4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-10-2024 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772N.exe
Size

280KB
MD5

5894805aaa3a51eebd7d94578c056980
SHA1

9febdc5b113083c338bea61af7b1e435d3d4c03f
SHA256

4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772
SHA512

65af87cd534cfa371be5af254c3d2826a5a8d34dcafc92f0d98c4497610064ca0a0e07ae03daaf3f830ffbcca1795bf7c0542b29ebce101d45f96820d5bf7604
SSDEEP

6144:E+sA4cO1nVqHXYM0CCVMZ+sA4cO1nVqHHYM0CCVZ:EJAFRYLVMZJAFRYLVZ

Score

8^/10

defense_evasion discovery evasion persistence trojan

Malware Config

Signatures

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 1 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	LSASS.EXE

Executes dropped EXE 13 IoCs

pid	Process
2656	ntfsus.exe
2832	SMSS.EXE
2676	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log
380	SMSS.EXE
1464	LSASS.EXE
1840	LSASS.EXE
1052	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe
812	SMSS.EXE
1720	ntfsus.exe
840	ntfsus.exe
1516	SMSS.EXE
3044	SMSS.EXE
3032	SMSS.EXE

Loads dropped DLL 20 IoCs

pid	Process
2764	cmd.exe
2764	cmd.exe
1404	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772N.exe
1404	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772N.exe
1220	cmd.exe
1220	cmd.exe
2676	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log
2676	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log
2676	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log
2676	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log
2676	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log
2676	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log
1464	LSASS.EXE
1464	LSASS.EXE
304	cmd.exe
304	cmd.exe
980	cmd.exe
980	cmd.exe
3036	cmd.exe
3036	cmd.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772N.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772N.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772N.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772N.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772N.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LSASS.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LSASS.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772N.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	LSASS.EXE

Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

remove IFEO.

defense_evasion

Clear Persistence

T1070.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	LSASS.EXE

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	LSASS.EXE
File created	C:\AUTORUN.INF	LSASS.EXE
File opened for modification	D:\AUTORUN.INF	LSASS.EXE
File opened for modification	\??\E:\AUTORUN.INF	LSASS.EXE

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\com\SMSS.EXE	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772N.exe
File created	C:\Windows\SysWOW64\com\SMSS.EXE	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log
File opened for modification	C:\Windows\SysWOW64\com\SMSS.EXE	LSASS.EXE
File created	C:\Windows\SysWOW64\com\SMSS.EXE	LSASS.EXE
File opened for modification	C:\Windows\SysWOW64\com\bak	LSASS.EXE
File created	C:\Windows\SysWOW64\com\SMSS.EXE	LSASS.EXE
File opened for modification	C:\Windows\SysWOW64\com\LSASS.EXE	LSASS.EXE
File opened for modification	C:\Windows\SysWOW64\com\SMSS.EXE	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772N.exe
File opened for modification	C:\Windows\SysWOW64\com\SMSS.EXE	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log
File opened for modification	C:\Windows\SysWOW64\com\LSASS.EXE	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log
File created	C:\Windows\SysWOW64\com\LSASS.EXE	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log
File opened for modification	C:\Windows\SysWOW64\com\SMSS.EXE	LSASS.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LSASS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LSASS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2484	ping.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	LSASS.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2484	ping.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
1404	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772N.exe
1404	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772N.exe
1404	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772N.exe
1404	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772N.exe
2676	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log
2676	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log
2676	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log
2676	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log
1840	LSASS.EXE
1840	LSASS.EXE
1840	LSASS.EXE
1840	LSASS.EXE
1464	LSASS.EXE
1464	LSASS.EXE
1464	LSASS.EXE
1464	LSASS.EXE
1052	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe
1052	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 1156	1404	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772N.exe	31
PID 1404 wrote to memory of 1156	1404	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772N.exe	31
PID 1404 wrote to memory of 1156	1404	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772N.exe	31
PID 1404 wrote to memory of 1156	1404	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772N.exe	31
PID 1404 wrote to memory of 2464	1404	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772N.exe	33
PID 1404 wrote to memory of 2464	1404	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772N.exe	33
PID 1404 wrote to memory of 2464	1404	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772N.exe	33
PID 1404 wrote to memory of 2464	1404	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772N.exe	33
PID 1404 wrote to memory of 2312	1404	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772N.exe	35
PID 1404 wrote to memory of 2312	1404	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772N.exe	35
PID 1404 wrote to memory of 2312	1404	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772N.exe	35
PID 1404 wrote to memory of 2312	1404	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772N.exe	35
PID 1404 wrote to memory of 2656	1404	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772N.exe	37
PID 1404 wrote to memory of 2656	1404	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772N.exe	37
PID 1404 wrote to memory of 2656	1404	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772N.exe	37
PID 1404 wrote to memory of 2656	1404	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772N.exe	37
PID 1404 wrote to memory of 2764	1404	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772N.exe	38
PID 1404 wrote to memory of 2764	1404	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772N.exe	38
PID 1404 wrote to memory of 2764	1404	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772N.exe	38
PID 1404 wrote to memory of 2764	1404	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772N.exe	38
PID 2764 wrote to memory of 2832	2764	cmd.exe	40
PID 2764 wrote to memory of 2832	2764	cmd.exe	40
PID 2764 wrote to memory of 2832	2764	cmd.exe	40
PID 2764 wrote to memory of 2832	2764	cmd.exe	40
PID 1404 wrote to memory of 2676	1404	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772N.exe	41
PID 1404 wrote to memory of 2676	1404	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772N.exe	41
PID 1404 wrote to memory of 2676	1404	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772N.exe	41
PID 1404 wrote to memory of 2676	1404	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772N.exe	41
PID 2676 wrote to memory of 2852	2676	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log	42
PID 2676 wrote to memory of 2852	2676	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log	42
PID 2676 wrote to memory of 2852	2676	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log	42
PID 2676 wrote to memory of 2852	2676	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log	42
PID 2676 wrote to memory of 2584	2676	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log	43
PID 2676 wrote to memory of 2584	2676	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log	43
PID 2676 wrote to memory of 2584	2676	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log	43
PID 2676 wrote to memory of 2584	2676	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log	43
PID 2676 wrote to memory of 2576	2676	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log	44
PID 2676 wrote to memory of 2576	2676	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log	44
PID 2676 wrote to memory of 2576	2676	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log	44
PID 2676 wrote to memory of 2576	2676	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log	44
PID 2676 wrote to memory of 2976	2676	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log	45
PID 2676 wrote to memory of 2976	2676	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log	45
PID 2676 wrote to memory of 2976	2676	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log	45
PID 2676 wrote to memory of 2976	2676	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log	45
PID 2676 wrote to memory of 2600	2676	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log	50
PID 2676 wrote to memory of 2600	2676	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log	50
PID 2676 wrote to memory of 2600	2676	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log	50
PID 2676 wrote to memory of 2600	2676	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log	50
PID 2676 wrote to memory of 2260	2676	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log	52
PID 2676 wrote to memory of 2260	2676	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log	52
PID 2676 wrote to memory of 2260	2676	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log	52
PID 2676 wrote to memory of 2260	2676	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log	52
PID 2676 wrote to memory of 1220	2676	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log	54
PID 2676 wrote to memory of 1220	2676	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log	54
PID 2676 wrote to memory of 1220	2676	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log	54
PID 2676 wrote to memory of 1220	2676	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log	54
PID 1220 wrote to memory of 380	1220	cmd.exe	56
PID 1220 wrote to memory of 380	1220	cmd.exe	56
PID 1220 wrote to memory of 380	1220	cmd.exe	56
PID 1220 wrote to memory of 380	1220	cmd.exe	56
PID 2676 wrote to memory of 1464	2676	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log	57
PID 2676 wrote to memory of 1464	2676	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log	57
PID 2676 wrote to memory of 1464	2676	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log	57
PID 2676 wrote to memory of 1464	2676	4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log	57

C:\Users\Admin\AppData\Local\Temp\4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772N.exe
"C:\Users\Admin\AppData\Local\Temp\4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1156
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\LSASS.EXE /e /t /g Admin:F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2464
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\SMSS.EXE /e /t /g Admin:F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2312
- C:\ntfsus.exe
  C:\ntfsus.exe
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "C:\Windows\system32\com\SMSS.EXE c:\users\admin\appdata\local\temp\4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe^|c:\users\admin\appdata\local\temp\4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\SysWOW64\com\SMSS.EXE
    C:\Windows\system32\com\SMSS.EXE c:\users\admin\appdata\local\temp\4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe|c:\users\admin\appdata\local\temp\4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log
    3⤵
    - Executes dropped EXE
    PID:2832
- \??\c:\users\admin\appdata\local\temp\4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log
  "c:\users\admin\appdata\local\temp\4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2852
- - C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\LSASS.EXE /e /t /g Admin:F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2584
- - C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\SMSS.EXE /e /t /g Admin:F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2576
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q "C:\Windows\system32\com\SMSS.EXE"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2976
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q "C:\ntfsus.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2600
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c del /F /Q "C:\Windows\system32\com\LSASS.EXE"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2260
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c "C:\Windows\system32\com\SMSS.EXE c:\users\admin\appdata\local\temp\4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.~^|c:\users\admin\appdata\local\temp\4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1220
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Windows\system32\com\SMSS.EXE c:\users\admin\appdata\local\temp\4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.~|c:\users\admin\appdata\local\temp\4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe
      4⤵
      Executes dropped EXE
      PID:380
- - C:\Windows\SysWOW64\com\LSASS.EXE
    "C:\Windows\system32\com\LSASS.EXE"
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Indicator Removal: Clear Persistence
    - Drops autorun.inf file
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1464
  - - C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
      4⤵
      System Location Discovery: System Language Discovery
      PID:1256
  - - C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\LSASS.EXE /e /t /g Admin:F
      4⤵
      System Location Discovery: System Language Discovery
      PID:2840
  - - C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\SMSS.EXE /e /t /g Admin:F
      4⤵
      System Location Discovery: System Language Discovery
      PID:2776
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c rd /s /q "C:\Windows\system32\com\SMSS.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2436
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c rd /s /q "C:\ntfsus.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2964
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:812
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c rd /s /q "C:\ntfsus.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2588
  - - C:\ntfsus.exe
      "C:\ntfsus.exe"
      4⤵
      Executes dropped EXE
      PID:840
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c rd /s /q "C:\Windows\system32\com\bak"
      4⤵
      System Location Discovery: System Language Discovery
      PID:604
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE^|C:\pagefile.pif"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:304
    - - C:\Windows\SysWOW64\com\SMSS.EXE
        
        C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE|C:\pagefile.pif
        5⤵
        Executes dropped EXE
        
        PID:1516
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE^|D:\pagefile.pif"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:980
    - - C:\Windows\SysWOW64\com\SMSS.EXE
        
        C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE|D:\pagefile.pif
        5⤵
        Executes dropped EXE
        
        PID:3044
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE^|E:\pagefile.pif"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3036
    - - C:\Windows\SysWOW64\com\SMSS.EXE
        
        C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE|E:\pagefile.pif
        5⤵
        Executes dropped EXE
        
        PID:3032
  - - C:\Windows\SysWOW64\ping.exe
      ping.exe -f -n 1 www.baidu.com
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2484
- - \??\c:\users\admin\appdata\local\temp\4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1052
- - C:\Windows\SysWOW64\com\LSASS.EXE
    ^c:\users\admin\appdata\local\temp\4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1840
  - - C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
      4⤵
      System Location Discovery: System Language Discovery
      PID:2892
  - - C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\LSASS.EXE /e /t /g Admin:F
      4⤵
      System Location Discovery: System Language Discovery
      PID:2920
  - - C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\SMSS.EXE /e /t /g Admin:F
      4⤵
      System Location Discovery: System Language Discovery
      PID:2904
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c rd /s /q "C:\Windows\system32\com\SMSS.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2960
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c rd /s /q "C:\ntfsus.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1592
  - - C:\ntfsus.exe
      C:\ntfsus.exe
      4⤵
      Executes dropped EXE
      PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Indicator Removal

T1070

Clear Persistence

T1070.009

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ntfsus.exe

Filesize
46KB

MD5
2530e171448c1d3805aa494d95967517

SHA1
d79870e9b2121af8a50e787bf3f89fc507bbe9a2

SHA256
b1d177fbbc1fc7fc19138d7c1216cc1071809ec0f60ef550dc7f200710e46050

SHA512
af08b275ed78d5326c287e98014497b693455680e637c11a6704e762075ac2da711c7c79033e9ab297e9bcf39fec38fd462c65e1036a657918ab9ff52a45117f

Download Submit
\??\c:\users\admin\appdata\local\temp\4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.~

Filesize
64KB

MD5
fe8097b3303045217a3c2c0a32e57e0e

SHA1
3bb3c40fb36acfd0a3f190d514ffe2b44ee4bdb2

SHA256
1beaf2d81fbae084648997a393955fe63c0dc3549638e3be3178cc6fb4084362

SHA512
f80fb19ed71b9a8d0a8640865fe4d4d75da786ebf6d863788a5672e08c784b885e1ebaf20f67d726bb454d87ac35cb7048d4ede953cd91a9ed323d81fd2eda49

Download Submit
\Users\Admin\AppData\Local\Temp\4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772n.exe.log

Filesize
280KB

MD5
5894805aaa3a51eebd7d94578c056980

SHA1
9febdc5b113083c338bea61af7b1e435d3d4c03f

SHA256
4de2ceaf51eb42d520acf8e08c9750789db257afb6be05e24c4a3b2fbc4f0772

SHA512
65af87cd534cfa371be5af254c3d2826a5a8d34dcafc92f0d98c4497610064ca0a0e07ae03daaf3f830ffbcca1795bf7c0542b29ebce101d45f96820d5bf7604

Download Submit
\Windows\SysWOW64\com\LSASS.EXE

Filesize
108KB

MD5
864e18520ed8c626c87ac363176782b1

SHA1
3a04acf78d5d41f13e8e2d1c44d78947931a9077

SHA256
6f6517728b966740c687de592a9f812f12572b148e14e3de9919d748cfd95c54

SHA512
db88dcfa4a48050e53fb61f748c062a041c42a8f95b4be3b1b432e6bc026299dcb528b2f94d7ecb2a7098ba277e708dab0644ac5277585949ae6322af5b06c64

Download Submit
\Windows\SysWOW64\com\SMSS.EXE

Filesize
9KB

MD5
b2d5b77c463a4b6f7711333c2b4b8be2

SHA1
c53e3ac0256236e871f7516c9bb0d82d302a0514

SHA256
d684183769ac6939f8bd02d633f6a10d6c68130f52814196afe3ce8519cdfd7a

SHA512
55d89e89e25bbb8f40406f0e6cf4bf10c6e0f62649897b352a791e833cd0ad8b485a7b4508e0a4585d77befc5c30f0003b35adfeb4ee19e01508970e5bb9106b

Download Submit
memory/380-27-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/812-76-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1052-89-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1516-66-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2676-37-0x0000000001F30000-0x0000000001F40000-memory.dmp

Filesize
64KB

Download
memory/2832-14-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3032-75-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3044-71-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads