579b7b00510619a113523c881918fc0df8d133002481a2f039f3fdaa12daa99f

General

Target

579b7b00510619a113523c881918fc0df8d133002481a2f039f3fdaa12daa99f.exe
Size

2.5MB
MD5

9c4c4026d1c0a81313c857a4ab173fd7
SHA1

986ecf56d52929166ddd6e1e5413d37f8cde17c5
SHA256

579b7b00510619a113523c881918fc0df8d133002481a2f039f3fdaa12daa99f
SHA512

9699c9576693f2d2dc5e8a4a635d0558840eb8dfb2781e06a4d3c74e2eab3afb8ac7a15ac9380b3f9b4281cd717b81b3107453a2866cc18dfd74bf30da4564fa
SSDEEP

49152:L57O+7kuk5S+4EIwDuobPXpgVhYE8awyugeC5V9gJxNF8Vy:LZOAkukAbEhTbPpg7Yp0omfgvNFG

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	579b7b00510619a113523c881918fc0df8d133002481a2f039f3fdaa12daa99f.exe

Executes dropped EXE 3 IoCs

pid	Process
4940	PostUpdate.exe
3664	bitsumsessionagent.exe
3456	processlasso.exe

Loads dropped DLL 3 IoCs

pid	Process
4940	PostUpdate.exe
4940	PostUpdate.exe
3456	processlasso.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PostUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PostUpdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	processlasso.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	processlasso.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3664	bitsumsessionagent.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	3456	processlasso.exe
Token: SeDebugPrivilege	3456	processlasso.exe
Token: SeChangeNotifyPrivilege	3456	processlasso.exe
Token: SeIncBasePriorityPrivilege	3456	processlasso.exe
Token: SeIncreaseQuotaPrivilege	3456	processlasso.exe
Token: SeCreateGlobalPrivilege	3456	processlasso.exe
Token: SeProfSingleProcessPrivilege	3456	processlasso.exe
Token: SeBackupPrivilege	3456	processlasso.exe
Token: SeRestorePrivilege	3456	processlasso.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 4940	1620	579b7b00510619a113523c881918fc0df8d133002481a2f039f3fdaa12daa99f.exe	84
PID 1620 wrote to memory of 4940	1620	579b7b00510619a113523c881918fc0df8d133002481a2f039f3fdaa12daa99f.exe	84
PID 1620 wrote to memory of 4940	1620	579b7b00510619a113523c881918fc0df8d133002481a2f039f3fdaa12daa99f.exe	84
PID 4940 wrote to memory of 3456	4940	PostUpdate.exe	87
PID 4940 wrote to memory of 3456	4940	PostUpdate.exe	87
PID 4940 wrote to memory of 3456	4940	PostUpdate.exe	87

C:\Users\Admin\AppData\Local\Temp\579b7b00510619a113523c881918fc0df8d133002481a2f039f3fdaa12daa99f.exe
"C:\Users\Admin\AppData\Local\Temp\579b7b00510619a113523c881918fc0df8d133002481a2f039f3fdaa12daa99f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Users\Admin\AppData\Local\Temp\processlasso.exe
    /postupdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:3456

C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe
C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe ----------------------------------------------------------------
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:3664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe

Filesize
623KB

MD5
86d1ae26a030b81a16cf49608ee39462

SHA1
d9e141dbe50e4449a2aa533789993a1e194bd0c5

SHA256
5cf07f89c3cc1bacfe43330fa1c3426a5c4088e088ddf9cf49ee9adf076da51d

SHA512
adbe5212e7af5c27a007235821189020c5e772bb440a03bbbc211b17457f2b2eacc77413bab8e155cc662201bd6da494771c5a807bc9279738e207b84b23f082

Download Submit
C:\Users\Admin\AppData\Local\Temp\ProcessLasso.exe

Filesize
1.5MB

MD5
845ec660358a0697c62b2fba3cb76b46

SHA1
816a347b5a4dfd7ef538ad14829dc16d334803cf

SHA256
402660d5100642ad4e21eabe4a94f80e6b148baf0e2afbd239119890c7419053

SHA512
308879c88a9fba32c8f0e916717ac3fced418ba7cd968be685892dcd08752fa319c5286af9e25f13d2ee3d155708e09f655862553806a827c8051e7328b2e238

Download Submit
C:\Users\Admin\AppData\Local\Temp\QuickUpgrade.exe.Replacement

Filesize
430KB

MD5
8872b16bd6355792aa9baf3054382800

SHA1
959b4d1c84b3f60b2744629bb578cb6380390014

SHA256
ff31808cd7e4a71a51a850851072a8b9b94239e7fd102baa03f283592313b768

SHA512
51bb288454ec9164f1e273d0901e69312714b05d03f6ec4e904cefe76b84c17f8df1df891859c0ced218681be07a0d607484b198c11787ffd7746cd0afa02369

Download Submit
C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe

Filesize
142KB

MD5
99c7bcf13df67040d06fafa13ac8959a

SHA1
437a04fba5c2bee4dcbda04428121b98788d9592

SHA256
b2d2c05397f7bfaa9794f78e2d3b8a9151eb47bca953fd20cf3f987cf1eef6a1

SHA512
963b094320287a4e243496987ce0048f41f5394686743384e2421bb3b62505a8a001e4bc8720f6945e14658b409365f66cc52641c7d857c877bea498438ae058

Download Submit
C:\Users\Admin\AppData\Local\Temp\pl_rsrc_english.dll

Filesize
1.9MB

MD5
6c558bbbf78a3b89c20d53cfe066c022

SHA1
275159bd55992cf2f006b593c73e2f97f2c94912

SHA256
82128258f3dd976967fdb61fded90f64e0643a84aa6dcc9bad66515446aced35

SHA512
b82418b6483bc87fa2075350a55499313cd0bb9bb584ddfd2172ec877e850d4a9aa50f901cee5ea2e63a28d943e6926489b002bc8206466d2b2d771176039dbf

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads