8a1bfbc22006c9c49579fb9e101c4a5fb75c071b13b05a743aa28e4541976461

General

Target

3551037b428548213f880ee755ca2390N.exe
Size

422KB
MD5

3551037b428548213f880ee755ca2390
SHA1

559ac9a2afd252e1e42c29d329272ab44cd889e8
SHA256

8a1bfbc22006c9c49579fb9e101c4a5fb75c071b13b05a743aa28e4541976461
SHA512

e310e2d2f969902ae7dd4746dab6c72ae7b86684334c903d70660a45fdfcefb178ceec491f17cb9d7aaf9813b35e71d5c425ef2e3277eb26c31af920c783feee
SSDEEP

3072:AYLf3GqW1ywnfwdiEu6+7UPToMVsPARgW/TCD5uSYzZPXQKlU2k7HoZ7WK7TxqNo:AirW1n4d//PTJOYRgsTxFxU27WGYhRnC

Score

6^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	3551037b428548213f880ee755ca2390N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	pl4sfx.exe

Executes dropped EXE 4 IoCs

pid	Process
2352	pl4sfx.exe
60	PostUpdate.exe
1688	bitsumsessionagent.exe
2852	processlasso.exe

Loads dropped DLL 4 IoCs

pid	Process
60	PostUpdate.exe
60	PostUpdate.exe
2852	processlasso.exe
2852	processlasso.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3551037b428548213f880ee755ca2390N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pl4sfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PostUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsumsessionagent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	processlasso.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PostUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PostUpdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	processlasso.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	processlasso.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1688	bitsumsessionagent.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	2852	processlasso.exe
Token: SeDebugPrivilege	2852	processlasso.exe
Token: SeChangeNotifyPrivilege	2852	processlasso.exe
Token: SeIncBasePriorityPrivilege	2852	processlasso.exe
Token: SeIncreaseQuotaPrivilege	2852	processlasso.exe
Token: SeCreateGlobalPrivilege	2852	processlasso.exe
Token: SeProfSingleProcessPrivilege	2852	processlasso.exe
Token: SeBackupPrivilege	2852	processlasso.exe
Token: SeRestorePrivilege	2852	processlasso.exe
Token: SeShutdownPrivilege	2852	processlasso.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4420 wrote to memory of 2352	4420	3551037b428548213f880ee755ca2390N.exe	88
PID 4420 wrote to memory of 2352	4420	3551037b428548213f880ee755ca2390N.exe	88
PID 4420 wrote to memory of 2352	4420	3551037b428548213f880ee755ca2390N.exe	88
PID 2352 wrote to memory of 60	2352	pl4sfx.exe	92
PID 2352 wrote to memory of 60	2352	pl4sfx.exe	92
PID 2352 wrote to memory of 60	2352	pl4sfx.exe	92
PID 60 wrote to memory of 2852	60	PostUpdate.exe	95
PID 60 wrote to memory of 2852	60	PostUpdate.exe	95
PID 60 wrote to memory of 2852	60	PostUpdate.exe	95

C:\Users\Admin\AppData\Local\Temp\3551037b428548213f880ee755ca2390N.exe
"C:\Users\Admin\AppData\Local\Temp\3551037b428548213f880ee755ca2390N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Users\Admin\AppData\Local\Temp\bitsum\processlasso\pl4sfx.exe
  "C:\Users\Admin\AppData\Local\Temp\bitsum\processlasso\pl4sfx.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe
    "C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    PID:60
  - - C:\Users\Admin\AppData\Local\Temp\processlasso.exe
      /postupdate
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      PID:2852

C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe
C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe ----------------------------------------------------------------
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe

Filesize
627KB

MD5
76a0b3c6a81a8b8c454c9a9d26e60b01

SHA1
363985917da4235e1af5c305f8413cdf23d96821

SHA256
7656417fecc53631a163061c9ec14bcdf286d1a5a5364eef34963c3a836722d6

SHA512
6bc4a9f616c847ed92cbbd882c47b8953efea5d97ac023f2525784eaf6e940686f2ddd1bea2a55134ace10e7de72fa58c02912ca6c6e5005d5a2997b6bf5f34e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ProcessLasso.exe

Filesize
1.6MB

MD5
0790562361cf733a7ec381a83b815681

SHA1
7a9364049718b6a26141d717b4c918cc22084d77

SHA256
f44308768b7145b11a9ce52426528c88e221b47fe8d4145f066e734e1c60eaee

SHA512
a6bc71fc5de83228ebb6184e9469165de0bac201d488ac41011acdcdc0c1a6bcedac62b0e10880639027459a1a15422156ae43a05d808901975467b3f5cb2bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\QuickUpgrade.exe.Replacement

Filesize
422KB

MD5
d720f448ea02b3c7e2b7291b40f31ac3

SHA1
2035ce95916c1d95867d0a6bc035cee068f84d30

SHA256
f8d3768681d2de474fc78da649ce02662d1760b8cb139b8158e1438cafd42baa

SHA512
5a021ce5d0b0790efcb560b7089404b744080b1f9f8e5fd05aaf9d557b25b6c9e649ef69a9a83261d0a3f1a368b2898341929477ffa774c8dde6cd97e42efcc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\bitsum\processlasso\pl4sfx.exe

Filesize
2.6MB

MD5
898a1344f19966a14a8c087ffc7226db

SHA1
88882e1f04d793f4d2e1855b6c70174f08fbb8fb

SHA256
ef28f9534b9f44f6010337b7323c9afbf647248bda524216103b797972e5ca49

SHA512
812716ee4e5f379a809ece3b48eb797f448ff52aa250c4bfc5c4111c8c63d19c9dd92eab2d299a7848206d959a577cf3cf1b0120429535c4040a4473732d463f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe

Filesize
141KB

MD5
9fea26f0f8751f6c32f9b4e47b5b957e

SHA1
f75de183a1580d8662da086c72eeaa4aab7c21be

SHA256
562937de703f04771ccd4e7bb0c3ffc38c22d2e2bb44d8a7dfd0a7663a6c6e8b

SHA512
e4421b9fb4c0c6b6514715353126eec1e4a61a28e36ba49b77a8842988e40a606ecab1096f7aaf1e5e44c0547732616bf5b0a672974086d0fb673a5033aa4d11

Download Submit
C:\Users\Admin\AppData\Local\Temp\pl_rsrc_english.dll

Filesize
1.9MB

MD5
ff7ffcf822b20dd46a6ff87868e8e3ec

SHA1
2bf83ae40009f2b365eba6a339b93626dde1d8a0

SHA256
0d5e766156f38a7a626e9bd101bb8010cf480b7d0d6c2a2c9391ed1e854493b2

SHA512
474a487e937d461ef3391ccf6a9ab678a3b5218e1768b22272b74a9fafe8144dcf6318258a7b9e8883e61f144c30676eee64af3573bef6ac18f122b1ebaea770

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads