a6c11f5d401f1faf325b98e7dc5c870bff24422f049d535901a041ec84041ec7

Analysis

max time kernel
151s
max time network
155s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
21/11/2024, 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lop.exe
Size

13.0MB
MD5

ed2c92c83839cdf6c54173e7a0013fff
SHA1

ac2f611770d94b4fb0579ae43c054c6d17069f7b
SHA256

a6c11f5d401f1faf325b98e7dc5c870bff24422f049d535901a041ec84041ec7
SHA512

09e1a7423ba876c47d446706a8187e82444c62ee615626feff434a45e7b3c418435c40b68ef59db49bf5a7abb98b8646c7f6f6e9721dfb25848eb917111e361f
SSDEEP

393216:8tYTO3/rek1/IUM/vUmRH8KSQQoDBsdLo8N3ESS:WQOzek1/lcUy8cSdLo8NV

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3844	lop.exe

Loads dropped DLL 4 IoCs

pid	Process
3844	lop.exe
3844	lop.exe
3844	lop.exe
3844	lop.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 3844	2072	lop.exe	80
PID 2072 wrote to memory of 3844	2072	lop.exe	80

C:\Users\Admin\AppData\Local\Temp\lop.exe
"C:\Users\Admin\AppData\Local\Temp\lop.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Local\Temp\onefile_2072_133766352275384666\lop.exe
  C:\Users\Admin\AppData\Local\Temp\lop.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3844

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:1092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\772b6f57-9ea5-4fad-9be6-23060ea085e1.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd

Filesize
122KB

MD5
302ddf5f83b5887ab9c4b8cc4e40b7a6

SHA1
0aa06af65d072eb835c8d714d0f0733dc2f47e20

SHA256
8250b4c102abd1dba49fc5b52030caa93ca34e00b86cee6547cc0a7f22326807

SHA512
5ddc2488fa192d8b662771c698a63faaf109862c8a4dd0df10fb113aef839d012df58346a87178aff9a1b369f82d8ae7819cef4aad542d8bd3f91327feace596

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2072_133766352275384666\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2072_133766352275384666\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2072_133766352275384666\lop.exe

Filesize
5.2MB

MD5
2284b2a2e4fd4569b87078b421537066

SHA1
07e213a67d67694547532442ca863206f5a4b4da

SHA256
ed648303435daf885ab36b4b70559067ad5d725858e06997325be2255b895961

SHA512
24e2f16a33432c6b6e7c712ab464c1151c643caede6c0d4db6d4d1d62d77a285853769b32ea5b09f651ad68dcf016fafab54b75d37467c43e4604f6fc6dcbd15

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2072_133766352275384666\python312.dll

Filesize
6.6MB

MD5
b243d61f4248909bc721674d70a633de

SHA1
1d2fb44b29c4ac3cfd5a7437038a0c541fce82fc

SHA256
93488fa7e631cc0a2bd808b9eee8617280ee9b6ff499ab424a1a1cbf24d77dc7

SHA512
10460c443c7b9a6d7e39ad6e2421b8ca4d8329f1c4a0ff5b71ce73352d2e9438d45f7d59edb13ce30fad3b4f260bd843f4d9b48522d448310d43e0988e075fcb

Download Submit