9b68b91380dfa1029eb49a7b3c58251114625611088a90d1e7539068d44b8c7f

Analysis

max time kernel
149s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/10/2024, 00:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b68b91380dfa1029eb49a7b3c58251114625611088a90d1e7539068d44b8c7f.exe
Size

745KB
MD5

4aa4bc45554afc836bb656fd39830e7b
SHA1

52559bcc2f7402be45a9da215e4006bb4c00d3b7
SHA256

9b68b91380dfa1029eb49a7b3c58251114625611088a90d1e7539068d44b8c7f
SHA512

0ad0baef73e4147ced53c856884e8b9feb0a8a3e6ea6226447e82174e922a57bc5e1916f46bc10371a66677266928ad904cf154c1edbe28236094b186c0eb02d
SSDEEP

12288:PolSeeiXN3TsLuKdk6+1Nuu+6v3sHbSRU8rD3F+knRU8rD3F+k6:P6SeeiXNDsLuKdk6+1Nuu+ecHUU8f3Fu

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\lsass.exe	9b68b91380dfa1029eb49a7b3c58251114625611088a90d1e7539068d44b8c7f.exe
File created	C:\Windows\SysWOW64\drivers\lsass.exe	lsass.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif	lsass.exe

Executes dropped EXE 2 IoCs

pid	Process
1940	lsass.exe
3960	9b68b91380dfa1029eb49a7b3c58251114625611088a90d1e7539068d44b8c7f.~tmp

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	lsass.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9b68b91380dfa1029eb49a7b3c58251114625611088a90d1e7539068d44b8c7f.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1084	9b68b91380dfa1029eb49a7b3c58251114625611088a90d1e7539068d44b8c7f.exe
1084	9b68b91380dfa1029eb49a7b3c58251114625611088a90d1e7539068d44b8c7f.exe
1940	lsass.exe
1940	lsass.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 1940	1084	9b68b91380dfa1029eb49a7b3c58251114625611088a90d1e7539068d44b8c7f.exe	82
PID 1084 wrote to memory of 1940	1084	9b68b91380dfa1029eb49a7b3c58251114625611088a90d1e7539068d44b8c7f.exe	82
PID 1084 wrote to memory of 1940	1084	9b68b91380dfa1029eb49a7b3c58251114625611088a90d1e7539068d44b8c7f.exe	82
PID 1084 wrote to memory of 3960	1084	9b68b91380dfa1029eb49a7b3c58251114625611088a90d1e7539068d44b8c7f.exe	83
PID 1084 wrote to memory of 3960	1084	9b68b91380dfa1029eb49a7b3c58251114625611088a90d1e7539068d44b8c7f.exe	83

C:\Users\Admin\AppData\Local\Temp\9b68b91380dfa1029eb49a7b3c58251114625611088a90d1e7539068d44b8c7f.exe
"C:\Users\Admin\AppData\Local\Temp\9b68b91380dfa1029eb49a7b3c58251114625611088a90d1e7539068d44b8c7f.exe"
1⤵
- Drops file in Drivers directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Windows\SysWOW64\drivers\lsass.exe
  "C:\Windows\system32\drivers\lsass.exe"
  2⤵
  - Drops file in Drivers directory
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1940
- C:\Users\Admin\AppData\Local\Temp\9b68b91380dfa1029eb49a7b3c58251114625611088a90d1e7539068d44b8c7f.~tmp
  "C:\Users\Admin\AppData\Local\Temp\9b68b91380dfa1029eb49a7b3c58251114625611088a90d1e7539068d44b8c7f.~tmp "
  2⤵
  - Executes dropped EXE
  PID:3960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9b68b91380dfa1029eb49a7b3c58251114625611088a90d1e7539068d44b8c7f.~tmp

Filesize
681KB

MD5
d33fc99317d8399260be6172b19e5a6a

SHA1
14df4c1d49e4e540810a45787c8a12ac03333b4a

SHA256
400be9285d424e63fb6fc1da23eae4ceb0f5114848e12c1b03b1a8adc323c59a

SHA512
751242e09d6954fdf98b11fa949a0240ff53ee5f1b13c2a4cbb0e7726cbd6bad5ab5ea4da3eedead40a767d8227a9a37771066ca9e7b49feaa1878e30c212e8d

Download Submit
C:\Windows\SysWOW64\drivers\lsass.exe

Filesize
32KB

MD5
669ffd1dd6fb7a0e4ddbc3ad3b76507b

SHA1
372820d6b9350ad629a489d49876d8bd422b8f31

SHA256
7dc487e762e55ffa601480c4bc7948f85fcd4f025665ff599060ec1f81d7e986

SHA512
cd69694ad3316c768dbe0d1514060870568c67a50785b38d402eb16e94740c5ae351eb6d47284630a2505fac50c9777bedef85608571c85385b1b9c1f12d73f5

Download Submit