257f8251ab61b944b75deafc681030a20b6dd5ae03b8540d8f482a6c291efb96

Resubmissions

06-07-2024 22:02

240706-1x4eratgrl 7

06-07-2024 19:00

240706-xnn2xssgpc 10

Analysis

max time kernel
1733s
max time network
1146s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06-07-2024 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pl.cmd
Size

77B
MD5

aa54d58336d2565c369498d035737f8a
SHA1

c6a8791264081a6f854b30ac11477bdd83a8cbee
SHA256

9af8add66b2bb4a0252b65e0f13238055b601d689e8d29455d5b2c87f901fd7b
SHA512

82d9eeab7cb95f012b55d531ba7af84546be650702f40ca294c74858eca5eadc0ed7a87bc65122df4093e483dffe1e04e306845871955b2dc4f5113f1cf34838

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ProcessLasso.exe

pid process

244 ProcessLasso.exe

pid	process
244	ProcessLasso.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

InstallHelper.exeProcessLasso.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	InstallHelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	InstallHelper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ProcessLasso.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ProcessLasso.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

InstallHelper.exe

pid	process
4012	InstallHelper.exe
4012	InstallHelper.exe
4012	InstallHelper.exe
4012	InstallHelper.exe
4012	InstallHelper.exe
4012	InstallHelper.exe
4012	InstallHelper.exe
4012	InstallHelper.exe
4012	InstallHelper.exe
4012	InstallHelper.exe
4012	InstallHelper.exe
4012	InstallHelper.exe
4012	InstallHelper.exe
4012	InstallHelper.exe
4012	InstallHelper.exe
4012	InstallHelper.exe
4012	InstallHelper.exe
4012	InstallHelper.exe
4012	InstallHelper.exe
4012	InstallHelper.exe
4012	InstallHelper.exe
4012	InstallHelper.exe
4012	InstallHelper.exe
4012	InstallHelper.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

InstallHelper.exeProcessLasso.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	4012	InstallHelper.exe
Token: SeDebugPrivilege	4012	InstallHelper.exe
Token: SeChangeNotifyPrivilege	4012	InstallHelper.exe
Token: SeIncBasePriorityPrivilege	4012	InstallHelper.exe
Token: SeIncreaseQuotaPrivilege	4012	InstallHelper.exe
Token: SeProfSingleProcessPrivilege	4012	InstallHelper.exe
Token: SeAssignPrimaryTokenPrivilege	244	ProcessLasso.exe
Token: SeDebugPrivilege	244	ProcessLasso.exe
Token: SeChangeNotifyPrivilege	244	ProcessLasso.exe
Token: SeIncBasePriorityPrivilege	244	ProcessLasso.exe
Token: SeIncreaseQuotaPrivilege	244	ProcessLasso.exe
Token: SeCreateGlobalPrivilege	244	ProcessLasso.exe
Token: SeProfSingleProcessPrivilege	244	ProcessLasso.exe
Token: SeBackupPrivilege	244	ProcessLasso.exe
Token: SeRestorePrivilege	244	ProcessLasso.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cmd.exeProcessLassoLauncher.exe

description	pid	process	target process
PID 3340 wrote to memory of 4012	3340	cmd.exe	InstallHelper.exe
PID 3340 wrote to memory of 4012	3340	cmd.exe	InstallHelper.exe
PID 3340 wrote to memory of 1232	3340	cmd.exe	ProcessLassoLauncher.exe
PID 3340 wrote to memory of 1232	3340	cmd.exe	ProcessLassoLauncher.exe
PID 1232 wrote to memory of 244	1232	ProcessLassoLauncher.exe	ProcessLasso.exe
PID 1232 wrote to memory of 244	1232	ProcessLassoLauncher.exe	ProcessLasso.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\pl.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:3340

C:\Users\Admin\AppData\Local\Temp\InstallHelper.exe
InstallHelper.exe /terminate
2⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4012

C:\Users\Admin\AppData\Local\Temp\ProcessLassoLauncher.exe
ProcessLassoLauncher.exe /showwindow
2⤵
- Suspicious use of WriteProcessMemory
PID:1232

C:\Users\Admin\AppData\Local\Temp\ProcessLasso.exe
"C:\Users\Admin\AppData\Local\Temp\ProcessLasso.exe" "ProcessLassoLauncher.exe" "/showwindow"
3⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ProcessLasso.exe

Filesize
1.8MB

MD5
8fcf7cf04f9b344724759ee830e97ff7

SHA1
7e89c71637362333246cb6f7b30f34a2b7693407

SHA256
449c423ae1a63259989c85176dcc808f767346944eb40eac270ce27795abc1c2

SHA512
3acc527ac9014db980d4c511fd416e32d627f616eb09559a2c3b0cb038a86eee6adf526488053fd09e34ba66fec6109bc534178e4371147d1b23f29803668759

Download Submit