5aaa587413804ed99aea2468316ccdad53587728953f9c983dcf56d061ba04a0

General

Target

5aaa587413804ed99aea2468316ccdad53587728953f9c983dcf56d061ba04a0.exe
Size

2.8MB
MD5

6b2267b9f4c66d603cc5acc082885101
SHA1

8d491e53b1b8e6ea33796f414b45990ead605fe9
SHA256

5aaa587413804ed99aea2468316ccdad53587728953f9c983dcf56d061ba04a0
SHA512

6892073c1406de20a5845c5c8c7dccea8f507a67b11d7ad39bc610ed9981ce7a59a2d969891d561f7177f9fed3b877236167474d9a9e81bfd2def0eb88301bbb
SSDEEP

49152:1ILPyH0RhohKKNZarfmNVgzzzk43kdn9ZBsnx9z3jglT:1ynvslNZBUzzz30VynxNTg

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2468	PostUpdate.exe
672	processlasso.exe
2916	bitsumsessionagent.exe

Loads dropped DLL 6 IoCs

pid	Process
2504	5aaa587413804ed99aea2468316ccdad53587728953f9c983dcf56d061ba04a0.exe
2468	PostUpdate.exe
2468	PostUpdate.exe
672	processlasso.exe
1276	Process not Found
1996	taskeng.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5aaa587413804ed99aea2468316ccdad53587728953f9c983dcf56d061ba04a0.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	processlasso.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	processlasso.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PostUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PostUpdate.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
672	processlasso.exe
2916	bitsumsessionagent.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	672	processlasso.exe
Token: SeDebugPrivilege	672	processlasso.exe
Token: SeChangeNotifyPrivilege	672	processlasso.exe
Token: SeIncBasePriorityPrivilege	672	processlasso.exe
Token: SeIncreaseQuotaPrivilege	672	processlasso.exe
Token: SeCreateGlobalPrivilege	672	processlasso.exe
Token: SeProfSingleProcessPrivilege	672	processlasso.exe
Token: SeBackupPrivilege	672	processlasso.exe
Token: SeRestorePrivilege	672	processlasso.exe
Token: SeShutdownPrivilege	672	processlasso.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2468	2504	5aaa587413804ed99aea2468316ccdad53587728953f9c983dcf56d061ba04a0.exe	30
PID 2504 wrote to memory of 2468	2504	5aaa587413804ed99aea2468316ccdad53587728953f9c983dcf56d061ba04a0.exe	30
PID 2504 wrote to memory of 2468	2504	5aaa587413804ed99aea2468316ccdad53587728953f9c983dcf56d061ba04a0.exe	30
PID 2504 wrote to memory of 2468	2504	5aaa587413804ed99aea2468316ccdad53587728953f9c983dcf56d061ba04a0.exe	30
PID 2468 wrote to memory of 672	2468	PostUpdate.exe	33
PID 2468 wrote to memory of 672	2468	PostUpdate.exe	33
PID 2468 wrote to memory of 672	2468	PostUpdate.exe	33
PID 1996 wrote to memory of 2916	1996	taskeng.exe	34
PID 1996 wrote to memory of 2916	1996	taskeng.exe	34
PID 1996 wrote to memory of 2916	1996	taskeng.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5aaa587413804ed99aea2468316ccdad53587728953f9c983dcf56d061ba04a0.exe
"C:\Users\Admin\AppData\Local\Temp\5aaa587413804ed99aea2468316ccdad53587728953f9c983dcf56d061ba04a0.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Users\Admin\AppData\Local\Temp\processlasso.exe
    /postupdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:672

C:\Windows\system32\taskeng.exe
taskeng.exe {E6FD79BD-D5B0-469E-AA06-73B10B82725C} S-1-5-21-3294248377-1418901787-4083263181-1000:FMEDFXFE\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe
  C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe ----------------------------------------------------------------
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QuickUpgrade.exe.Replacement

Filesize
471KB

MD5
5803266c30119e9a971dd1c4494702df

SHA1
c27517cc3108ba6c4854eb7ab41758c92851143c

SHA256
628a65dc11c4b55b43eea2c4681eb60f949c13cfdf2d449e963884405d78caa4

SHA512
612e9b16bd0ab611450e27d174699fdfc6dfece67f51ce9ba7cbe565424950acf54d5108bd11f8c91397657b0a85681b056a504585b963b87225f77af49ec26f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe

Filesize
177KB

MD5
2afabffcbaa641c40f431fdc296201b6

SHA1
67e62a3c83bcf5d52a6fe85aeeaa5637c07da090

SHA256
24aaf69bf5a25380f8c76267119f91e8e70c1b14192826eaebb56d999b06ce92

SHA512
a55340d035ed5a4ecf888a3c3a9de8ebb6759fbf62fc91c4a84aeb4d47da9063e9d8e53f4d32b1e35841cff4a1cdb45eb1d7ff8a668e85b18a22541156b7be88

Download Submit
\Users\Admin\AppData\Local\Temp\PostUpdate.exe

Filesize
671KB

MD5
872fa39795ce83c7ba2017490fc1df53

SHA1
cb6ab126ee845908953fc320999f5a90dd8df80d

SHA256
3ebfaaa7fde24b2641a61a124c71d4208c9fc56816ef7878496ffbb372d2e791

SHA512
5485dbc789777d6fea201cc295127060699bcbd671176e6f4a8e832a515f8ba78f1f883ffb70a5e5dd95c64767516e9e699a4dc2d1452ab76a0ba4ed3da89f7b

Download Submit
\Users\Admin\AppData\Local\Temp\ProcessLasso.exe

Filesize
1.8MB

MD5
2a16f331a6c1c5d4ed95325ce6726174

SHA1
47059814aa82669246dd0b7d3b8d3ab86d28f950

SHA256
8a9a1d7a2a984d020fb2313acf87d5954c9f4fc803fc6e04a516c29b005e9410

SHA512
faf558fb72704547cbbbd68de4d2ddb956a93fde2735531d4c226e67224835fd13b1720dad1b5bdb6a3e0d144c6a80cf0aa0ae6766487ea6d31b8c9aa5d8ddae

Download Submit
\Users\Admin\AppData\Local\Temp\pl_rsrc_english.dll

Filesize
1.9MB

MD5
24dfa3d9b685b41d88f11ece73522546

SHA1
398a18644e23e228837601d01ed3ded2f4b00400

SHA256
619b5756154763fa227f51bcd686f8827c0ee4dcc325e182681f5244df78ca11

SHA512
fdf5399d8af185190e93bb1c098006e39bf83b9a57a582f8e87ba9611c541acbd46c3f4060e19c837cac0ce2cd3de248a63acfe55f192941b2b478490cd99b8f

Download Submit

Analysis

Sharing