9975147ac3ace54f4422b02e9529d888520e3ae6f5e14abe84123a4e2f36515e

General

Target

9975147ac3ace54f4422b02e9529d888520e3ae6f5e14abe84123a4e2f36515e.exe
Size

2.6MB
MD5

2c97eef01ea5c14ca5c4367b89c371d3
SHA1

d761c5cb4dd2b1c8e4661afb95c4ae352dec0e2f
SHA256

9975147ac3ace54f4422b02e9529d888520e3ae6f5e14abe84123a4e2f36515e
SHA512

41152cf1e9dd32dd072e4a73cbd485091586eecb75aba50a8302ef0150f82c71cbfdcd3e3540fdd403cf73d8570bbc666a8d55e79cfc286fd2b8fee761ec536b
SSDEEP

49152:LILv2mCAlGe+lcR33avKkGPHGDX2g7XQrCHjyeSztpxfIi:Ly2mflGzlS33avCHGz77XdH+ttpxR

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	9975147ac3ace54f4422b02e9529d888520e3ae6f5e14abe84123a4e2f36515e.exe

Executes dropped EXE 3 IoCs

pid	Process
4988	PostUpdate.exe
1784	bitsumsessionagent.exe
4160	processlasso.exe

Loads dropped DLL 4 IoCs

pid	Process
4988	PostUpdate.exe
4988	PostUpdate.exe
4160	processlasso.exe
4160	processlasso.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsumsessionagent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	processlasso.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9975147ac3ace54f4422b02e9529d888520e3ae6f5e14abe84123a4e2f36515e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PostUpdate.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PostUpdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	processlasso.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	processlasso.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PostUpdate.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1784	bitsumsessionagent.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	4160	processlasso.exe
Token: SeDebugPrivilege	4160	processlasso.exe
Token: SeChangeNotifyPrivilege	4160	processlasso.exe
Token: SeIncBasePriorityPrivilege	4160	processlasso.exe
Token: SeIncreaseQuotaPrivilege	4160	processlasso.exe
Token: SeCreateGlobalPrivilege	4160	processlasso.exe
Token: SeProfSingleProcessPrivilege	4160	processlasso.exe
Token: SeBackupPrivilege	4160	processlasso.exe
Token: SeRestorePrivilege	4160	processlasso.exe
Token: SeShutdownPrivilege	4160	processlasso.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4248 wrote to memory of 4988	4248	9975147ac3ace54f4422b02e9529d888520e3ae6f5e14abe84123a4e2f36515e.exe	87
PID 4248 wrote to memory of 4988	4248	9975147ac3ace54f4422b02e9529d888520e3ae6f5e14abe84123a4e2f36515e.exe	87
PID 4248 wrote to memory of 4988	4248	9975147ac3ace54f4422b02e9529d888520e3ae6f5e14abe84123a4e2f36515e.exe	87
PID 4988 wrote to memory of 4160	4988	PostUpdate.exe	90
PID 4988 wrote to memory of 4160	4988	PostUpdate.exe	90
PID 4988 wrote to memory of 4160	4988	PostUpdate.exe	90

C:\Users\Admin\AppData\Local\Temp\9975147ac3ace54f4422b02e9529d888520e3ae6f5e14abe84123a4e2f36515e.exe
"C:\Users\Admin\AppData\Local\Temp\9975147ac3ace54f4422b02e9529d888520e3ae6f5e14abe84123a4e2f36515e.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4248
- C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:4988
- - C:\Users\Admin\AppData\Local\Temp\processlasso.exe
    /postupdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:4160

C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe
C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe ----------------------------------------------------------------
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe

Filesize
627KB

MD5
8f5a6b1f55b9c5104fe8947a13c76371

SHA1
c7823c9d57b20d24f94c27ef470a88010ea48157

SHA256
2b4dca1adcbee9a02e37597179b62e77dbfe214dd5e1e1bbaa0a55ede86a62b6

SHA512
f11da4cf15e42a2f27a47a85275faf04ae230f9f5ba7fafa91a4637de8966ece0037c797d2c76764a42848975afcc2de534dfca434c44e1b9ab94b3902e69b36

Download Submit
C:\Users\Admin\AppData\Local\Temp\ProcessLasso.exe

Filesize
1.6MB

MD5
f21ffe26e307b4364f176d4637cf70a7

SHA1
122e59001fbd56439fb7c0cafd6229891722a125

SHA256
1e94b5a8a2fcd4d53cdf97f7c5f7d9989c2682003a19321122404d77cef0cc66

SHA512
99cd5bcbf2a8eb2f7acdb1569fdc499a4cd60a4ecba225d008063cbd2e3dce9822784161b2b33c5d62b0a635fd8173952a6e566046baf2d4153d51197999290a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QuickUpgrade.exe.Replacement

Filesize
422KB

MD5
3551037b428548213f880ee755ca2390

SHA1
559ac9a2afd252e1e42c29d329272ab44cd889e8

SHA256
8a1bfbc22006c9c49579fb9e101c4a5fb75c071b13b05a743aa28e4541976461

SHA512
e310e2d2f969902ae7dd4746dab6c72ae7b86684334c903d70660a45fdfcefb178ceec491f17cb9d7aaf9813b35e71d5c425ef2e3277eb26c31af920c783feee

Download Submit
C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe

Filesize
141KB

MD5
131d6447e2eb18559d07bb930a3438b5

SHA1
f0e32e9283a97e703e80539d8c9e849ab892d4be

SHA256
f386f3b6a988edea3b18ef064414c07c371dc924c25d38a2fa6ad2a3cfa9cbc6

SHA512
6597dee4f053a2fb2ff67b4b4df55d535ac5429c4e9434ff79cb7b0431435ee7293cfbeadbc1500c6a2d5f9e5b30b49a0a800c643637e57e0e65b5578f189553

Download Submit
C:\Users\Admin\AppData\Local\Temp\pl_rsrc_english.dll

Filesize
1.9MB

MD5
63617d06773b98d4d020d2d06c0b530c

SHA1
49f8306c4be6610ea940031915acdb89e85e6a6e

SHA256
bd35f9e6f2b7c976975ba634dfeb516451fc4a9c98fa8536b28ed5b6f2bab9ec

SHA512
1066f88e9f40f064bce9c4fb2c7424e80265f14def43c1e74d4f818634e151b5e1d4b4280e876ac591dc3d5280abbe1d649e4c89ec24251a4061f656313ef647

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads