be969272e992c9a353fc91357a15acf2490ea1016b5f70de0115e53bc903d3a6

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
16/07/2024, 05:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

705dd07f937d04ddd4fb88cd8c5a9c70N.exe
Size

465KB
MD5

705dd07f937d04ddd4fb88cd8c5a9c70
SHA1

f4b91c1aecb8b1f780a29e322a4c3cb0588a728e
SHA256

be969272e992c9a353fc91357a15acf2490ea1016b5f70de0115e53bc903d3a6
SHA512

96b81123e74698a446a225a413ef9e3d48202763774132052deb09ded7e1953695bcdec189fcbf9ea78130a37b7f5877120f82f4617819a9c4b19d5b3f4e57bc
SSDEEP

6144:mBapC9DUIYmO5Kv5Q7X/l/rYvkW1VxxfnzrV9UAH0ctkPfc92F8NLpIh9jil:5pQD+mO5KWy/zrVbt4fcY69U9jI

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2288	LSASS.exe
2572	LSASS.exe

Loads dropped DLL 2 IoCs

pid	Process
2288	LSASS.exe
2288	LSASS.exe

Adds Run key to start application 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysUtils = "C:\\Windows\\LSASS.exe"	REG.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	LSASS.exe
File opened (read-only)	\??\E:	LSASS.exe
File opened (read-only)	\??\I:	LSASS.exe
File opened (read-only)	\??\J:	LSASS.exe
File opened (read-only)	\??\L:	LSASS.exe
File opened (read-only)	\??\O:	LSASS.exe
File opened (read-only)	\??\P:	LSASS.exe
File opened (read-only)	\??\V:	LSASS.exe
File opened (read-only)	\??\H:	LSASS.exe
File opened (read-only)	\??\N:	LSASS.exe
File opened (read-only)	\??\T:	LSASS.exe
File opened (read-only)	\??\W:	LSASS.exe
File opened (read-only)	\??\K:	LSASS.exe
File opened (read-only)	\??\M:	LSASS.exe
File opened (read-only)	\??\R:	LSASS.exe
File opened (read-only)	\??\S:	LSASS.exe
File opened (read-only)	\??\Y:	LSASS.exe
File opened (read-only)	\??\G:	LSASS.exe
File opened (read-only)	\??\Q:	LSASS.exe
File opened (read-only)	\??\U:	LSASS.exe
File opened (read-only)	\??\X:	LSASS.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	F:\autorun.inf	LSASS.exe
File opened for modification	F:\autorun.inf	LSASS.exe
File created	C:\autorun.inf	LSASS.exe
File opened for modification	C:\autorun.inf	LSASS.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\LSASS.exe	705dd07f937d04ddd4fb88cd8c5a9c70N.exe
File opened for modification	C:\Windows\LSASS.exe	705dd07f937d04ddd4fb88cd8c5a9c70N.exe
File opened for modification	C:\Windows\LSASS.exe	LSASS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 61 IoCs

pid	Process
2260	705dd07f937d04ddd4fb88cd8c5a9c70N.exe
2260	705dd07f937d04ddd4fb88cd8c5a9c70N.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2572	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe
2288	LSASS.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2288	2260	705dd07f937d04ddd4fb88cd8c5a9c70N.exe	29
PID 2260 wrote to memory of 2288	2260	705dd07f937d04ddd4fb88cd8c5a9c70N.exe	29
PID 2260 wrote to memory of 2288	2260	705dd07f937d04ddd4fb88cd8c5a9c70N.exe	29
PID 2260 wrote to memory of 2288	2260	705dd07f937d04ddd4fb88cd8c5a9c70N.exe	29
PID 2288 wrote to memory of 2716	2288	LSASS.exe	30
PID 2288 wrote to memory of 2716	2288	LSASS.exe	30
PID 2288 wrote to memory of 2716	2288	LSASS.exe	30
PID 2288 wrote to memory of 2716	2288	LSASS.exe	30
PID 2288 wrote to memory of 2780	2288	LSASS.exe	31
PID 2288 wrote to memory of 2780	2288	LSASS.exe	31
PID 2288 wrote to memory of 2780	2288	LSASS.exe	31
PID 2288 wrote to memory of 2780	2288	LSASS.exe	31
PID 2288 wrote to memory of 2572	2288	LSASS.exe	34
PID 2288 wrote to memory of 2572	2288	LSASS.exe	34
PID 2288 wrote to memory of 2572	2288	LSASS.exe	34
PID 2288 wrote to memory of 2572	2288	LSASS.exe	34
PID 2288 wrote to memory of 2980	2288	LSASS.exe	35
PID 2288 wrote to memory of 2980	2288	LSASS.exe	35
PID 2288 wrote to memory of 2980	2288	LSASS.exe	35
PID 2288 wrote to memory of 2980	2288	LSASS.exe	35
PID 2288 wrote to memory of 2704	2288	LSASS.exe	36
PID 2288 wrote to memory of 2704	2288	LSASS.exe	36
PID 2288 wrote to memory of 2704	2288	LSASS.exe	36
PID 2288 wrote to memory of 2704	2288	LSASS.exe	36
PID 2288 wrote to memory of 2736	2288	LSASS.exe	39
PID 2288 wrote to memory of 2736	2288	LSASS.exe	39
PID 2288 wrote to memory of 2736	2288	LSASS.exe	39
PID 2288 wrote to memory of 2736	2288	LSASS.exe	39
PID 2288 wrote to memory of 1844	2288	LSASS.exe	40
PID 2288 wrote to memory of 1844	2288	LSASS.exe	40
PID 2288 wrote to memory of 1844	2288	LSASS.exe	40
PID 2288 wrote to memory of 1844	2288	LSASS.exe	40
PID 2288 wrote to memory of 2180	2288	LSASS.exe	43
PID 2288 wrote to memory of 2180	2288	LSASS.exe	43
PID 2288 wrote to memory of 2180	2288	LSASS.exe	43
PID 2288 wrote to memory of 2180	2288	LSASS.exe	43
PID 2288 wrote to memory of 2124	2288	LSASS.exe	44
PID 2288 wrote to memory of 2124	2288	LSASS.exe	44
PID 2288 wrote to memory of 2124	2288	LSASS.exe	44
PID 2288 wrote to memory of 2124	2288	LSASS.exe	44
PID 2288 wrote to memory of 2940	2288	LSASS.exe	47
PID 2288 wrote to memory of 2940	2288	LSASS.exe	47
PID 2288 wrote to memory of 2940	2288	LSASS.exe	47
PID 2288 wrote to memory of 2940	2288	LSASS.exe	47
PID 2288 wrote to memory of 2628	2288	LSASS.exe	48
PID 2288 wrote to memory of 2628	2288	LSASS.exe	48
PID 2288 wrote to memory of 2628	2288	LSASS.exe	48
PID 2288 wrote to memory of 2628	2288	LSASS.exe	48
PID 2288 wrote to memory of 2884	2288	LSASS.exe	51
PID 2288 wrote to memory of 2884	2288	LSASS.exe	51
PID 2288 wrote to memory of 2884	2288	LSASS.exe	51
PID 2288 wrote to memory of 2884	2288	LSASS.exe	51
PID 2288 wrote to memory of 2068	2288	LSASS.exe	52
PID 2288 wrote to memory of 2068	2288	LSASS.exe	52
PID 2288 wrote to memory of 2068	2288	LSASS.exe	52
PID 2288 wrote to memory of 2068	2288	LSASS.exe	52
PID 2288 wrote to memory of 1232	2288	LSASS.exe	55
PID 2288 wrote to memory of 1232	2288	LSASS.exe	55
PID 2288 wrote to memory of 1232	2288	LSASS.exe	55
PID 2288 wrote to memory of 1232	2288	LSASS.exe	55
PID 2288 wrote to memory of 1380	2288	LSASS.exe	56
PID 2288 wrote to memory of 1380	2288	LSASS.exe	56
PID 2288 wrote to memory of 1380	2288	LSASS.exe	56
PID 2288 wrote to memory of 1380	2288	LSASS.exe	56

C:\Users\Admin\AppData\Local\Temp\705dd07f937d04ddd4fb88cd8c5a9c70N.exe
"C:\Users\Admin\AppData\Local\Temp\705dd07f937d04ddd4fb88cd8c5a9c70N.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\LSASS.exe
  "C:\Windows\LSASS.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2716
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2780
- - C:\Users\Admin\LSASS.exe
    "C:\Users\Admin\LSASS.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2572
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2980
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2704
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2736
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1844
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2180
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2124
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2940
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2628
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2884
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2068
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1232
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1380
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2212
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2088
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2380
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1608
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2132
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2404
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:828
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2520
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2016
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1776
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2424
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1820
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1588
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2500
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2256
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2144
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2728
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2076
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2468
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2704
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:292
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1632
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2512
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2476
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2912
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2504
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2916
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2984
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1232
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1184
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2212
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\LSASS.exe

Filesize
465KB

MD5
7b942df49bb0a80796eb43afd859203d

SHA1
6509e1a816f9e204fc9b5e9ce84b7fe56ae0b590

SHA256
fc7537de541d99506fe87fb2ba6c774946f776d03c103725742714acea157815

SHA512
85ee3f1003a66f24364afe612f3e576a708643126923d34b820d2a00dd54e8fd87c470ecfb448f065a2f347f3b8c6dc4f188c8f478ea6b47bdce35c035524a57

Download Submit
C:\autorun.inf

Filesize
190B

MD5
b1445c7f646c6ca9a7597791af38d575

SHA1
91efaf63fa1f7a51ee2f9b1c3b0f8932f15439ce

SHA256
220517d50470c86d94020cebcd03af286898e65338f468dc5f860dc04af2c88e

SHA512
533349278b6d186f0f3947681e90dcc7f617e146736798e6fc23e79d61610f1f7b2e4b4241b296884622fbd6b1cf73dc694a852e05bf4235da8ed40b70c5683f

Download Submit
\Users\Admin\LSASS.exe

Filesize
465KB

MD5
3e4ab1b0e3c55d7781ed88dd2d2e05f6

SHA1
decbe868208a3adcc79a16b9dab331623648c1e7

SHA256
badbb303017bb95fd6e670df0e05f4ace6bfb29e56a962e4afe63da44cbd6adb

SHA512
fb93a4544941fabd7499a231b0bbbbcd9fa126d2e64eeb35934ff2ac5ff5c176316ceb9f6fcc4325ebf0f337df376239be292fce716238ee1b83d2e2981fe848

Download Submit
memory/2260-0-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2260-10-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2288-42-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2288-94-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2288-197-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2288-9-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2288-47-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2288-60-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2288-77-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2288-23-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2288-112-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2288-129-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2288-146-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2288-163-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2288-180-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2572-22-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download