

The file b0a92fee716e4afce790db933453cfacc10445c6cf37329f62741d902ffdbee5 was classified as showing suspicious behavior rather than as confirmed malicious. Across the static pass and two detonations (Windows 7 and Windows 10) the sample, an unsigned AutoIT-compiled PE, drops a second executable, LSPF.exe, into the same Temp directory and runs it; LSPF.exe then opens the root of drive letters a: through z: (c: excepted) plus D:, E: and F:, a sweep of all letters rather than access to one specific volume. The Windows 7 run produced no network traffic; the Windows 10 run produced only reverse-DNS (PTR) queries to 8.8.8.8, which the report does not tie to either process.

Malicious Activity Summary

Loads dropped DLL
Executes dropped EXE
Enumerates connected drives
AutoIT Executable
Unsigned PE
Enumerates physical storage devices
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses

Of these, only "Executes dropped EXE", "Enumerates connected drives", "AutoIT Executable", "Unsigned PE", "Enumerates physical storage devices" and "Suspicious behavior: EnumeratesProcesses" appear again in the per-analysis signature tables below. The page shows no indicator rows for "Loads dropped DLL" or for the SendNotifyMessage, WriteProcessMemory and FindShellTrayWindow signatures, so those four cannot be verified from this report alone and need the raw detonation logs.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-03 13:33

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-03 13:33
Reported: 2024-06-03 13:36
Platform: win7-20240419-en
Max time kernel: 118s
Max time network: 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b0a92fee716e4afce790db933453cfacc10445c6cf37329f62741d902ffdbee5.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LSPF.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\a: through \??\z: excluding \??\c: (25 lowercase roots) C:\Users\Admin\AppData\Local\Temp\LSPF.exe N/A
File opened (read-only) \??\D:, \??\E:, \??\F: C:\Users\Admin\AppData\Local\Temp\LSPF.exe N/A

(28 open events in total, all by LSPF.exe; the sandbox lists them in no particular order.)

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0a92fee716e4afce790db933453cfacc10445c6cf37329f62741d902ffdbee5.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b0a92fee716e4afce790db933453cfacc10445c6cf37329f62741d902ffdbee5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b0a92fee716e4afce790db933453cfacc10445c6cf37329f62741d902ffdbee5.exe"
  C:\Users\Admin\AppData\Local\Temp\LSPF.exe (dropped executable, see Files)
    command line: C:\Users\Admin\AppData\Local\Temp\LSPF.exe

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\LSPF.exe

MD5 ec5303f9d93530e3662f94a3b9fd645c
SHA1 129cdfcadb94e34a9751758bf7213e39e42bbf3b
SHA256 897925d9738316cfb49acc60bfa3daed1b5775984ced61205a2543657765d49b
SHA512 bdc9eb63d3da4209e2a32f8e9623b5ec8092efdd3ccfa5547a1c35c7e8c1e21e0624afe0496a8a35a6f2b464747273bcba44f3ab236d1800384adeee0a7a8a6f

Memory dumps (memory/<pid>-<seq>-<start>-<end>-memory.dmp), listed by sequence number:

memory/2256-8-0x0000000002B10000-0x0000000002C39000-memory.dmp
memory/2028-11-0x0000000000270000-0x0000000000271000-memory.dmp
memory/2028-12-0x0000000000290000-0x0000000000291000-memory.dmp
memory/2028-13-0x0000000000280000-0x0000000000281000-memory.dmp
memory/2028-14-0x00000000002A0000-0x00000000002A1000-memory.dmp
memory/2028-15-0x00000000003B0000-0x00000000003B1000-memory.dmp
memory/2028-16-0x00000000003C0000-0x00000000003C1000-memory.dmp
memory/2028-17-0x00000000003D0000-0x00000000003D1000-memory.dmp
memory/2028-18-0x00000000003E0000-0x00000000003E1000-memory.dmp
memory/2028-19-0x00000000003F0000-0x00000000003F1000-memory.dmp
memory/2028-20-0x0000000000AC0000-0x0000000000AC1000-memory.dmp
memory/2028-21-0x0000000000AD0000-0x0000000000AD1000-memory.dmp
memory/2028-22-0x0000000000AE0000-0x0000000000AE1000-memory.dmp
memory/2028-23-0x0000000000AF0000-0x0000000000AF1000-memory.dmp
memory/2028-24-0x0000000000B00000-0x0000000000B01000-memory.dmp
memory/2028-25-0x0000000000B10000-0x0000000000B12000-memory.dmp
memory/2028-27-0x0000000000400000-0x0000000000529000-memory.dmp

The only dump from PID 2256 (sequence 8) spans 0x129000 bytes, the same size as the 0x400000-0x529000 region (the default image base of a 32-bit PE) dumped from PID 2028 at sequence 27. Every other PID 2028 dump is a single 0x1000-byte page except sequence 25 (0x2000 bytes). The report does not state which PID belongs to which process; compare both 0x129000-byte dumps against LSPF.exe (hashes above) before concluding that the first process held the payload in memory before writing it.

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-03 13:33
Reported: 2024-06-03 13:36
Platform: win10v2004-20240426-en
Max time kernel: 93s
Max time network: 96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b0a92fee716e4afce790db933453cfacc10445c6cf37329f62741d902ffdbee5.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LSPF.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\a: through \??\z: excluding \??\c: (25 lowercase roots) C:\Users\Admin\AppData\Local\Temp\LSPF.exe N/A
File opened (read-only) \??\D:, \??\E:, \??\F: C:\Users\Admin\AppData\Local\Temp\LSPF.exe N/A

(28 open events in total, the same set of roots as in behavioral1, all by LSPF.exe.)
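The "Enumerates connected drives" tables in behavioral1 and behavioral2 both record LSPF.exe opening the root of every drive letter. The following is an added example, not code from this report or from the sandbox, that turns that pattern into a detection over file-open telemetry. The FileOpen record, the thresholds (8 distinct roots within 5 seconds) and SAMPLE_EVENTS are constructed for this example; the path strings replay the 28 roots from the behavioral1 table, plus an assumed benign explorer.exe for contrast.

```python
"""Drive-letter enumeration detector over file-open events.

Added example, not code from the report or the sandbox: flags a process that
opens many distinct \\??\\X: drive roots in a short window, the pattern behind
the "Enumerates connected drives" rows. Event format, thresholds and
SAMPLE_EVENTS are assumptions/constructed for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# NT object-manager path of a drive root as the report shows it: \??\e: or \??\E:
DRIVE_ROOT = re.compile(r"^\\\?\?\\([A-Za-z]):$")


@dataclass(frozen=True)
class FileOpen:
    ts: float     # seconds since detonation start (constructed field)
    pid: int
    image: str
    path: str


def drive_enumeration(events, min_roots=8, window_s=5.0):
    """Map pid -> (image, sorted drive letters) for every process that opened
    at least min_roots distinct drive roots within any window_s-second span.
    Letters are folded to upper case so \\??\\d: and \\??\\D: count once."""
    opens = defaultdict(list)
    for ev in events:
        m = DRIVE_ROOT.match(ev.path)
        if m:
            opens[ev.pid].append((ev.ts, m.group(1).upper(), ev.image))

    hits = {}
    for pid, rows in opens.items():
        rows.sort()
        lo = 0
        for hi in range(len(rows)):
            while rows[hi][0] - rows[lo][0] > window_s:   # slide window from the left
                lo += 1
            if len({letter for _, letter, _ in rows[lo:hi + 1]}) >= min_roots:
                hits[pid] = (rows[hi][2], sorted({letter for _, letter, _ in rows}))
                break
    return hits


# Constructed sample: the 28 roots LSPF.exe opened in behavioral1, replayed
# 10 ms apart under an assumed PID, plus two benign opens by an assumed explorer.exe.
_REPORT_LETTERS = "a i l E b u d F j m p z D e t v y h k o q r g f n s w x".split()
_LSPF = r"C:\Users\Admin\AppData\Local\Temp\LSPF.exe"
SAMPLE_EVENTS = [
    FileOpen(1.0 + 0.01 * i, 2028, _LSPF, "\\??\\" + c + ":")
    for i, c in enumerate(_REPORT_LETTERS)
] + [
    FileOpen(2.0, 1234, r"C:\Windows\explorer.exe", "\\??\\C:"),
    FileOpen(40.0, 1234, r"C:\Windows\explorer.exe", "\\??\\D:"),
    FileOpen(2.5, 2028, _LSPF, r"C:\Users\Admin\Desktop"),   # not a drive root
]

if __name__ == "__main__":
    for pid, (image, letters) in drive_enumeration(SAMPLE_EVENTS).items():
        print(f"pid {pid} {image}: {len(letters)} drive roots {''.join(letters)}")
```

Folding letters to upper case matters because the report shows both \??\d: and \??\D:; without it one volume would be counted twice. Tune min_roots against your own baseline, since backup agents and disk-management tools legitimately sweep drive letters, and weigh a hit together with context such as the parent process and the drop location (here an executable written to and run from the user's Temp directory).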

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b0a92fee716e4afce790db933453cfacc10445c6cf37329f62741d902ffdbee5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b0a92fee716e4afce790db933453cfacc10445c6cf37329f62741d902ffdbee5.exe"
  C:\Users\Admin\AppData\Local\Temp\LSPF.exe (dropped executable, see Files)
    command line: C:\Users\Admin\AppData\Local\Temp\LSPF.exe

Network

All eleven entries are reverse-DNS (PTR) queries sent to the Google resolver 8.8.8.8 over UDP/53; the "Domain" column is the queried in-addr.arpa name, and the last column gives the address that name reverses to. No forward lookups, TCP connections or non-DNS traffic were recorded, and the report does not attribute these queries to a process, so on this page alone they cannot be separated from Windows 10 background activity.

Country Destination Domain Proto Address reversed
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp 8.8.8.8
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp 20.49.150.241
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp 199.232.210.172
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp 20.190.160.20
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp 192.229.221.95
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp 13.71.55.58
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp 20.12.23.50
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp 20.242.39.171
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp 2.17.107.203
US 8.8.8.8:53 216.107.17.2.in-addr.arpa udp 2.17.107.216
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp 52.111.243.30

Files

C:\Users\Admin\AppData\Local\Temp\LSPF.exe

MD5 ec5303f9d93530e3662f94a3b9fd645c
SHA1 129cdfcadb94e34a9751758bf7213e39e42bbf3b
SHA256 897925d9738316cfb49acc60bfa3daed1b5775984ced61205a2543657765d49b
SHA512 bdc9eb63d3da4209e2a32f8e9623b5ec8092efdd3ccfa5547a1c35c7e8c1e21e0624afe0496a8a35a6f2b464747273bcba44f3ab236d1800384adeee0a7a8a6f

The hashes are identical to those of the file dropped in behavioral1, so the dropped payload does not vary between runs or platforms.

Memory dumps (memory/<pid>-<seq>-<start>-<end>-memory.dmp), listed by sequence number:

memory/2688-7-0x0000000000400000-0x0000000000529000-memory.dmp
memory/2688-9-0x0000000000AA0000-0x0000000000AA1000-memory.dmp
memory/2688-10-0x0000000001850000-0x0000000001851000-memory.dmp
memory/2688-11-0x0000000001840000-0x0000000001841000-memory.dmp
memory/2688-12-0x0000000002F70000-0x0000000002F72000-memory.dmp
memory/2688-13-0x0000000002F80000-0x0000000002F81000-memory.dmp
memory/2688-14-0x0000000002F90000-0x0000000002F91000-memory.dmp
memory/2688-15-0x0000000002FA0000-0x0000000002FA1000-memory.dmp
memory/2688-16-0x0000000002FB0000-0x0000000002FB1000-memory.dmp
memory/2688-17-0x0000000002FC0000-0x0000000002FC1000-memory.dmp
memory/2688-18-0x0000000003320000-0x0000000003321000-memory.dmp
memory/2688-19-0x0000000003330000-0x0000000003331000-memory.dmp
memory/2688-20-0x0000000003340000-0x0000000003341000-memory.dmp
memory/2688-21-0x0000000003350000-0x0000000003351000-memory.dmp
memory/2688-22-0x0000000003360000-0x0000000003361000-memory.dmp
memory/2688-23-0x0000000003370000-0x0000000003371000-memory.dmp
memory/2688-25-0x0000000000400000-0x0000000000529000-memory.dmp

All seventeen dumps come from PID 2688; no second PID is listed for this run. Sequences 7 and 25 both cover 0x400000-0x529000 (0x129000 bytes), i.e. the same region captured twice at different points in the run, which is the pair to diff for in-place unpacking or self-modification. Sequence 12 is 0x2000 bytes and every other dump is a single 0x1000-byte page.
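Both Files sections (behavioral1 and behavioral2) list memory dumps whose names encode the dumped process and region. The following is an added example, not code from this report or from the sandbox, that parses those names and performs the two correlations worth doing on this page: finding a region in one process that is the same size as a region in another, and finding ranges re-dumped within one process. The layout memory/<pid>-<seq>-<start>-<end>-memory.dmp is an assumption read off the listing; the two region lists are transcribed from this report's behavioral1 and behavioral2 runs.

```python
"""Parse sandbox memory-dump names and correlate the dumped regions.

Added example, not code from the report or from the sandbox. It reads the
dump names listed under Files as memory/<pid>-<seq>-<start>-<end>-memory.dmp
(pid of the dumped process, dump sequence number, hex region bounds); that
layout is an assumption taken from the names in the report. The two region
lists are transcribed from the behavioral1 and behavioral2 runs.
"""
import re
from collections import defaultdict

DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump(name):
    """Split one dump name into pid, seq, start, end and size in bytes."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"unexpected dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted region in {name!r}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def regions_by_pid(names):
    """{pid: [region, ...]} with each process's regions in dump order."""
    by_pid = defaultdict(list)
    for name in names:
        r = parse_dump(name)
        by_pid[r["pid"]].append(r)
    for regions in by_pid.values():
        regions.sort(key=lambda r: r["seq"])
    return dict(by_pid)


def image_sized_regions(names, min_size=0x10000):
    """(pid_a, region_a, pid_b, region_b) for equally sized regions of at
    least min_size dumped from two different processes. A region in the
    dropper that is exactly the size of the child's mapped image is the one
    to carve and diff against the dropped file on disk."""
    by_pid = regions_by_pid(names)
    pids = sorted(by_pid)
    return [(pa, ra, pb, rb)
            for i, pa in enumerate(pids) for pb in pids[i + 1:]
            for ra in by_pid[pa] for rb in by_pid[pb]
            if ra["size"] == rb["size"] and ra["size"] >= min_size]


def duplicate_ranges(names):
    """{(pid, start, end): [seq, ...]} for a range dumped more than once from
    the same process, i.e. snapshots of one region at different times."""
    seen = defaultdict(list)
    for r in map(parse_dump, names):
        seen[(r["pid"], r["start"], r["end"])].append(r["seq"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def _names(rows):
    # Rebuild the report's naming convention from (pid, seq, start, end) tuples.
    return [f"memory/{p}-{s}-0x{a:016X}-0x{b:016X}-memory.dmp" for p, s, a, b in rows]


# (pid, seq, start, end) transcribed from the Files sections of this report
BEHAVIORAL1_DUMPS = _names([
    (2256, 8, 0x2B10000, 0x2C39000),
    (2028, 11, 0x270000, 0x271000), (2028, 12, 0x290000, 0x291000),
    (2028, 13, 0x280000, 0x281000), (2028, 14, 0x2A0000, 0x2A1000),
    (2028, 15, 0x3B0000, 0x3B1000), (2028, 16, 0x3C0000, 0x3C1000),
    (2028, 17, 0x3D0000, 0x3D1000), (2028, 18, 0x3E0000, 0x3E1000),
    (2028, 19, 0x3F0000, 0x3F1000), (2028, 20, 0xAC0000, 0xAC1000),
    (2028, 21, 0xAD0000, 0xAD1000), (2028, 22, 0xAE0000, 0xAE1000),
    (2028, 23, 0xAF0000, 0xAF1000), (2028, 24, 0xB00000, 0xB01000),
    (2028, 25, 0xB10000, 0xB12000), (2028, 27, 0x400000, 0x529000),
])
BEHAVIORAL2_DUMPS = _names([
    (2688, 7, 0x400000, 0x529000), (2688, 9, 0xAA0000, 0xAA1000),
    (2688, 10, 0x1850000, 0x1851000), (2688, 11, 0x1840000, 0x1841000),
    (2688, 12, 0x2F70000, 0x2F72000), (2688, 13, 0x2F80000, 0x2F81000),
    (2688, 14, 0x2F90000, 0x2F91000), (2688, 15, 0x2FA0000, 0x2FA1000),
    (2688, 16, 0x2FB0000, 0x2FB1000), (2688, 17, 0x2FC0000, 0x2FC1000),
    (2688, 18, 0x3320000, 0x3321000), (2688, 19, 0x3330000, 0x3331000),
    (2688, 20, 0x3340000, 0x3341000), (2688, 21, 0x3350000, 0x3351000),
    (2688, 22, 0x3360000, 0x3361000), (2688, 23, 0x3370000, 0x3371000),
    (2688, 25, 0x400000, 0x529000),
])

if __name__ == "__main__":
    for pa, ra, pb, rb in image_sized_regions(BEHAVIORAL1_DUMPS):
        print(f"pid {pa} {ra['start']:#x}-{ra['end']:#x} is the same size "
              f"({ra['size']:#x}) as pid {pb} {rb['start']:#x}-{rb['end']:#x}")
    print("re-dumped ranges in behavioral2:", duplicate_ranges(BEHAVIORAL2_DUMPS))
```

On the behavioral1 list the size match pairs PID 2028's 0x400000-0x529000 dump with PID 2256's 0x2B10000-0x2C39000 dump; on the behavioral2 list there is no second PID to compare against, but sequences 7 and 25 come back as the same range dumped twice. Either way the next step is to pull those dumps from the sandbox and compare them byte-for-byte with LSPF.exe, which the report's hashes allow but its page alone does not settle.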