5aaa587413804ed99aea2468316ccdad53587728953f9c983dcf56d061ba04a0

General

Target

5aaa587413804ed99aea2468316ccdad53587728953f9c983dcf56d061ba04a0.exe
Size

2.8MB
MD5

6b2267b9f4c66d603cc5acc082885101
SHA1

8d491e53b1b8e6ea33796f414b45990ead605fe9
SHA256

5aaa587413804ed99aea2468316ccdad53587728953f9c983dcf56d061ba04a0
SHA512

6892073c1406de20a5845c5c8c7dccea8f507a67b11d7ad39bc610ed9981ce7a59a2d969891d561f7177f9fed3b877236167474d9a9e81bfd2def0eb88301bbb
SSDEEP

49152:1ILPyH0RhohKKNZarfmNVgzzzk43kdn9ZBsnx9z3jglT:1ynvslNZBUzzz30VynxNTg

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	5aaa587413804ed99aea2468316ccdad53587728953f9c983dcf56d061ba04a0.exe

Executes dropped EXE 3 IoCs

pid	Process
1904	PostUpdate.exe
5092	bitsumsessionagent.exe
2184	processlasso.exe

Loads dropped DLL 4 IoCs

pid	Process
1904	PostUpdate.exe
1904	PostUpdate.exe
2184	processlasso.exe
2184	processlasso.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5aaa587413804ed99aea2468316ccdad53587728953f9c983dcf56d061ba04a0.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PostUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PostUpdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	processlasso.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	processlasso.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5092	bitsumsessionagent.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	2184	processlasso.exe
Token: SeDebugPrivilege	2184	processlasso.exe
Token: SeChangeNotifyPrivilege	2184	processlasso.exe
Token: SeIncBasePriorityPrivilege	2184	processlasso.exe
Token: SeIncreaseQuotaPrivilege	2184	processlasso.exe
Token: SeCreateGlobalPrivilege	2184	processlasso.exe
Token: SeProfSingleProcessPrivilege	2184	processlasso.exe
Token: SeBackupPrivilege	2184	processlasso.exe
Token: SeRestorePrivilege	2184	processlasso.exe
Token: SeShutdownPrivilege	2184	processlasso.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 1904	4868	5aaa587413804ed99aea2468316ccdad53587728953f9c983dcf56d061ba04a0.exe	87
PID 4868 wrote to memory of 1904	4868	5aaa587413804ed99aea2468316ccdad53587728953f9c983dcf56d061ba04a0.exe	87
PID 1904 wrote to memory of 2184	1904	PostUpdate.exe	90
PID 1904 wrote to memory of 2184	1904	PostUpdate.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5aaa587413804ed99aea2468316ccdad53587728953f9c983dcf56d061ba04a0.exe
"C:\Users\Admin\AppData\Local\Temp\5aaa587413804ed99aea2468316ccdad53587728953f9c983dcf56d061ba04a0.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Users\Admin\AppData\Local\Temp\processlasso.exe
    /postupdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:2184

C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe
C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe ----------------------------------------------------------------
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:5092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe

Filesize
671KB

MD5
872fa39795ce83c7ba2017490fc1df53

SHA1
cb6ab126ee845908953fc320999f5a90dd8df80d

SHA256
3ebfaaa7fde24b2641a61a124c71d4208c9fc56816ef7878496ffbb372d2e791

SHA512
5485dbc789777d6fea201cc295127060699bcbd671176e6f4a8e832a515f8ba78f1f883ffb70a5e5dd95c64767516e9e699a4dc2d1452ab76a0ba4ed3da89f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QuickUpgrade.exe.Replacement

Filesize
471KB

MD5
5803266c30119e9a971dd1c4494702df

SHA1
c27517cc3108ba6c4854eb7ab41758c92851143c

SHA256
628a65dc11c4b55b43eea2c4681eb60f949c13cfdf2d449e963884405d78caa4

SHA512
612e9b16bd0ab611450e27d174699fdfc6dfece67f51ce9ba7cbe565424950acf54d5108bd11f8c91397657b0a85681b056a504585b963b87225f77af49ec26f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe

Filesize
177KB

MD5
2afabffcbaa641c40f431fdc296201b6

SHA1
67e62a3c83bcf5d52a6fe85aeeaa5637c07da090

SHA256
24aaf69bf5a25380f8c76267119f91e8e70c1b14192826eaebb56d999b06ce92

SHA512
a55340d035ed5a4ecf888a3c3a9de8ebb6759fbf62fc91c4a84aeb4d47da9063e9d8e53f4d32b1e35841cff4a1cdb45eb1d7ff8a668e85b18a22541156b7be88

Download Submit
C:\Users\Admin\AppData\Local\Temp\pl_rsrc_english.dll

Filesize
1.9MB

MD5
24dfa3d9b685b41d88f11ece73522546

SHA1
398a18644e23e228837601d01ed3ded2f4b00400

SHA256
619b5756154763fa227f51bcd686f8827c0ee4dcc325e182681f5244df78ca11

SHA512
fdf5399d8af185190e93bb1c098006e39bf83b9a57a582f8e87ba9611c541acbd46c3f4060e19c837cac0ce2cd3de248a63acfe55f192941b2b478490cd99b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\processlasso.exe

Filesize
1.8MB

MD5
2a16f331a6c1c5d4ed95325ce6726174

SHA1
47059814aa82669246dd0b7d3b8d3ab86d28f950

SHA256
8a9a1d7a2a984d020fb2313acf87d5954c9f4fc803fc6e04a516c29b005e9410

SHA512
faf558fb72704547cbbbd68de4d2ddb956a93fde2735531d4c226e67224835fd13b1720dad1b5bdb6a3e0d144c6a80cf0aa0ae6766487ea6d31b8c9aa5d8ddae

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads