8f80684a8bb4903d94ab74bd54e1cdb89cd70a7072fdf51f23200f44510cce0c

Analysis

max time kernel
145s
max time network
16s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22/07/2024, 15:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

_Silent Install.cmd
Size

1KB
MD5

1586fcb6353ba97337072ffc9a49e046
SHA1

9e29a16a45b4a0a61e0c481ad20f5c278c3504d4
SHA256

6601cbe618dd90ef2daf02fb3fd41b492ea8b2afa2b234d3b7f483c432e4d78d
SHA512

e36ef005c18bb0905d453afa3eb2eabd1c3552e72385fb1ba72992a0db440cedfc3f84ca1237c2479033e2ab1f81d18ec061941d046ff21704da66bd76ed4138

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 12 IoCs

pid	Process
2288	Process Lasso 14.2.0.32.tmp
1512	installHelper.exe
1400	installHelper.exe
1752	installHelper.exe
3004	installHelper.exe
1200	Process not Found
1472	ProcessLasso.exe
2348	bitsumsessionagent.exe
464	Process not Found
2100	srvstub.exe
1544	processgovernor.exe
2748	ProcessLasso.exe

Loads dropped DLL 34 IoCs

pid	Process
2900	Process Lasso 14.2.0.32.exe
2288	Process Lasso 14.2.0.32.tmp
2288	Process Lasso 14.2.0.32.tmp
2288	Process Lasso 14.2.0.32.tmp
2288	Process Lasso 14.2.0.32.tmp
2288	Process Lasso 14.2.0.32.tmp
2288	Process Lasso 14.2.0.32.tmp
2288	Process Lasso 14.2.0.32.tmp
1512	installHelper.exe
2288	Process Lasso 14.2.0.32.tmp
1400	installHelper.exe
2288	Process Lasso 14.2.0.32.tmp
1752	installHelper.exe
2288	Process Lasso 14.2.0.32.tmp
3004	installHelper.exe
1200	Process not Found
1200	Process not Found
1472	ProcessLasso.exe
2324	taskeng.exe
464	Process not Found
2100	srvstub.exe
1544	processgovernor.exe
1472	ProcessLasso.exe
1472	ProcessLasso.exe
1472	ProcessLasso.exe
1472	ProcessLasso.exe
1472	ProcessLasso.exe
1472	ProcessLasso.exe
1472	ProcessLasso.exe
1472	ProcessLasso.exe
1472	ProcessLasso.exe
1472	ProcessLasso.exe
1472	ProcessLasso.exe
2748	ProcessLasso.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Process Lasso\vistammsc.exe	Process Lasso 14.2.0.32.tmp
File created	C:\Program Files\Process Lasso\is-4N0NC.tmp	Process Lasso 14.2.0.32.tmp
File created	C:\Program Files\Process Lasso\is-TL688.tmp	Process Lasso 14.2.0.32.tmp
File created	C:\Program Files\Process Lasso\is-BG96T.tmp	Process Lasso 14.2.0.32.tmp
File created	C:\Program Files\Process Lasso\is-6FEOT.tmp	Process Lasso 14.2.0.32.tmp
File opened for modification	C:\Program Files\Process Lasso\pl_rsrc_chinese.dll	Process Lasso 14.2.0.32.tmp
File opened for modification	C:\Program Files\Process Lasso\ProcessGovernor.exe	Process Lasso 14.2.0.32.tmp
File opened for modification	C:\Program Files\Process Lasso\CPUEater.exe	Process Lasso 14.2.0.32.tmp
File created	C:\Program Files\Process Lasso\is-RM9C0.tmp	Process Lasso 14.2.0.32.tmp
File opened for modification	C:\Program Files\Process Lasso\bitsumsessionagent.exe	Process Lasso 14.2.0.32.tmp
File opened for modification	C:\Program Files\Process Lasso\pl_rsrc_spanish.dll	Process Lasso 14.2.0.32.tmp
File created	C:\Program Files\Process Lasso\is-T8KQO.tmp	Process Lasso 14.2.0.32.tmp
File created	C:\Program Files\Process Lasso\is-EN2D7.tmp	Process Lasso 14.2.0.32.tmp
File created	C:\Program Files\Process Lasso\is-B97HN.tmp	Process Lasso 14.2.0.32.tmp
File created	C:\Program Files\Process Lasso\is-OFVNP.tmp	Process Lasso 14.2.0.32.tmp
File opened for modification	C:\Program Files\Process Lasso\pl_rsrc_bulgarian.dll	Process Lasso 14.2.0.32.tmp
File created	C:\Program Files\Process Lasso\is-7A50O.tmp	Process Lasso 14.2.0.32.tmp
File created	C:\Program Files\Process Lasso\is-TRI5K.tmp	Process Lasso 14.2.0.32.tmp
File created	C:\Program Files\Process Lasso\is-K0G89.tmp	Process Lasso 14.2.0.32.tmp
File created	C:\Program Files\Process Lasso\is-HGAK7.tmp	Process Lasso 14.2.0.32.tmp
File created	C:\Program Files\Process Lasso\is-82RHH.tmp	Process Lasso 14.2.0.32.tmp
File opened for modification	C:\Program Files\Process Lasso\Insights.exe	Process Lasso 14.2.0.32.tmp
File opened for modification	C:\Program Files\Process Lasso\pl_rsrc_japanese.dll	Process Lasso 14.2.0.32.tmp
File opened for modification	C:\Program Files\Process Lasso\pl_rsrc_english.dll	Process Lasso 14.2.0.32.tmp
File created	C:\Program Files\Process Lasso\unins000.dat	Process Lasso 14.2.0.32.tmp
File created	C:\Program Files\Process Lasso\is-EOR3F.tmp	Process Lasso 14.2.0.32.tmp
File opened for modification	C:\Program Files\Process Lasso\ProcessLassoLauncher.exe	Process Lasso 14.2.0.32.tmp
File opened for modification	C:\Program Files\Process Lasso\pl_rsrc_ptbr.dll	Process Lasso 14.2.0.32.tmp
File created	C:\Program Files\Process Lasso\is-623I9.tmp	Process Lasso 14.2.0.32.tmp
File created	C:\Program Files\Process Lasso\is-VMT92.tmp	Process Lasso 14.2.0.32.tmp
File opened for modification	C:\Program Files\Process Lasso\pl_rsrc_chinese_traditional.dll	Process Lasso 14.2.0.32.tmp
File opened for modification	C:\Program Files\Process Lasso\srvstub.exe	Process Lasso 14.2.0.32.tmp
File created	C:\Program Files\Process Lasso\is-L0M1O.tmp	Process Lasso 14.2.0.32.tmp
File created	C:\Program Files\Process Lasso\is-BO2AS.tmp	Process Lasso 14.2.0.32.tmp
File created	C:\Program Files\Process Lasso\is-53MRH.tmp	Process Lasso 14.2.0.32.tmp
File opened for modification	C:\Program Files\Process Lasso\QuickUpgrade.exe	Process Lasso 14.2.0.32.tmp
File opened for modification	C:\Program Files\Process Lasso\pl_rsrc_korean.dll	Process Lasso 14.2.0.32.tmp
File created	C:\Program Files\Process Lasso\is-6DIG7.tmp	Process Lasso 14.2.0.32.tmp
File opened for modification	C:\Program Files\Process Lasso\pl_rsrc_russian.dll	Process Lasso 14.2.0.32.tmp
File created	C:\Program Files\Process Lasso\is-IG581.tmp	Process Lasso 14.2.0.32.tmp
File created	C:\Program Files\Process Lasso\is-R3J4C.tmp	Process Lasso 14.2.0.32.tmp
File opened for modification	C:\Program Files\Process Lasso\ProcessLasso.exe	Process Lasso 14.2.0.32.tmp
File opened for modification	C:\Program Files\Process Lasso\LogViewer.exe	Process Lasso 14.2.0.32.tmp
File opened for modification	C:\Program Files\Process Lasso\testlasso.exe	Process Lasso 14.2.0.32.tmp
File created	C:\Program Files\Process Lasso\is-MN6AV.tmp	Process Lasso 14.2.0.32.tmp
File opened for modification	C:\Program Files\Process Lasso\pl_rsrc_french.dll	Process Lasso 14.2.0.32.tmp
File opened for modification	C:\Program Files\Process Lasso\InstallHelper.exe	Process Lasso 14.2.0.32.tmp
File created	C:\Program Files\Process Lasso\is-QK8B8.tmp	Process Lasso 14.2.0.32.tmp
File created	C:\Program Files\Process Lasso\is-SF4G0.tmp	Process Lasso 14.2.0.32.tmp
File created	C:\Program Files\Process Lasso\is-4N7LH.tmp	Process Lasso 14.2.0.32.tmp
File created	C:\Program Files\Process Lasso\is-F6NK4.tmp	Process Lasso 14.2.0.32.tmp
File created	C:\Program Files\Process Lasso\is-6T2C0.tmp	Process Lasso 14.2.0.32.tmp
File created	C:\Program Files\Process Lasso\is-R56K1.tmp	Process Lasso 14.2.0.32.tmp
File created	C:\Program Files\Process Lasso\is-3U29H.tmp	Process Lasso 14.2.0.32.tmp
File opened for modification	C:\Program Files\Process Lasso\unins000.dat	Process Lasso 14.2.0.32.tmp
File opened for modification	C:\Program Files\Process Lasso\pl_rsrc_polish.dll	Process Lasso 14.2.0.32.tmp
File opened for modification	C:\Program Files\Process Lasso\pl_rsrc_italian.dll	Process Lasso 14.2.0.32.tmp
File created	C:\Program Files\Process Lasso\is-B9RIC.tmp	Process Lasso 14.2.0.32.tmp
File opened for modification	C:\Program Files\Process Lasso\ThreadRacer.exe	Process Lasso 14.2.0.32.tmp
File opened for modification	C:\Program Files\Process Lasso\TweakScheduler.exe	Process Lasso 14.2.0.32.tmp
File opened for modification	C:\Program Files\Process Lasso\pl_rsrc_finnish.dll	Process Lasso 14.2.0.32.tmp
File created	C:\Program Files\Process Lasso\is-MP7V2.tmp	Process Lasso 14.2.0.32.tmp
File created	C:\Program Files\Process Lasso\is-QVS6S.tmp	Process Lasso 14.2.0.32.tmp
File opened for modification	C:\Program Files\Process Lasso\pl_rsrc_slovenian.dll	Process Lasso 14.2.0.32.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	installHelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	processgovernor.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	installHelper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	installHelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	installHelper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	processgovernor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ProcessLasso.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	installHelper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	installHelper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	installHelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	installHelper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ProcessLasso.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ProcessLasso.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ProcessLasso.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\ProcessLasso\InstallerLanguageDWORD = "1033"	processgovernor.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\ProcessLasso	processgovernor.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\ProcessLasso\ProcessLasso = 09040000	processgovernor.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\ProcessLasso	processgovernor.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\ProcessLasso\Language = "1033"	processgovernor.exe

Runs .reg file with regedit 1 IoCs

pid	Process
812	regedit.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2900	Process Lasso 14.2.0.32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2288	Process Lasso 14.2.0.32.tmp
2288	Process Lasso 14.2.0.32.tmp
2288	Process Lasso 14.2.0.32.tmp
2288	Process Lasso 14.2.0.32.tmp
2288	Process Lasso 14.2.0.32.tmp
2288	Process Lasso 14.2.0.32.tmp
2288	Process Lasso 14.2.0.32.tmp
2288	Process Lasso 14.2.0.32.tmp
2288	Process Lasso 14.2.0.32.tmp
2288	Process Lasso 14.2.0.32.tmp
2288	Process Lasso 14.2.0.32.tmp
2288	Process Lasso 14.2.0.32.tmp
2288	Process Lasso 14.2.0.32.tmp
2288	Process Lasso 14.2.0.32.tmp
2288	Process Lasso 14.2.0.32.tmp
2288	Process Lasso 14.2.0.32.tmp
2288	Process Lasso 14.2.0.32.tmp
2288	Process Lasso 14.2.0.32.tmp
2288	Process Lasso 14.2.0.32.tmp
2288	Process Lasso 14.2.0.32.tmp
2288	Process Lasso 14.2.0.32.tmp
2288	Process Lasso 14.2.0.32.tmp
2288	Process Lasso 14.2.0.32.tmp
2288	Process Lasso 14.2.0.32.tmp
2288	Process Lasso 14.2.0.32.tmp
2288	Process Lasso 14.2.0.32.tmp
2288	Process Lasso 14.2.0.32.tmp
2288	Process Lasso 14.2.0.32.tmp
2288	Process Lasso 14.2.0.32.tmp
2288	Process Lasso 14.2.0.32.tmp
2288	Process Lasso 14.2.0.32.tmp
2288	Process Lasso 14.2.0.32.tmp
2288	Process Lasso 14.2.0.32.tmp
2288	Process Lasso 14.2.0.32.tmp
2288	Process Lasso 14.2.0.32.tmp
2288	Process Lasso 14.2.0.32.tmp
2288	Process Lasso 14.2.0.32.tmp
2288	Process Lasso 14.2.0.32.tmp
2288	Process Lasso 14.2.0.32.tmp
2288	Process Lasso 14.2.0.32.tmp
2288	Process Lasso 14.2.0.32.tmp
1472	ProcessLasso.exe
1472	ProcessLasso.exe
1472	ProcessLasso.exe
1472	ProcessLasso.exe
1472	ProcessLasso.exe
1472	ProcessLasso.exe
1472	ProcessLasso.exe
1472	ProcessLasso.exe
1472	ProcessLasso.exe
1472	ProcessLasso.exe
1472	ProcessLasso.exe
1472	ProcessLasso.exe
1472	ProcessLasso.exe
1472	ProcessLasso.exe
1544	processgovernor.exe
1544	processgovernor.exe
1472	ProcessLasso.exe
1472	ProcessLasso.exe
1472	ProcessLasso.exe
1544	processgovernor.exe
1544	processgovernor.exe
1472	ProcessLasso.exe
1472	ProcessLasso.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	1512	installHelper.exe
Token: SeDebugPrivilege	1512	installHelper.exe
Token: SeChangeNotifyPrivilege	1512	installHelper.exe
Token: SeIncBasePriorityPrivilege	1512	installHelper.exe
Token: SeIncreaseQuotaPrivilege	1512	installHelper.exe
Token: SeProfSingleProcessPrivilege	1512	installHelper.exe
Token: SeAssignPrimaryTokenPrivilege	1400	installHelper.exe
Token: SeDebugPrivilege	1400	installHelper.exe
Token: SeChangeNotifyPrivilege	1400	installHelper.exe
Token: SeIncBasePriorityPrivilege	1400	installHelper.exe
Token: SeIncreaseQuotaPrivilege	1400	installHelper.exe
Token: SeProfSingleProcessPrivilege	1400	installHelper.exe
Token: SeAssignPrimaryTokenPrivilege	1752	installHelper.exe
Token: SeDebugPrivilege	1752	installHelper.exe
Token: SeChangeNotifyPrivilege	1752	installHelper.exe
Token: SeIncBasePriorityPrivilege	1752	installHelper.exe
Token: SeIncreaseQuotaPrivilege	1752	installHelper.exe
Token: SeProfSingleProcessPrivilege	1752	installHelper.exe
Token: SeAssignPrimaryTokenPrivilege	3004	installHelper.exe
Token: SeDebugPrivilege	3004	installHelper.exe
Token: SeChangeNotifyPrivilege	3004	installHelper.exe
Token: SeIncBasePriorityPrivilege	3004	installHelper.exe
Token: SeIncreaseQuotaPrivilege	3004	installHelper.exe
Token: SeProfSingleProcessPrivilege	3004	installHelper.exe
Token: SeAssignPrimaryTokenPrivilege	1472	ProcessLasso.exe
Token: SeDebugPrivilege	1472	ProcessLasso.exe
Token: SeChangeNotifyPrivilege	1472	ProcessLasso.exe
Token: SeIncBasePriorityPrivilege	1472	ProcessLasso.exe
Token: SeIncreaseQuotaPrivilege	1472	ProcessLasso.exe
Token: SeCreateGlobalPrivilege	1472	ProcessLasso.exe
Token: SeProfSingleProcessPrivilege	1472	ProcessLasso.exe
Token: SeBackupPrivilege	1472	ProcessLasso.exe
Token: SeRestorePrivilege	1472	ProcessLasso.exe
Token: SeAssignPrimaryTokenPrivilege	2100	srvstub.exe
Token: SeCreateGlobalPrivilege	2100	srvstub.exe
Token: SeAssignPrimaryTokenPrivilege	1544	processgovernor.exe
Token: SeDebugPrivilege	1544	processgovernor.exe
Token: SeChangeNotifyPrivilege	1544	processgovernor.exe
Token: SeIncBasePriorityPrivilege	1544	processgovernor.exe
Token: SeIncreaseQuotaPrivilege	1544	processgovernor.exe
Token: SeProfSingleProcessPrivilege	1544	processgovernor.exe
Token: SeCreateGlobalPrivilege	1544	processgovernor.exe
Token: SeBackupPrivilege	1544	processgovernor.exe
Token: SeRestorePrivilege	1544	processgovernor.exe
Token: SeAssignPrimaryTokenPrivilege	2748	ProcessLasso.exe
Token: SeDebugPrivilege	2748	ProcessLasso.exe
Token: SeChangeNotifyPrivilege	2748	ProcessLasso.exe
Token: SeIncBasePriorityPrivilege	2748	ProcessLasso.exe
Token: SeIncreaseQuotaPrivilege	2748	ProcessLasso.exe
Token: SeCreateGlobalPrivilege	2748	ProcessLasso.exe
Token: SeProfSingleProcessPrivilege	2748	ProcessLasso.exe
Token: SeBackupPrivilege	2748	ProcessLasso.exe
Token: SeRestorePrivilege	2748	ProcessLasso.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2288	Process Lasso 14.2.0.32.tmp
1472	ProcessLasso.exe
1472	ProcessLasso.exe
1472	ProcessLasso.exe
1472	ProcessLasso.exe
1472	ProcessLasso.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
1472	ProcessLasso.exe
1472	ProcessLasso.exe
1472	ProcessLasso.exe
1472	ProcessLasso.exe
1472	ProcessLasso.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2288	Process Lasso 14.2.0.32.tmp
2288	Process Lasso 14.2.0.32.tmp
2288	Process Lasso 14.2.0.32.tmp

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 2900	2556	cmd.exe	30
PID 2556 wrote to memory of 2900	2556	cmd.exe	30
PID 2556 wrote to memory of 2900	2556	cmd.exe	30
PID 2556 wrote to memory of 2900	2556	cmd.exe	30
PID 2556 wrote to memory of 2900	2556	cmd.exe	30
PID 2556 wrote to memory of 2900	2556	cmd.exe	30
PID 2556 wrote to memory of 2900	2556	cmd.exe	30
PID 2900 wrote to memory of 2288	2900	Process Lasso 14.2.0.32.exe	31
PID 2900 wrote to memory of 2288	2900	Process Lasso 14.2.0.32.exe	31
PID 2900 wrote to memory of 2288	2900	Process Lasso 14.2.0.32.exe	31
PID 2900 wrote to memory of 2288	2900	Process Lasso 14.2.0.32.exe	31
PID 2900 wrote to memory of 2288	2900	Process Lasso 14.2.0.32.exe	31
PID 2900 wrote to memory of 2288	2900	Process Lasso 14.2.0.32.exe	31
PID 2900 wrote to memory of 2288	2900	Process Lasso 14.2.0.32.exe	31
PID 2288 wrote to memory of 812	2288	Process Lasso 14.2.0.32.tmp	32
PID 2288 wrote to memory of 812	2288	Process Lasso 14.2.0.32.tmp	32
PID 2288 wrote to memory of 812	2288	Process Lasso 14.2.0.32.tmp	32
PID 2288 wrote to memory of 812	2288	Process Lasso 14.2.0.32.tmp	32
PID 2288 wrote to memory of 1512	2288	Process Lasso 14.2.0.32.tmp	33
PID 2288 wrote to memory of 1512	2288	Process Lasso 14.2.0.32.tmp	33
PID 2288 wrote to memory of 1512	2288	Process Lasso 14.2.0.32.tmp	33
PID 2288 wrote to memory of 1512	2288	Process Lasso 14.2.0.32.tmp	33
PID 2288 wrote to memory of 1400	2288	Process Lasso 14.2.0.32.tmp	34
PID 2288 wrote to memory of 1400	2288	Process Lasso 14.2.0.32.tmp	34
PID 2288 wrote to memory of 1400	2288	Process Lasso 14.2.0.32.tmp	34
PID 2288 wrote to memory of 1400	2288	Process Lasso 14.2.0.32.tmp	34
PID 2288 wrote to memory of 1752	2288	Process Lasso 14.2.0.32.tmp	35
PID 2288 wrote to memory of 1752	2288	Process Lasso 14.2.0.32.tmp	35
PID 2288 wrote to memory of 1752	2288	Process Lasso 14.2.0.32.tmp	35
PID 2288 wrote to memory of 1752	2288	Process Lasso 14.2.0.32.tmp	35
PID 2288 wrote to memory of 3004	2288	Process Lasso 14.2.0.32.tmp	36
PID 2288 wrote to memory of 3004	2288	Process Lasso 14.2.0.32.tmp	36
PID 2288 wrote to memory of 3004	2288	Process Lasso 14.2.0.32.tmp	36
PID 2288 wrote to memory of 3004	2288	Process Lasso 14.2.0.32.tmp	36
PID 2324 wrote to memory of 2348	2324	taskeng.exe	39
PID 2324 wrote to memory of 2348	2324	taskeng.exe	39
PID 2324 wrote to memory of 2348	2324	taskeng.exe	39
PID 2100 wrote to memory of 1544	2100	srvstub.exe	41
PID 2100 wrote to memory of 1544	2100	srvstub.exe	41
PID 2100 wrote to memory of 1544	2100	srvstub.exe	41

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\_Silent Install.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Users\Admin\AppData\Local\Temp\Process Lasso 14.2.0.32.exe
  "Process Lasso 14.2.0.32.exe" /SILENT
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Users\Admin\AppData\Local\Temp\is-RA9T1.tmp\Process Lasso 14.2.0.32.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-RA9T1.tmp\Process Lasso 14.2.0.32.tmp" /SL5="$C0156,4754140,60928,C:\Users\Admin\AppData\Local\Temp\Process Lasso 14.2.0.32.exe" /SILENT
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\Windows\regedit.exe
      "C:\Windows\regedit.exe" /S "C:\Users\Admin\AppData\Local\Temp\settings.reg"
      4⤵
      Runs .reg file with regedit
      PID:812
  - - C:\Program Files\Process Lasso\installHelper.exe
      "C:\Program Files\Process Lasso\installHelper.exe" /firstinstall
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      PID:1512
  - - C:\Program Files\Process Lasso\installHelper.exe
      "C:\Program Files\Process Lasso\installHelper.exe" /migrate
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      PID:1400
  - - C:\Program Files\Process Lasso\installHelper.exe
      "C:\Program Files\Process Lasso\installHelper.exe" /powerinstall
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      PID:1752
  - - C:\Program Files\Process Lasso\installHelper.exe
      "C:\Program Files\Process Lasso\installHelper.exe" /install
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      PID:3004

C:\Program Files\Process Lasso\ProcessLasso.exe
"C:\Program Files\Process Lasso\ProcessLasso.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1472

C:\Windows\system32\taskeng.exe
taskeng.exe {FFE9F56D-A85C-49DA-B892-7D7BDD19738E} S-1-5-21-2212144002-1172735686-1556890956-1000:MVFYZPLM\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Program Files\Process Lasso\bitsumsessionagent.exe
  "C:\Program Files\Process Lasso\bitsumsessionagent.exe" ----------------------------------------------------------------
  2⤵
  - Executes dropped EXE
  PID:2348

C:\Program Files\Process Lasso\srvstub.exe
"C:\Program Files\Process Lasso\srvstub.exe" "C:\Program Files\Process Lasso\processgovernor.exe" "ProcessGovernor" /exitevent:Global\ProcessGovernorExitEvent
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Program Files\Process Lasso\processgovernor.exe
  "C:\Program Files\Process Lasso\processgovernor.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1544

C:\Program Files\Process Lasso\ProcessLasso.exe
"C:\Program Files\Process Lasso\ProcessLasso.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Process Lasso\InstallHelper.exe

Filesize
765KB

MD5
5e39c1cb5b265ec880da4d0c64454a15

SHA1
f0cb07ce3241210cf8b1ed5c9998ce10d00262b1

SHA256
ed4dfa63d77507d0403f9c749060a510540d116670f00bfa340c5d1e6d1ea9ef

SHA512
e56c13ed401fbaf5c425c7ff1ccc4cf0ccb1ad3a52864bcb1689bb52e610d15438a6936fc7dd4fbd7aee78853711745606bf391cf5f1b4b4b772fdc0fefd52b6

Download Submit
C:\Program Files\Process Lasso\pl_rsrc_english.dll

Filesize
1.9MB

MD5
40d2b640a737039f0ae3bea77470cdfd

SHA1
f22c0a3ed620659ec76b1dc499b9965e4b6b3a2b

SHA256
be8a66f9560f0f3d2dcb12a3608deeae7a64e87340462c0f409c640580c514f8

SHA512
17b8d4c47875b909e4a70373033dd28cde2f2805509845eaf0ac264c85ddeec657d17276b38f37211d4102de87a8b0c91c646d17826b18c2f4f3f9badc4d3b29

Download Submit
C:\ProgramData\ProcessLasso\config\prolasso.ini

Filesize
8KB

MD5
a91fcce51037e12725d092b8467a7f72

SHA1
692bb6fb77ea87a221ce081d3db2e15a24609fc1

SHA256
f2f106fa5e59ea783318e813e45c0881f495d910fbeccb8cab38f20ab2546730

SHA512
156c4e0cae289291ca8f7b223e5246b80613e4338ba8bbba6d4b5400f59d6f4330d678b2c8751c35f72ae95a5275aa87e0cd11213c02f584b79aeeead1ae0446

Download Submit
C:\ProgramData\ProcessLasso\logs\processlasso.log

Filesize
786B

MD5
683c216348845c8c2f71233d7a6d37ac

SHA1
057b3a274cf47085448ec3cbc0ef2497867f8995

SHA256
26e600e505a7dbb90646c6ad33e98ef5243968e4df0e98777633ee73986c77e3

SHA512
155e1bd3c39fddef7e0069da04331df21201995cbc8ca571d395a4eb293a21d36c2b6b61e889563935223b77d7a61d3e9f237ba7dc0aae78b155af3aeb7a061c

Download Submit
\Program Files\Process Lasso\ProcessGovernor.exe

Filesize
1.2MB

MD5
1656969c2c886b797a88a54da90067af

SHA1
3e2663d555f9fa6b98ad0a5045148a8aeaeaa9b8

SHA256
19ac1e6b66feb45b3db2d4a70724f600463206305ca47a63a2c6742301938548

SHA512
e3cf0775cdf05919556c581dbf0001c9a4a2b8bce91920811320327cfe37fc4ff482c8a10eb224b07de2c89cab1ebc4d6d101c8ca4bb8592b4d83945c5266c13

Download Submit
\Program Files\Process Lasso\ProcessLasso.exe

Filesize
1.8MB

MD5
2c363d84d7ccfea690465a02853f28e7

SHA1
ed70de6b66b112df2725ab21265eec00b54e479a

SHA256
93d27b7a79708ea7704e3e3184203623572ab7d1ca30efdad7ae5b695f5e54d6

SHA512
76cf03de429cdaf179ed12485eca5fac20013d23a7c7c2eb302180aa3bff8d7b6beaf2a029772303a3d5613c2f6f3e70eb4554f5d5ebba565b9abef806d8315e

Download Submit
\Program Files\Process Lasso\bitsumsessionagent.exe

Filesize
177KB

MD5
7f55918ca6706935ebf3000e277ec7f3

SHA1
725b09394b76ccc066ac4fbc00357fbbb2a60f34

SHA256
7592cdd84b1085851f3a6ef03bc386a381117cdb884c720be1bd8dcf62a296ea

SHA512
fe218d72e4e17097143860b57f22de32ecac1b5cbcb93e856404bed7884ce2b389d39f3ed654a1d8bdc5f08847ebfd3fdf9ba0f1f1efd32e55fe6bf250f9afc9

Download Submit
\Program Files\Process Lasso\srvstub.exe

Filesize
133KB

MD5
0e5a9b9dc9735ae5c4893074ba229212

SHA1
47bbc9707bb66752382eec1f2e1dc58b7726f830

SHA256
d7cb65cb2e9829275453abf3bf2eb9cf085ee64d44decd158d51750bfa9597ef

SHA512
73b853a648391b0a36efac4ef35e1ff5e1c7633cfb1cb554445b7381fe9b6b21083c269d7bcfc15e996107cbada45317da703d3c05b0f81a5854b9d447be061f

Download Submit
\Program Files\Process Lasso\unins000.exe

Filesize
918KB

MD5
b7aeb9c7198525a33627fb37bb27e697

SHA1
7dfe2e758a018325cc537536f66490b0e029b975

SHA256
423178479b5763d412b2aa93643768782ca19d7b7a1c6d20e453b07c1a07967c

SHA512
d3310c1883f6eb44c4260e532065de139c881663b37fc45bb12c611777dc1b6355d2ea0b6341374578b8e39b8799c5e46504f87c73c631c97cbe6cc8e3ea8ca8

Download Submit
\Users\Admin\AppData\Local\Temp\is-JNUB6.tmp\ISTask.dll

Filesize
66KB

MD5
86a1311d51c00b278cb7f27796ea442e

SHA1
ac08ac9d08f8f5380e2a9a65f4117862aa861a19

SHA256
e916bdf232744e00cbd8d608168a019c9f41a68a7e8390aa48cfb525276c483d

SHA512
129e4b8dd2665bcfc5e72b4585343c51127b5d027dbb0234291e7a197baeca1bab5ed074e65e5e8c969ee01f9f65cc52c9993037416de9bfff2f872e5aeba7ec

Download Submit
\Users\Admin\AppData\Local\Temp\is-JNUB6.tmp\VclStylesInno.dll

Filesize
3.0MB

MD5
b0ca93ceb050a2feff0b19e65072bbb5

SHA1
7ebbbbe2d2acd8fd516f824338d254a33b69f08d

SHA256
0e93313f42084d804b9ac4be53d844e549cfcaf19e6f276a3b0f82f01b9b2246

SHA512
37242423e62af30179906660c6dbbadca3dc2ba9e562f84315a69f3114765bc08e88321632843dbd78ba1728f8d1ce54a4edfa3b96a9d13e540aee895ae2d8e2

Download Submit
\Users\Admin\AppData\Local\Temp\is-JNUB6.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-RA9T1.tmp\Process Lasso 14.2.0.32.tmp

Filesize
907KB

MD5
3754a5eb2b26e9b6a89bd0690718351a

SHA1
5356815f88cbcc512c74b401c5b1c89f8e950944

SHA256
2006b2b4d5eb64722f0bba35380057c9556a7e8bd4bf95b92cd68d84ba255be6

SHA512
9ad991d58a60924650523f3e59a02389a7e729fbf73a0b20479c590375f40f041e0a7101604d7305ef8d7a8d57ba53e8823a75aa27441757881c604236ab0bec

Download Submit
memory/2288-52-0x00000000020E0000-0x00000000020E1000-memory.dmp

Filesize
4KB

Download
memory/2288-44-0x00000000071C0000-0x0000000007300000-memory.dmp

Filesize
1.2MB

Download
memory/2288-79-0x0000000007310000-0x0000000007311000-memory.dmp

Filesize
4KB

Download
memory/2288-78-0x00000000071C0000-0x0000000007300000-memory.dmp

Filesize
1.2MB

Download
memory/2288-77-0x00000000071C0000-0x0000000007300000-memory.dmp

Filesize
1.2MB

Download
memory/2288-76-0x0000000007300000-0x0000000007301000-memory.dmp

Filesize
4KB

Download
memory/2288-75-0x00000000071C0000-0x0000000007300000-memory.dmp

Filesize
1.2MB

Download
memory/2288-74-0x00000000071C0000-0x0000000007300000-memory.dmp

Filesize
1.2MB

Download
memory/2288-73-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/2288-72-0x00000000071C0000-0x0000000007300000-memory.dmp

Filesize
1.2MB

Download
memory/2288-70-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/2288-68-0x00000000071C0000-0x0000000007300000-memory.dmp

Filesize
1.2MB

Download
memory/2288-67-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/2288-66-0x00000000071C0000-0x0000000007300000-memory.dmp

Filesize
1.2MB

Download
memory/2288-65-0x00000000071C0000-0x0000000007300000-memory.dmp

Filesize
1.2MB

Download
memory/2288-64-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/2288-63-0x00000000071C0000-0x0000000007300000-memory.dmp

Filesize
1.2MB

Download
memory/2288-62-0x00000000071C0000-0x0000000007300000-memory.dmp

Filesize
1.2MB

Download
memory/2288-61-0x0000000002110000-0x0000000002111000-memory.dmp

Filesize
4KB

Download
memory/2288-60-0x00000000071C0000-0x0000000007300000-memory.dmp

Filesize
1.2MB

Download
memory/2288-59-0x00000000071C0000-0x0000000007300000-memory.dmp

Filesize
1.2MB

Download
memory/2288-58-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/2288-57-0x00000000071C0000-0x0000000007300000-memory.dmp

Filesize
1.2MB

Download
memory/2288-55-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/2288-71-0x00000000071C0000-0x0000000007300000-memory.dmp

Filesize
1.2MB

Download
memory/2288-56-0x00000000071C0000-0x0000000007300000-memory.dmp

Filesize
1.2MB

Download
memory/2288-53-0x00000000071C0000-0x0000000007300000-memory.dmp

Filesize
1.2MB

Download
memory/2288-82-0x0000000007320000-0x0000000007321000-memory.dmp

Filesize
4KB

Download
memory/2288-51-0x00000000071C0000-0x0000000007300000-memory.dmp

Filesize
1.2MB

Download
memory/2288-50-0x00000000071C0000-0x0000000007300000-memory.dmp

Filesize
1.2MB

Download
memory/2288-49-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/2288-48-0x00000000071C0000-0x0000000007300000-memory.dmp

Filesize
1.2MB

Download
memory/2288-47-0x00000000071C0000-0x0000000007300000-memory.dmp

Filesize
1.2MB

Download
memory/2288-46-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

Filesize
4KB

Download
memory/2288-45-0x00000000071C0000-0x0000000007300000-memory.dmp

Filesize
1.2MB

Download
memory/2288-80-0x00000000071C0000-0x0000000007300000-memory.dmp

Filesize
1.2MB

Download
memory/2288-43-0x0000000001F90000-0x0000000001F91000-memory.dmp

Filesize
4KB

Download
memory/2288-42-0x00000000071C0000-0x0000000007300000-memory.dmp

Filesize
1.2MB

Download
memory/2288-39-0x00000000071C0000-0x0000000007300000-memory.dmp

Filesize
1.2MB

Download
memory/2288-38-0x00000000071C0000-0x0000000007300000-memory.dmp

Filesize
1.2MB

Download
memory/2288-37-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/2288-36-0x00000000071C0000-0x0000000007300000-memory.dmp

Filesize
1.2MB

Download
memory/2288-35-0x00000000071C0000-0x0000000007300000-memory.dmp

Filesize
1.2MB

Download
memory/2288-34-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2288-33-0x00000000071C0000-0x0000000007300000-memory.dmp

Filesize
1.2MB

Download
memory/2288-32-0x00000000071C0000-0x0000000007300000-memory.dmp

Filesize
1.2MB

Download
memory/2288-31-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2288-30-0x00000000071C0000-0x0000000007300000-memory.dmp

Filesize
1.2MB

Download
memory/2288-29-0x00000000071C0000-0x0000000007300000-memory.dmp

Filesize
1.2MB

Download
memory/2288-28-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2288-54-0x00000000071C0000-0x0000000007300000-memory.dmp

Filesize
1.2MB

Download
memory/2288-41-0x00000000071C0000-0x0000000007300000-memory.dmp

Filesize
1.2MB

Download
memory/2288-40-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/2288-25-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2288-91-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2288-92-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2288-93-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2288-83-0x00000000071C0000-0x0000000007300000-memory.dmp

Filesize
1.2MB

Download
memory/2288-84-0x00000000071C0000-0x0000000007300000-memory.dmp

Filesize
1.2MB

Download
memory/2288-81-0x00000000071C0000-0x0000000007300000-memory.dmp

Filesize
1.2MB

Download
memory/2288-69-0x00000000071C0000-0x0000000007300000-memory.dmp

Filesize
1.2MB

Download
memory/2288-217-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2288-27-0x00000000071C0000-0x0000000007300000-memory.dmp

Filesize
1.2MB

Download
memory/2288-26-0x00000000071C0000-0x0000000007300000-memory.dmp

Filesize
1.2MB

Download
memory/2288-23-0x0000000006EA0000-0x00000000071BA000-memory.dmp

Filesize
3.1MB

Download
memory/2288-19-0x0000000000370000-0x0000000000386000-memory.dmp

Filesize
88KB

Download
memory/2288-11-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2900-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2900-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download