c95e8749e27bebda69f7878f74af7ef776ce39cbb18a6bbdadbf62ca6fe80251

General

Target

c95e8749e27bebda69f7878f74af7ef776ce39cbb18a6bbdadbf62ca6fe80251.exe
Size

2.6MB
MD5

4c7ab8728ef0853463015cb322e1ac50
SHA1

5b3beb687e63f2328bdd772d33981d24d93199d5
SHA256

c95e8749e27bebda69f7878f74af7ef776ce39cbb18a6bbdadbf62ca6fe80251
SHA512

1aec56fe5200cda2cc46ec298b16df53a0f162c84f04eb2e66d810ae9fc49ecc5de534cd9ff23b8f7d52d006bff9621d6e0b92b9f9708a74338c1a6a999a4546
SSDEEP

49152:1ILB+OFUpkmLS9QQBgrTQkCmczQ++2Fe6Gr2I5VP+ubFWVH5:1Y+O+mN+g55ms9Cr2S+ubMV

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2812	PostUpdate.exe
2152	processlasso.exe
2408	bitsumsessionagent.exe

Loads dropped DLL 7 IoCs

pid	Process
1820	c95e8749e27bebda69f7878f74af7ef776ce39cbb18a6bbdadbf62ca6fe80251.exe
1820	c95e8749e27bebda69f7878f74af7ef776ce39cbb18a6bbdadbf62ca6fe80251.exe
1820	c95e8749e27bebda69f7878f74af7ef776ce39cbb18a6bbdadbf62ca6fe80251.exe
1820	c95e8749e27bebda69f7878f74af7ef776ce39cbb18a6bbdadbf62ca6fe80251.exe
2812	PostUpdate.exe
2812	PostUpdate.exe
2152	processlasso.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c95e8749e27bebda69f7878f74af7ef776ce39cbb18a6bbdadbf62ca6fe80251.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PostUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	processlasso.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsumsessionagent.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PostUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PostUpdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	processlasso.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	processlasso.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2152	processlasso.exe
2408	bitsumsessionagent.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	2152	processlasso.exe
Token: SeDebugPrivilege	2152	processlasso.exe
Token: SeChangeNotifyPrivilege	2152	processlasso.exe
Token: SeIncBasePriorityPrivilege	2152	processlasso.exe
Token: SeIncreaseQuotaPrivilege	2152	processlasso.exe
Token: SeCreateGlobalPrivilege	2152	processlasso.exe
Token: SeProfSingleProcessPrivilege	2152	processlasso.exe
Token: SeBackupPrivilege	2152	processlasso.exe
Token: SeRestorePrivilege	2152	processlasso.exe
Token: SeShutdownPrivilege	2152	processlasso.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 2812	1820	c95e8749e27bebda69f7878f74af7ef776ce39cbb18a6bbdadbf62ca6fe80251.exe	29
PID 1820 wrote to memory of 2812	1820	c95e8749e27bebda69f7878f74af7ef776ce39cbb18a6bbdadbf62ca6fe80251.exe	29
PID 1820 wrote to memory of 2812	1820	c95e8749e27bebda69f7878f74af7ef776ce39cbb18a6bbdadbf62ca6fe80251.exe	29
PID 1820 wrote to memory of 2812	1820	c95e8749e27bebda69f7878f74af7ef776ce39cbb18a6bbdadbf62ca6fe80251.exe	29
PID 1820 wrote to memory of 2812	1820	c95e8749e27bebda69f7878f74af7ef776ce39cbb18a6bbdadbf62ca6fe80251.exe	29
PID 1820 wrote to memory of 2812	1820	c95e8749e27bebda69f7878f74af7ef776ce39cbb18a6bbdadbf62ca6fe80251.exe	29
PID 1820 wrote to memory of 2812	1820	c95e8749e27bebda69f7878f74af7ef776ce39cbb18a6bbdadbf62ca6fe80251.exe	29
PID 2812 wrote to memory of 2152	2812	PostUpdate.exe	32
PID 2812 wrote to memory of 2152	2812	PostUpdate.exe	32
PID 2812 wrote to memory of 2152	2812	PostUpdate.exe	32
PID 2812 wrote to memory of 2152	2812	PostUpdate.exe	32
PID 2484 wrote to memory of 2408	2484	taskeng.exe	33
PID 2484 wrote to memory of 2408	2484	taskeng.exe	33
PID 2484 wrote to memory of 2408	2484	taskeng.exe	33
PID 2484 wrote to memory of 2408	2484	taskeng.exe	33

C:\Users\Admin\AppData\Local\Temp\c95e8749e27bebda69f7878f74af7ef776ce39cbb18a6bbdadbf62ca6fe80251.exe
"C:\Users\Admin\AppData\Local\Temp\c95e8749e27bebda69f7878f74af7ef776ce39cbb18a6bbdadbf62ca6fe80251.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Users\Admin\AppData\Local\Temp\processlasso.exe
    /postupdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2152

C:\Windows\system32\taskeng.exe
taskeng.exe {5DDFF5D8-B868-4650-8146-E16A2727B869} S-1-5-21-2172136094-3310281978-782691160-1000:EXCFTDUU\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe
  C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe ----------------------------------------------------------------
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QuickUpgrade.exe.Replacement

Filesize
422KB

MD5
0e89b2011fdabfe70cf9b29c08a6af7a

SHA1
98c1d8d7afbe0394c0edfd8cc7c394414ecaa7f7

SHA256
b3f8fe6a50977dc2add66b229ce1fef278f7360b0136b552b040b4ffccc87c3f

SHA512
40ba8f3661439389f9049cc7e47a82371ae34a3bdac23310336cc06f471ee7735ac263a5195bc4172f5ec72f03a5f88071df834f5fa612b8124a03759bec13e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe

Filesize
141KB

MD5
5eb29c253d53f83f0f5793c0bc6186c8

SHA1
38227c5f2f077ab9f96e343fd7ddbca631d9277e

SHA256
0c240bcfd2c92c198cffbe48cae81b2e52f212937b798060617fc6b832965049

SHA512
4b2b6e481ab7fd166fede8dd229ef754826cc7379ad486321378519a9d984922bef235ed91e87bbdff11669266b2df9ccf79c9ce31bfcd4173cdf980b7f96bc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\pl_rsrc_english.dll

Filesize
1.9MB

MD5
b74543a5f80fdc35214861711809fc5f

SHA1
102d43b48bce4c1160a7910870129a51607b6461

SHA256
ad484061cbe0dde31e1b8b8a061d4a114325a5cc5ea6795719eb3b6fb7d543eb

SHA512
0d9b4ecd544e05f4b6be313c628ce80e673c28c082cb2ee878245c26577af562841e6abe0b4ec403e05116ab576b464dcb784a36c0a8e00458f04adbbb48ce15

Download Submit
\Users\Admin\AppData\Local\Temp\PostUpdate.exe

Filesize
617KB

MD5
dccc1f5c561ec80e9f03f4e86772970c

SHA1
718b8e61c8c162f69f5d382830e53ef08273e506

SHA256
d89cb054b21f8390772fe28ded33a3a4a99c07fae4ff8daa30c25d98e63d8e0c

SHA512
4b8216d113beb2a1ecf31f1727d0c28286cbf8ca2eea442bee4488b3863226eac966bb129fb98ad08e6db2a4ccb39de719351ef15c83d689c9e3835afc07a720

Download Submit
\Users\Admin\AppData\Local\Temp\ProcessLasso.exe

Filesize
1.6MB

MD5
21ca650c6cf40881c9ccb7ec666b7682

SHA1
e31fc9900dfc8e28b6f1296f02144cb26e9c4d18

SHA256
a9aa256a2c20ca629bfe49c8bbea6e9a16df0156af86afc160f3a0ffe4dcdcf3

SHA512
19cc1264d8998208d38214d09a5da37b78faf165d72f9f244141877bd3008d65eeed7e35478d1e304cf16a6093aed77c4585574161c2d9ac631ba16a46d23272

Download Submit

Analysis

Sharing