Analysis
  max time kernel: 128s
  max time network: 108s
  platform: windows10-2004_x64
  resource: win10v2004-20240709-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 22/07/2024, 15:37
Tasks
  Static task static1
  Behavioral task behavioral1: sample "Process Lasso 14.2.0.32.exe", resource win7-20240704-en
  Behavioral task behavioral2: sample "Process Lasso 14.2.0.32.exe", resource win10v2004-20240709-en
  Behavioral task behavioral3: sample "_Silent Install.cmd", resource win7-20240704-en
  Behavioral task behavioral4: sample "_Silent Install.cmd", resource win10v2004-20240709-en
  Behavioral task behavioral5: sample "_Unpack Portable.cmd", resource win7-20240704-en
  Behavioral task behavioral6: sample "_Unpack Portable.cmd", resource win10v2004-20240709-en
General
  Target: Process Lasso 14.2.0.32.exe
  Size: 4.9MB
  MD5: 315fe6eb3b3e3e0f0567e0c6b6d3b9ea
  SHA1: 65323656903c05c2866556080beee6a3511e8c40
  SHA256: 80c9bd5849e8dbbb38568978b995ae785b8bbfc5de218d938568e7281260789d
  SHA512: d11d428de015ffc5744fd5c3b7c3ddb4bcbb0681691ff683f217d8ec9e427301cf76a1754e9f18164a933cd5a2af03eedc13609e7a695b208b04ba9cc5112bc8
  SSDEEP: 98304:PnsI+4x8J/GDtYR7VPf4R6fjEwOBRbIK9hnb9mm:EI+4K/Gt6fjjOdb0m
Malware Config
Signatures
Executes dropped EXE (10 IoCs)
  pid   Process
  1620  Process Lasso 14.2.0.32.tmp
  4176  installHelper.exe
  5048  installHelper.exe
  1728  installHelper.exe
  3740  installHelper.exe
  4428  ProcessLasso.exe
  3352  bitsumsessionagent.exe
  3328  srvstub.exe
  376   processgovernor.exe
  4292  ProcessLasso.exe
Loads dropped DLL (14 IoCs)
  pid   Process
  1620  Process Lasso 14.2.0.32.tmp  (4 entries)
  4176  installHelper.exe
  5048  installHelper.exe
  1728  installHelper.exe
  3740  installHelper.exe
  4428  ProcessLasso.exe  (2 entries)
  376   processgovernor.exe  (2 entries)
  4292  ProcessLasso.exe  (2 entries)
Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory (64 IoCs)
  Process for all 64 entries: Process Lasso 14.2.0.32.tmp
  description                   ioc
  File opened for modification  C:\Program Files\Process Lasso\pl_rsrc_finnish.dll
  File created                  C:\Program Files\Process Lasso\is-M3RFO.tmp
  File opened for modification  C:\Program Files\Process Lasso\pl_rsrc_english.dll
  File opened for modification  C:\Program Files\Process Lasso\pl_rsrc_italian.dll
  File created                  C:\Program Files\Process Lasso\is-LFPPJ.tmp
  File created                  C:\Program Files\Process Lasso\is-2H6G4.tmp
  File created                  C:\Program Files\Process Lasso\is-O2770.tmp
  File opened for modification  C:\Program Files\Process Lasso\ProcessGovernor.exe
  File opened for modification  C:\Program Files\Process Lasso\pl_rsrc_spanish.dll
  File created                  C:\Program Files\Process Lasso\is-G1UH5.tmp
  File created                  C:\Program Files\Process Lasso\is-VI4AJ.tmp
  File created                  C:\Program Files\Process Lasso\is-07GKV.tmp
  File opened for modification  C:\Program Files\Process Lasso\pl_rsrc_german.dll
  File created                  C:\Program Files\Process Lasso\is-VL6J5.tmp
  File created                  C:\Program Files\Process Lasso\is-9AJ5D.tmp
  File created                  C:\Program Files\Process Lasso\is-OG6SD.tmp
  File created                  C:\Program Files\Process Lasso\is-21KKL.tmp
  File created                  C:\Program Files\Process Lasso\is-O12LP.tmp
  File opened for modification  C:\Program Files\Process Lasso\pl_rsrc_french.dll
  File created                  C:\Program Files\Process Lasso\is-H30LE.tmp
  File created                  C:\Program Files\Process Lasso\is-U57I3.tmp
  File created                  C:\Program Files\Process Lasso\is-VHBTT.tmp
  File created                  C:\Program Files\Process Lasso\is-CGS6O.tmp
  File opened for modification  C:\Program Files\Process Lasso\vistammsc.exe
  File opened for modification  C:\Program Files\Process Lasso\QuickUpgrade.exe
  File opened for modification  C:\Program Files\Process Lasso\pl_rsrc_ptbr.dll
  File opened for modification  C:\Program Files\Process Lasso\InstallHelper.exe
  File opened for modification  C:\Program Files\Process Lasso\testlasso.exe
  File opened for modification  C:\Program Files\Process Lasso\unins000.dat
  File opened for modification  C:\Program Files\Process Lasso\pl_rsrc_korean.dll
  File opened for modification  C:\Program Files\Process Lasso\pl_rsrc_slovenian.dll
  File created                  C:\Program Files\Process Lasso\is-S66F4.tmp
  File created                  C:\Program Files\Process Lasso\is-UFV5J.tmp
  File created                  C:\Program Files\Process Lasso\is-2RIMC.tmp
  File opened for modification  C:\Program Files\Process Lasso\Insights.exe
  File opened for modification  C:\Program Files\Process Lasso\bitsumsessionagent.exe
  File opened for modification  C:\Program Files\Process Lasso\ProcessLasso.exe
  File created                  C:\Program Files\Process Lasso\is-02AEA.tmp
  File opened for modification  C:\Program Files\Process Lasso\pl_rsrc_chinese.dll
  File created                  C:\Program Files\Process Lasso\is-CIUHR.tmp
  File opened for modification  C:\Program Files\Process Lasso\pl_rsrc_russian.dll
  File opened for modification  C:\Program Files\Process Lasso\ProcessLassoLauncher.exe
  File opened for modification  C:\Program Files\Process Lasso\TweakScheduler.exe
  File created                  C:\Program Files\Process Lasso\is-P63GM.tmp
  File created                  C:\Program Files\Process Lasso\is-G0ATK.tmp
  File opened for modification  C:\Program Files\Process Lasso\LogViewer.exe
  File opened for modification  C:\Program Files\Process Lasso\pl_rsrc_japanese.dll
  File created                  C:\Program Files\Process Lasso\unins000.dat
  File created                  C:\Program Files\Process Lasso\is-H6DU6.tmp
  File created                  C:\Program Files\Process Lasso\is-K2ILI.tmp
  File created                  C:\Program Files\Process Lasso\is-SAU8C.tmp
  File created                  C:\Program Files\Process Lasso\is-5GNLD.tmp
  File created                  C:\Program Files\Process Lasso\is-F3DON.tmp
  File created                  C:\Program Files\Process Lasso\is-TURIP.tmp
  File opened for modification  C:\Program Files\Process Lasso\pl_rsrc_bulgarian.dll
  File opened for modification  C:\Program Files\Process Lasso\CPUEater.exe
  File opened for modification  C:\Program Files\Process Lasso\ThreadRacer.exe
  File opened for modification  C:\Program Files\Process Lasso\pl_rsrc_polish.dll
  File opened for modification  C:\Program Files\Process Lasso\pl_rsrc_chinese_traditional.dll
  File created                  C:\Program Files\Process Lasso\is-3UL48.tmp
  File created                  C:\Program Files\Process Lasso\is-LVK4P.tmp
  File created                  C:\Program Files\Process Lasso\is-P3N4K.tmp
  File created                  C:\Program Files\Process Lasso\is-FPI3V.tmp
  File created                  C:\Program Files\Process Lasso\is-5C3J3.tmp
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 14 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                              Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      installHelper.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  processgovernor.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      ProcessLasso.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  ProcessLasso.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  installHelper.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      installHelper.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      ProcessLasso.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  ProcessLasso.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      processgovernor.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      installHelper.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  installHelper.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  installHelper.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      installHelper.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  installHelper.exe
Modifies data under HKEY_USERS (5 IoCs)
  Process for all 5 entries: processgovernor.exe
  description       ioc
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\ProcessLasso\ProcessLasso = 09040000
  Key created       \REGISTRY\USER\.DEFAULT\Software\ProcessLasso
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\ProcessLasso\Language = "1033"
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\ProcessLasso\InstallerLanguageDWORD = "1033"
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\ProcessLasso
Runs .reg file with regedit (1 IoC)
  pid   Process
  2700  regedit.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  1620  Process Lasso 14.2.0.32.tmp  (64 entries)
Suspicious use of AdjustPrivilegeToken (53 IoCs)
  pid   Process               Tokens
  4176  installHelper.exe     SeAssignPrimaryTokenPrivilege, SeDebugPrivilege, SeChangeNotifyPrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, SeProfSingleProcessPrivilege
  5048  installHelper.exe     SeAssignPrimaryTokenPrivilege, SeDebugPrivilege, SeChangeNotifyPrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, SeProfSingleProcessPrivilege
  1728  installHelper.exe     SeAssignPrimaryTokenPrivilege, SeDebugPrivilege, SeChangeNotifyPrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, SeProfSingleProcessPrivilege
  3740  installHelper.exe     SeAssignPrimaryTokenPrivilege, SeDebugPrivilege, SeChangeNotifyPrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, SeProfSingleProcessPrivilege
  4428  ProcessLasso.exe      SeAssignPrimaryTokenPrivilege, SeDebugPrivilege, SeChangeNotifyPrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, SeCreateGlobalPrivilege, SeProfSingleProcessPrivilege, SeBackupPrivilege, SeRestorePrivilege
  3328  srvstub.exe           SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege
  376   processgovernor.exe   SeAssignPrimaryTokenPrivilege, SeDebugPrivilege, SeChangeNotifyPrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, SeProfSingleProcessPrivilege, SeCreateGlobalPrivilege, SeBackupPrivilege, SeRestorePrivilege
  4292  ProcessLasso.exe      SeAssignPrimaryTokenPrivilege, SeDebugPrivilege, SeChangeNotifyPrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, SeCreateGlobalPrivilege, SeProfSingleProcessPrivilege, SeBackupPrivilege, SeRestorePrivilege
Suspicious use of FindShellTrayWindow (64 IoCs)
  pid   Process
  1620  Process Lasso 14.2.0.32.tmp
  4428  ProcessLasso.exe  (63 entries)
Suspicious use of SendNotifyMessage (63 IoCs)
  pid   Process
  4428  ProcessLasso.exe  (63 entries)
Suspicious use of SetWindowsHookEx (3 IoCs)
  pid   Process
  1620  Process Lasso 14.2.0.32.tmp  (3 entries)
Suspicious use of WriteProcessMemory (17 IoCs)
  description                          pid   Process                       procid_target
  PID 3788 wrote to memory of 1620     3788  Process Lasso 14.2.0.32.exe   84   (3 entries)
  PID 1620 wrote to memory of 2700     1620  Process Lasso 14.2.0.32.tmp   97   (2 entries)
  PID 1620 wrote to memory of 4176     1620  Process Lasso 14.2.0.32.tmp   98   (2 entries)
  PID 1620 wrote to memory of 5048     1620  Process Lasso 14.2.0.32.tmp   99   (2 entries)
  PID 1620 wrote to memory of 1728     1620  Process Lasso 14.2.0.32.tmp   100  (2 entries)
  PID 1620 wrote to memory of 3740     1620  Process Lasso 14.2.0.32.tmp   101  (2 entries)
  PID 1620 wrote to memory of 4428     1620  Process Lasso 14.2.0.32.tmp   102  (2 entries)
  PID 3328 wrote to memory of 376      3328  srvstub.exe                   107  (2 entries)
Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
  [depth 1] C:\Users\Admin\AppData\Local\Temp\Process Lasso 14.2.0.32.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Process Lasso 14.2.0.32.exe"
    PID: 3788
    - Suspicious use of WriteProcessMemory
    [depth 2] C:\Users\Admin\AppData\Local\Temp\is-MGQT2.tmp\Process Lasso 14.2.0.32.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-MGQT2.tmp\Process Lasso 14.2.0.32.tmp" /SL5="$E0064,4754140,60928,C:\Users\Admin\AppData\Local\Temp\Process Lasso 14.2.0.32.exe"
      PID: 1620
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      [depth 3] C:\Windows\regedit.exe
        Command line: "C:\Windows\regedit.exe" /S "C:\Users\Admin\AppData\Local\Temp\settings.reg"
        PID: 2700
        - Runs .reg file with regedit
      [depth 3] C:\Program Files\Process Lasso\installHelper.exe
        Command line: "C:\Program Files\Process Lasso\installHelper.exe" /firstinstall
        PID: 4176
        - Executes dropped EXE
        - Loads dropped DLL
        - Checks processor information in registry
        - Suspicious use of AdjustPrivilegeToken
      [depth 3] C:\Program Files\Process Lasso\installHelper.exe
        Command line: "C:\Program Files\Process Lasso\installHelper.exe" /migrate
        PID: 5048
        - Executes dropped EXE
        - Loads dropped DLL
        - Checks processor information in registry
        - Suspicious use of AdjustPrivilegeToken
      [depth 3] C:\Program Files\Process Lasso\installHelper.exe
        Command line: "C:\Program Files\Process Lasso\installHelper.exe" /powerinstall
        PID: 1728
        - Executes dropped EXE
        - Loads dropped DLL
        - Checks processor information in registry
        - Suspicious use of AdjustPrivilegeToken
      [depth 3] C:\Program Files\Process Lasso\installHelper.exe
        Command line: "C:\Program Files\Process Lasso\installHelper.exe" /install
        PID: 3740
        - Executes dropped EXE
        - Loads dropped DLL
        - Checks processor information in registry
        - Suspicious use of AdjustPrivilegeToken
      [depth 3] C:\Program Files\Process Lasso\ProcessLasso.exe
        Command line: "C:\Program Files\Process Lasso\ProcessLasso.exe"
        PID: 4428
        - Executes dropped EXE
        - Loads dropped DLL
        - Checks processor information in registry
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
  [depth 1] C:\Program Files\Process Lasso\bitsumsessionagent.exe
    Command line: "C:\Program Files\Process Lasso\bitsumsessionagent.exe" ----------------------------------------------------------------
    PID: 3352
    - Executes dropped EXE
  [depth 1] C:\Program Files\Process Lasso\srvstub.exe
    Command line: "C:\Program Files\Process Lasso\srvstub.exe" "C:\Program Files\Process Lasso\processgovernor.exe" "ProcessGovernor" /exitevent:Global\ProcessGovernorExitEvent
    PID: 3328
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [depth 2] C:\Program Files\Process Lasso\processgovernor.exe
      Command line: "C:\Program Files\Process Lasso\processgovernor.exe"
      PID: 376
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks processor information in registry
      - Modifies data under HKEY_USERS
      - Suspicious use of AdjustPrivilegeToken
  [depth 1] C:\Program Files\Process Lasso\ProcessLasso.exe
    Command line: "C:\Program Files\Process Lasso\ProcessLasso.exe"
    PID: 4292
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 765KB
  MD5: 5e39c1cb5b265ec880da4d0c64454a15
  SHA1: f0cb07ce3241210cf8b1ed5c9998ce10d00262b1
  SHA256: ed4dfa63d77507d0403f9c749060a510540d116670f00bfa340c5d1e6d1ea9ef
  SHA512: e56c13ed401fbaf5c425c7ff1ccc4cf0ccb1ad3a52864bcb1689bb52e610d15438a6936fc7dd4fbd7aee78853711745606bf391cf5f1b4b4b772fdc0fefd52b6

  Filesize: 1.2MB
  MD5: 1656969c2c886b797a88a54da90067af
  SHA1: 3e2663d555f9fa6b98ad0a5045148a8aeaeaa9b8
  SHA256: 19ac1e6b66feb45b3db2d4a70724f600463206305ca47a63a2c6742301938548
  SHA512: e3cf0775cdf05919556c581dbf0001c9a4a2b8bce91920811320327cfe37fc4ff482c8a10eb224b07de2c89cab1ebc4d6d101c8ca4bb8592b4d83945c5266c13

  Filesize: 1.8MB
  MD5: 2c363d84d7ccfea690465a02853f28e7
  SHA1: ed70de6b66b112df2725ab21265eec00b54e479a
  SHA256: 93d27b7a79708ea7704e3e3184203623572ab7d1ca30efdad7ae5b695f5e54d6
  SHA512: 76cf03de429cdaf179ed12485eca5fac20013d23a7c7c2eb302180aa3bff8d7b6beaf2a029772303a3d5613c2f6f3e70eb4554f5d5ebba565b9abef806d8315e

  Filesize: 177KB
  MD5: 7f55918ca6706935ebf3000e277ec7f3
  SHA1: 725b09394b76ccc066ac4fbc00357fbbb2a60f34
  SHA256: 7592cdd84b1085851f3a6ef03bc386a381117cdb884c720be1bd8dcf62a296ea
  SHA512: fe218d72e4e17097143860b57f22de32ecac1b5cbcb93e856404bed7884ce2b389d39f3ed654a1d8bdc5f08847ebfd3fdf9ba0f1f1efd32e55fe6bf250f9afc9

  Filesize: 1.9MB
  MD5: 40d2b640a737039f0ae3bea77470cdfd
  SHA1: f22c0a3ed620659ec76b1dc499b9965e4b6b3a2b
  SHA256: be8a66f9560f0f3d2dcb12a3608deeae7a64e87340462c0f409c640580c514f8
  SHA512: 17b8d4c47875b909e4a70373033dd28cde2f2805509845eaf0ac264c85ddeec657d17276b38f37211d4102de87a8b0c91c646d17826b18c2f4f3f9badc4d3b29

  Filesize: 133KB
  MD5: 0e5a9b9dc9735ae5c4893074ba229212
  SHA1: 47bbc9707bb66752382eec1f2e1dc58b7726f830
  SHA256: d7cb65cb2e9829275453abf3bf2eb9cf085ee64d44decd158d51750bfa9597ef
  SHA512: 73b853a648391b0a36efac4ef35e1ff5e1c7633cfb1cb554445b7381fe9b6b21083c269d7bcfc15e996107cbada45317da703d3c05b0f81a5854b9d447be061f

  Filesize: 8KB
  MD5: a91fcce51037e12725d092b8467a7f72
  SHA1: 692bb6fb77ea87a221ce081d3db2e15a24609fc1
  SHA256: f2f106fa5e59ea783318e813e45c0881f495d910fbeccb8cab38f20ab2546730
  SHA512: 156c4e0cae289291ca8f7b223e5246b80613e4338ba8bbba6d4b5400f59d6f4330d678b2c8751c35f72ae95a5275aa87e0cd11213c02f584b79aeeead1ae0446

  Filesize: 783B
  MD5: 30429feb4ac9f0d25c9946ce84a0292d
  SHA1: 78ede7b272bba93521ab997104ace11876671fae
  SHA256: 35860c81726032d67bde6c46b52f75f2051de3535b5c0e62bdec2c82e36fb359
  SHA512: 3791ca84672ae3a8531492ed33c5d1f3a210794d1241e9c9a5751a2788c2bdfbb5e093b667f71aedf9cca31635fd93e96c92c3e2dd54bc54a1991f63665da598

  Filesize: 66KB
  MD5: 86a1311d51c00b278cb7f27796ea442e
  SHA1: ac08ac9d08f8f5380e2a9a65f4117862aa861a19
  SHA256: e916bdf232744e00cbd8d608168a019c9f41a68a7e8390aa48cfb525276c483d
  SHA512: 129e4b8dd2665bcfc5e72b4585343c51127b5d027dbb0234291e7a197baeca1bab5ed074e65e5e8c969ee01f9f65cc52c9993037416de9bfff2f872e5aeba7ec

  Filesize: 3.0MB
  MD5: b0ca93ceb050a2feff0b19e65072bbb5
  SHA1: 7ebbbbe2d2acd8fd516f824338d254a33b69f08d
  SHA256: 0e93313f42084d804b9ac4be53d844e549cfcaf19e6f276a3b0f82f01b9b2246
  SHA512: 37242423e62af30179906660c6dbbadca3dc2ba9e562f84315a69f3114765bc08e88321632843dbd78ba1728f8d1ce54a4edfa3b96a9d13e540aee895ae2d8e2

  Filesize: 907KB
  MD5: 3754a5eb2b26e9b6a89bd0690718351a
  SHA1: 5356815f88cbcc512c74b401c5b1c89f8e950944
  SHA256: 2006b2b4d5eb64722f0bba35380057c9556a7e8bd4bf95b92cd68d84ba255be6
  SHA512: 9ad991d58a60924650523f3e59a02389a7e729fbf73a0b20479c590375f40f041e0a7101604d7305ef8d7a8d57ba53e8823a75aa27441757881c604236ab0bec