c124b47b5d05c68ed68756bfaa2cb2d16b79def83aeb5ec7e2ee98383ce8c588

General

Target

c124b47b5d05c68ed68756bfaa2cb2d16b79def83aeb5ec7e2ee98383ce8c588N.exe
Size

93KB
MD5

5cc3d2a90fe18118db199fd045246390
SHA1

79782f30e93dd1b0dca3737771bf78adb495f38c
SHA256

c124b47b5d05c68ed68756bfaa2cb2d16b79def83aeb5ec7e2ee98383ce8c588
SHA512

2bb352a428723c6cc80cb9307a45c1c7dc1b367c8fa1a43ab04d90735f0376ab8839e6f93d78d330672705b4e49da20fb745371810b87bc2f7a77d7277091c16
SSDEEP

1536:+HxCaqYLXJOfEbvdTvqGORq0H/waHXxoqNFcMeYxoPRR:+Hx8YL02HamwFDoPv

Score

7^/10

discovery

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe	c124b47b5d05c68ed68756bfaa2cb2d16b79def83aeb5ec7e2ee98383ce8c588N.exe

Executes dropped EXE 1 IoCs

pid	Process
2968	lsass.exe

Loads dropped DLL 2 IoCs

pid	Process
2464	c124b47b5d05c68ed68756bfaa2cb2d16b79def83aeb5ec7e2ee98383ce8c588N.exe
2464	c124b47b5d05c68ed68756bfaa2cb2d16b79def83aeb5ec7e2ee98383ce8c588N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c124b47b5d05c68ed68756bfaa2cb2d16b79def83aeb5ec7e2ee98383ce8c588N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1360	Process not Found
1360	Process not Found

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2968	lsass.exe
2172	explorer.exe
1360	Process not Found
1360	Process not Found
1360	Process not Found

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2464	c124b47b5d05c68ed68756bfaa2cb2d16b79def83aeb5ec7e2ee98383ce8c588N.exe
Token: SeDebugPrivilege	2968	lsass.exe
Token: SeDebugPrivilege	1360	Process not Found

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 2968	2464	c124b47b5d05c68ed68756bfaa2cb2d16b79def83aeb5ec7e2ee98383ce8c588N.exe	30
PID 2464 wrote to memory of 2968	2464	c124b47b5d05c68ed68756bfaa2cb2d16b79def83aeb5ec7e2ee98383ce8c588N.exe	30
PID 2464 wrote to memory of 2968	2464	c124b47b5d05c68ed68756bfaa2cb2d16b79def83aeb5ec7e2ee98383ce8c588N.exe	30
PID 2464 wrote to memory of 2968	2464	c124b47b5d05c68ed68756bfaa2cb2d16b79def83aeb5ec7e2ee98383ce8c588N.exe	30
PID 2968 wrote to memory of 2172	2968	lsass.exe	31
PID 2968 wrote to memory of 2172	2968	lsass.exe	31
PID 2968 wrote to memory of 2172	2968	lsass.exe	31
PID 2968 wrote to memory of 2172	2968	lsass.exe	31

C:\Users\Admin\AppData\Local\Temp\c124b47b5d05c68ed68756bfaa2cb2d16b79def83aeb5ec7e2ee98383ce8c588N.exe
"C:\Users\Admin\AppData\Local\Temp\c124b47b5d05c68ed68756bfaa2cb2d16b79def83aeb5ec7e2ee98383ce8c588N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\explorer.exe
    C:\Windows\explorer.exe
    3⤵
    - Suspicious behavior: MapViewOfSection
    PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe

Filesize
93KB

MD5
5cc3d2a90fe18118db199fd045246390

SHA1
79782f30e93dd1b0dca3737771bf78adb495f38c

SHA256
c124b47b5d05c68ed68756bfaa2cb2d16b79def83aeb5ec7e2ee98383ce8c588

SHA512
2bb352a428723c6cc80cb9307a45c1c7dc1b367c8fa1a43ab04d90735f0376ab8839e6f93d78d330672705b4e49da20fb745371810b87bc2f7a77d7277091c16

Download Submit
memory/1140-19-0x0000000002020000-0x0000000002047000-memory.dmp

Filesize
156KB

Download
memory/1140-27-0x0000000077251000-0x0000000077252000-memory.dmp

Filesize
4KB

Download
memory/1268-25-0x0000000000340000-0x0000000000367000-memory.dmp

Filesize
156KB

Download
memory/1268-26-0x0000000077251000-0x0000000077252000-memory.dmp

Filesize
4KB

Download
memory/1360-12-0x0000000002470000-0x0000000002497000-memory.dmp

Filesize
156KB

Download
memory/1360-21-0x0000000077251000-0x0000000077252000-memory.dmp

Filesize
4KB

Download
memory/1360-22-0x00000000024A0000-0x00000000024B2000-memory.dmp

Filesize
72KB

Download
memory/1360-13-0x0000000002470000-0x0000000002497000-memory.dmp

Filesize
156KB

Download
memory/1360-23-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/1360-24-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/2036-28-0x0000000077251000-0x0000000077252000-memory.dmp

Filesize
4KB

Download
memory/2036-29-0x0000000001B60000-0x0000000001B61000-memory.dmp

Filesize
4KB

Download
memory/2036-20-0x0000000001B90000-0x0000000001BB7000-memory.dmp

Filesize
156KB

Download
memory/2464-0-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2464-8-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2968-10-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2968-11-0x00000000002A0000-0x00000000002C7000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing