Edit tour

Windows Analysis Report
lsass.exe

Overview

General Information

Sample name:	lsass.exe
Analysis ID:	1451836
MD5:	60e18f7b8d1f43731d0e9169c2d16547
SHA1:	83ebb66f070956225959ee773b468f89ed55479c
SHA256:	efa9e8325232bbd3f9a118d396de04370e56c3c7b6d552fab46b5b39f3ad522d
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Snort IDS alert for network traffic

Sigma detected: System File Execution Location Anomaly

Contains functionality to call native functions

Contains functionality to communicate with device drivers

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

PE file contains sections with non-standard names

Program does not show much activity (idle)

Classification

Process Tree

System is w10x64

lsass.exe (PID: 3040 cmdline: "C:\Users\user\Desktop\lsass.exe" MD5: 60E18F7B8D1F43731D0E9169C2D16547)

cleanup

Sigma Signatures

System Summary

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\Users\user\Desktop\lsass.exe", CommandLine: "C:\Users\user\Desktop\lsass.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\lsass.exe, NewProcessName: C:\Users\user\Desktop\lsass.exe, OriginalFileName: C:\Users\user\Desktop\lsass.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Users\user\Desktop\lsass.exe", ProcessId: 3040, ProcessName: lsass.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\lsass.exe", CommandLine: "C:\Users\user\Desktop\lsass.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\lsass.exe, NewProcessName: C:\Users\user\Desktop\lsass.exe, OriginalFileName: C:\Users\user\Desktop\lsass.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Users\user\Desktop\lsass.exe", ProcessId: 3040, ProcessName: lsass.exe

Snort Signatures

ET TROJAN SocGholish Domain in DNS Lookup (africa .thesmalladventureguide .com) - Source IP: 192.168.2.16 - Destination IP: 1.1.1.1

Timestamp:	06/04/24-16:54:47.252299
SID:	2052879
Source Port:	58260
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN SocGholish Domain in DNS Lookup (africa .thesmalladventureguide .com) - Source IP: 192.168.2.16 - Destination IP: 1.1.1.1

Timestamp:	06/04/24-16:54:47.252564
SID:	2052879
Source Port:	63427
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

• Compliance
• Networking
• System Summary
• Data Obfuscation
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

Source: lsass.exe

Static PE information: certificate valid

Source: lsass.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: lsass.pdb source: lsass.exe
Source:	Binary string: lsass.pdbUGP source: lsass.exe

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2052879 ET TROJAN SocGholish Domain in DNS Lookup (africa .thesmalladventureguide .com) 192.168.2.16:58260 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2052879 ET TROJAN SocGholish Domain in DNS Lookup (africa .thesmalladventureguide .com) 192.168.2.16:63427 -> 1.1.1.1:53

Source: C:\Users\user\Desktop\lsass.exe	Code function: 0_2_00007FF670FF21C0 SetErrorMode,SetUnhandledExceptionFilter,RtlSetProcessIsCritical,WerSetFlags,NtSetInformationProcess,NtSetInformationProcess,ExitThread,NtSetInformationProcess,SetLastError,	0_2_00007FF670FF21C0
Source: C:\Users\user\Desktop\lsass.exe	Code function: 0_2_00007FF670FF3550 RtlInitUnicodeString,NtOpenEvent,RtlNtStatusToDosError,SetLastError,	0_2_00007FF670FF3550
Source: C:\Users\user\Desktop\lsass.exe	Code function: 0_2_00007FF670FF2650 TlsAlloc,NtOpenFile,CreateThreadpool,SetThreadpoolThreadMaximum,CreateThreadpoolIo,NtAllocateVirtualMemory,GetLastError,GetLastError,GetLastError,	0_2_00007FF670FF2650
Source: C:\Users\user\Desktop\lsass.exe	Code function: 0_2_00007FF670FF1170 TlsGetValue,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,NtSetInformationThread,	0_2_00007FF670FF1170
Source: C:\Users\user\Desktop\lsass.exe	Code function: 0_2_00007FF670FF1390 NtDeviceIoControlFile,	0_2_00007FF670FF1390
Source: C:\Users\user\Desktop\lsass.exe	Code function: 0_2_00007FF670FF14B0 TlsSetValue,TlsSetValue,NtClose,RtlFreeHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection,	0_2_00007FF670FF14B0
Source: C:\Users\user\Desktop\lsass.exe	Code function: 0_2_00007FF670FF5DC0 NtDeviceIoControlFile,	0_2_00007FF670FF5DC0
Source: C:\Users\user\Desktop\lsass.exe	Code function: 0_2_00007FF670FF20D0 memset,NtReplyWaitReceivePort,	0_2_00007FF670FF20D0
Source: C:\Users\user\Desktop\lsass.exe	Code function: 0_2_00007FF670FF32E0 RtlLengthSid,RtlLengthSid,RtlLengthSid,RtlLengthSid,RtlLengthSid,RtlAllocateHeap,RtlCreateAcl,RtlAddAccessAllowedAce,RtlAddAccessAllowedAce,RtlAddAccessAllowedAce,RtlAddAccessAllowedAce,RtlAddAccessAllowedAce,RtlCreateSecurityDescriptor,RtlSetDaclSecurityDescriptor,NtSetSecurityObject,CloseHandle,RtlFreeHeap,GetLastError,	0_2_00007FF670FF32E0
Source: C:\Users\user\Desktop\lsass.exe	Code function: 0_2_00007FF670FF4500 RtlInitUnicodeString,NtCreatePort,RtlInitUnicodeString,NtConnectPort,NtListenPort,NtAcceptConnectPort,NtCompleteConnectPort,CreateThread,CloseHandle,NtClose,	0_2_00007FF670FF4500
Source: C:\Users\user\Desktop\lsass.exe	Code function: 0_2_00007FF670FF2510 RtlInitUnicodeString,NtOpenFile,NtDeviceIoControlFile,NtSetInformationFile,	0_2_00007FF670FF2510
Source: C:\Users\user\Desktop\lsass.exe	Code function: 0_2_00007FF670FF1010 memcpy,NtRequestWaitReplyPort,memcpy,	0_2_00007FF670FF1010
Source: C:\Users\user\Desktop\lsass.exe	Code function: 0_2_00007FF670FF1E10 RtlAllocateHeap,memcpy,TrySubmitThreadpoolCallback,GetLastError,NtFreeVirtualMemory,StartThreadpoolIo,DeviceIoControl,GetLastError,CancelThreadpoolIo,Sleep,	0_2_00007FF670FF1E10

Source: C:\Users\user\Desktop\lsass.exe

Code function: 0_2_00007FF670FF1390: NtDeviceIoControlFile,

0_2_00007FF670FF1390

Source: C:\Users\user\Desktop\lsass.exe	Code function: 0_2_00007FF670FF15C0	0_2_00007FF670FF15C0
Source: C:\Users\user\Desktop\lsass.exe	Code function: 0_2_00007FF670FF3B00	0_2_00007FF670FF3B00
Source: C:\Users\user\Desktop\lsass.exe	Code function: 0_2_00007FF670FF3F20	0_2_00007FF670FF3F20

Source: C:\Users\user\Desktop\lsass.exe

Code function: String function: 00007FF670FF5C34 appears 57 times

Source: lsass.exe

Binary string: LSALSA_RPC_SERVER_ACTIVEExtensionsExtensionQueryLsaInterfaceInitializeLsaExtensionSystem\CurrentControlSet\Control\LsaExtensionConfig\LsaSrv\SECURITY\LSA_AUTHENTICATION_INITIALIZEDncalrpclsapolicylookupncacn_np\pipe\lsasslpacIdentityServicesSystem\CurrentControlSet\Control\LsaExtensionConfig\InterfacesMaxAsyncWorkerThreadsPerCpuSystem\CurrentControlSet\Control\Lsa\Device\KsecDDPathSystemRoot\SeRmCommandPort\SeLsaCommandPortLSA_SUBSYSTEM_INITIALIZEDSspiSrv.dllIOCTL_KSEC_IPC_GET_QUEUED_FUNCTION_CALLS failed. Error %d

Source: classification engine

Classification label: mal52.winEXE@1/0@0/0

Source: lsass.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\lsass.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: lsass.exe

Static PE information: certificate valid

Source: initial sample

Static PE information: Valid certificate with Microsoft Issuer

Source: lsass.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: lsass.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: lsass.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: lsass.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: lsass.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: lsass.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: lsass.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: lsass.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: lsass.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: lsass.pdb source: lsass.exe
Source:	Binary string: lsass.pdbUGP source: lsass.exe

Source: lsass.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: lsass.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: lsass.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: lsass.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: lsass.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: lsass.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\lsass.exe

API coverage: 2.8 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\lsass.exe

Code function: 0_2_00007FF670FF43F0 GetSystemInfo,RegOpenKeyExW,RegQueryValueExW,

0_2_00007FF670FF43F0

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\lsass.exe	Code function: 0_2_00007FF670FF21C0 SetErrorMode,SetUnhandledExceptionFilter,RtlSetProcessIsCritical,WerSetFlags,NtSetInformationProcess,NtSetInformationProcess,ExitThread,NtSetInformationProcess,SetLastError,		0_2_00007FF670FF21C0
Source: C:\Users\user\Desktop\lsass.exe	Code function: 0_2_00007FF670FF4A28 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_00007FF670FF4A28

Source: C:\Users\user\Desktop\lsass.exe

Code function: 0_2_00007FF670FF3B00 RtlAllocateHeap,RtlCreateSecurityDescriptor,GetCurrentProcess,OpenProcessToken,GetTokenInformation,RtlLengthSid,RtlLengthSid,RtlAllocateHeap,RtlSetOwnerSecurityDescriptor,RtlCreateAcl,RtlAddAccessAllowedAce,RtlAddAccessAllowedAce,RtlAddAccessAllowedAce,RtlSetDaclSecurityDescriptor,RtlAllocateAndInitializeSid,RtlCreateAcl,RtlAddMandatoryAce,RtlSetSaclSecurityDescriptor,RtlMakeSelfRelativeSD,RtlAllocateHeap,RtlMakeSelfRelativeSD,CloseHandle,RtlFreeHeap,RtlFreeHeap,

0_2_00007FF670FF3B00

Source: C:\Users\user\Desktop\lsass.exe

Code function: 0_2_00007FF670FF494C GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,

0_2_00007FF670FF494C

Source: C:\Users\user\Desktop\lsass.exe	Code function: 0_2_00007FF670FF24A0 RpcServerListen,I_RpcMapWin32Status,CreateEventW,SetEvent,GetLastError,OpenEventW,		0_2_00007FF670FF24A0
Source: C:\Users\user\Desktop\lsass.exe	Code function: 0_2_00007FF670FF4500 RtlInitUnicodeString,NtCreatePort,RtlInitUnicodeString,NtConnectPort,NtListenPort,NtAcceptConnectPort,NtCompleteConnectPort,CreateThread,CloseHandle,NtClose,		0_2_00007FF670FF4500

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Obfuscated Files or Information	LSASS Memory	3 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
lsass.exe	0%	ReversingLabs

Name	IP	Active	Malicious	Antivirus Detection	Reputation
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1451836
Start date and time:	2024-06-04 16:54:38 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	lsass.exe
Detection:	MAL
Classification:	mal52.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 83% Number of executed functions: 2 Number of non-executed functions: 32
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ocsp.edge.digicert.com
VT rate limit hit for: lsass.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	https://www.google.com.br/url?q=//www.google.it/amp/s/sites.google.com/view/park-concepts/home	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	192.229.221.95
	http://U6d.vhi4uv.com	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://buchanancloud.net/cgi/login	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://qsdqsd.bestphon.in	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	https://app.smartdraw.com/share.aspx/?pubDocShare=8B0C16134B8382110652EE19C989D308FF5	Get hash	malicious	Unknown	Browse	192.229.221.95
	file.exe	Get hash	malicious	RedLine	Browse	192.229.221.95
	https://turk.istan.to/hbus/jeep.php?file=sync	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://links.cruiseshipcenters.mkt5224.com/els/v2/9e_0Mw~qLNCK/Y1J3Umo3RU9LbGcxWlZCelk3WStueE5QV1g1dEZBTGZJdEx1ZU5oaHJQenh0OUlNMDlmaUUvOHBHU2tqUUZqenNjdTVWQUthd3A4OGtjT1pLUTd6TFRFUUMwOWJ0Y3RCbFR5QXpCTW9teTA9S0/cjFpdmJMRGNtSG1TYXVLVXBSbW0vdlQ0RUUxaDR1eG5FYVVQRjA0bTdWZUNETDNWaHBzeUpndHFQSG8yR0oyMmdQQTVVODNUSys5UzI3TUNrUFkwZFJJb0lRZTJnblY5Z0pYRWlVKzNmeHlWeFZEQXcrTkdHK1VBY2QvZVRIbDBWajEyRmVEZjR6MD0S1	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://cosjena.pl/ygt/idbdcdthgh	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://www.brownfieldagnews.com	Get hash	malicious	Unknown	Browse	192.229.221.95

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	5.9183212098884335
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	lsass.exe
File size:	60'640 bytes
MD5:	60e18f7b8d1f43731d0e9169c2d16547
SHA1:	83ebb66f070956225959ee773b468f89ed55479c
SHA256:	efa9e8325232bbd3f9a118d396de04370e56c3c7b6d552fab46b5b39f3ad522d
SHA512:	45509ec64f1ee5faad4e759d482b7d8dd6c2dacf9bd71257403ab7d7a060ac9e2e9c99dd670592312fde3807b4bb08c6b65b0ac2dbe8c8c457920d2eeab87d89
SSDEEP:	1536:W+IDW1k2ACCJk3TbA3eeLRE7zouliEUPa3z:hIC1k2An3tLi09y3
TLSH:	8E434A4EA79670C6D4A24670C5A74262BF36F36627024BFF12D4C0385E663CAAF35F94
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........iW:..9i..9i..9i.c8h..9i.c:h..9i.p.i..9i..8i..9i.c4h..9i.c9h..9i.c=h..9i.c.i..9i.c;h..9iRich..9i................PE..d...?..J...

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x1400048e0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x4AAAFE3F [Sat Sep 12 01:49:51 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	10
OS Version Minor:	0
File Version Major:	10
File Version Minor:	0
Subsystem Version Major:	10
Subsystem Version Minor:	0
Import Hash:	3924d1606f44d90586a3ec75785c2730

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	08/02/2024 20:22:46 07/02/2025 20:22:46
Subject Chain	CN=Microsoft Windows Publisher, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:	3
Thumbprint MD5:	366DA07E17C53A2BCBBF949B9318E8A9
Thumbprint SHA-1:	09A1AA05288E952C901821DEAECE78D148D2E4D2
Thumbprint SHA-256:	5FC581A4B101E94BFA06E6548DAA244B91B0A62B90D559820FD49BACB625B90B
Serial:	330000047069F2AC064904EC1C000000000470

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F2CA4B6D9C8h
dec eax
add esp, 28h
jmp 00007F2CA4B6D8C3h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
cmp ecx, dword ptr [00008769h]
jne 00007F2CA4B6D972h
dec eax
rol ecx, 10h
test cx, FFFFh
jne 00007F2CA4B6D963h
ret
dec eax
ror ecx, 10h
jmp 00007F2CA4B6DAA7h
int3
int3
int3
int3
int3
int3
jmp dword ptr [00003BF6h]
int3
int3
int3
int3
int3
int3
jmp dword ptr [00003BFAh]
int3
int3
int3
int3
int3
int3
dec eax
mov dword ptr [esp+20h], ebx
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 20h
dec eax
and dword ptr [ebp+18h], 00000000h
dec eax
mov ebx, 2DDFA232h
cdq
sub eax, dword ptr [eax]
add byte ptr [eax-75h], cl
add eax, 00008711h
dec eax
cmp eax, ebx
jne 00007F2CA4B6D9F9h
dec eax
lea ecx, dword ptr [ebp+18h]
call dword ptr [00003D56h]
dec eax
mov eax, dword ptr [ebp+18h]
dec eax
mov dword ptr [ebp+10h], eax
call dword ptr [00003CA8h]
mov eax, eax
dec eax
xor dword ptr [ebp+10h], eax
call dword ptr [00003CA4h]
mov eax, eax
dec eax
xor dword ptr [ebp+10h], eax
call dword ptr [00003D38h]

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xb550	0xb0	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb600	0x1b8	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10000	0x708	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xe000	0x654	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0xc400	0x28e0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x11000	0x200	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x9070	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x7070	0x118	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x84b8	0x420	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xb41c	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x50f7	0x5200	faab5d44d9331e1acbeff4249f6a71fc	False	0.5247713414634146	data	5.871715930250279	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x5776	0x5800	95f8c6799f532f29d934cfd379b301d1	False	0.33642578125	data	4.515878226815834	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xd000	0x850	0x200	169857542ef95792982897cd9219e12d	False	0.140625	data	0.8232739801820367	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0xe000	0x654	0x800	a4c446c606c9bceb6bce40a4b29f294d	False	0.40478515625	PEX Binary Archive	3.6896573898382914	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat	0xf000	0x30	0x200	afdaaa9b04d9f0a3b5c5b43e082745c6	False	0.060546875	data	0.338777230370671	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x10000	0x708	0x800	a659fbccf6956a97642629289f4f322a	False	0.40771484375	data	4.076294532307643	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x11000	0x200	0x200	e179b26055bf037dcfade000ff97bd6d	False	0.775390625	data	5.2829730313258585	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x10360	0x3a8	data	English	United States	0.46153846153846156
RT_MANIFEST	0x100a0	0x2c0	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5142045454545454

Imports

DLL	Import
api-ms-win-core-crt-l1-1-0.dll	wcschr, _wcsicmp, wcstol, _vsnprintf_s, strcpy_s, memcpy, memset
api-ms-win-core-crt-l2-1-0.dll	_initterm_e, exit, _initterm
ntdll.dll	NtSetInformationThread, RtlReleaseResource, NtFreeVirtualMemory, NtConnectPort, NtRequestWaitReplyPort, RtlLeaveCriticalSection, NtAllocateVirtualMemory, NtClose, NtAcceptConnectPort, NtReplyWaitReceivePort, RtlCaptureContext, RtlLookupFunctionEntry, NtCompleteConnectPort, RtlVirtualUnwind, RtlSetDaclSecurityDescriptor, NtCreatePort, RtlSetOwnerSecurityDescriptor, NtDeviceIoControlFile, RtlFreeHeap, RtlSetProcessIsCritical, RtlFreeSid, RtlDeriveCapabilitySidsFromName, RtlAddMandatoryAce, RtlUnhandledExceptionFilter, RtlLengthRequiredSid, RtlCreateAndSetSD, NtSetSecurityObject, NtOpenEvent, RtlSubAuthoritySid, RtlAllocateHeap, NtSetInformationProcess, RtlCreateAcl, RtlInitializeSid, RtlEnterCriticalSection, RtlNtStatusToDosError, RtlAcquireResourceExclusive, RtlCreateSecurityDescriptor, NtOpenFile, RtlAcquireResourceShared, DbgPrintEx, RtlInitializeResource, NtListenPort, RtlSetSaclSecurityDescriptor, RtlAddAccessAllowedAce, RtlLengthSid, RtlAllocateAndInitializeSid, NtSetInformationFile, RtlInitUnicodeString, RtlMakeSelfRelativeSD
RPCRT4.dll	RpcServerUseProtseqEpW, RpcServerRegisterIf3, RpcServerListen, NdrServerCallAll, NdrServerCall2, I_RpcMapWin32Status
api-ms-win-core-errorhandling-l1-1-0.dll	SetUnhandledExceptionFilter, GetLastError, SetErrorMode, SetLastError, UnhandledExceptionFilter
api-ms-win-core-handle-l1-1-0.dll	DuplicateHandle, CloseHandle
api-ms-win-core-io-l1-1-0.dll	DeviceIoControl
api-ms-win-core-libraryloader-l1-2-0.dll	GetProcAddress, LoadLibraryExW
api-ms-win-core-registry-l1-1-0.dll	RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegEnumKeyExW
api-ms-win-core-heap-obsolete-l1-1-0.dll	LocalFree, LocalAlloc
api-ms-win-security-base-l1-1-0.dll	GetTokenInformation
api-ms-win-core-processthreads-l1-1-0.dll	ExitThread, OpenProcessToken, TlsSetValue, TlsAlloc, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, TerminateProcess, CreateThread, TlsGetValue
api-ms-win-core-processenvironment-l1-1-0.dll	SetEnvironmentVariableW, GetEnvironmentVariableW
api-ms-win-core-synch-l1-1-0.dll	SetEvent, CreateEventW, OpenEventW
api-ms-win-core-threadpool-l1-2-0.dll	CreateThreadpoolIo, CreateThreadpool, StartThreadpoolIo, CancelThreadpoolIo, TrySubmitThreadpoolCallback, SetThreadpoolThreadMaximum
api-ms-win-core-synch-l1-2-0.dll	Sleep
api-ms-win-core-sysinfo-l1-1-0.dll	GetSystemInfo, GetSystemTimeAsFileTime, GetTickCount
api-ms-win-core-profile-l1-1-0.dll	QueryPerformanceCounter
api-ms-win-core-windowserrorreporting-l1-1-0.dll	WerSetFlags
api-ms-win-core-delayload-l1-1-0.dll	DelayLoadFailureHook
api-ms-win-core-delayload-l1-1-1.dll	ResolveDelayLoadedAPI

Exports

Name	Ordinal	Address
LsaGetInterface	1	0x140002c00
LsaImpersonateKsecCaller	2	0x140001170
LsaRegisterExtension	3	0x1400047c0
LsaRegisterInterface	4	0x140002860

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jun 4, 2024 16:55:51.310605049 CEST	1.1.1.1	192.168.2.5	0xba38	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jun 4, 2024 16:55:51.310605049 CEST	1.1.1.1	192.168.2.5	0xba38	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

• lsass.exe

Click to jump to process

Memory Usage

• lsass.exe

Click to jump to process

Target ID:	0
Start time:	10:55:39
Start date:	04/06/2024
Path:	C:\Users\user\Desktop\lsass.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\lsass.exe"
Imagebase:	0x7ff670ff0000
File size:	60'640 bytes
MD5 hash:	60E18F7B8D1F43731D0E9169C2D16547
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	51.8%
Total number of Nodes:	490
Total number of Limit Nodes:	4

Callgraph

Hide Legend

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00007FF670FF21C0 Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 155
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 00007FF670FF21ED
SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF670FF2200
RtlSetProcessIsCritical.NTDLL ref: 00007FF670FF2215
WerSetFlags.KERNELBASE ref: 00007FF670FF2226
NtSetInformationProcess.NTDLL ref: 00007FF670FF2263
NtSetInformationProcess.NTDLL ref: 00007FF670FF2297
ExitThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF670FF2368
NtSetInformationProcess.NTDLL ref: 00007FF670FF50E8

Strings

Failed to init LSA interface list: 0x%x, xrefs: 00007FF670FF514F
Failed to init Lsass global states: 0x%x, xrefs: 00007FF670FF5176
Failed to load extensions: 0x%x, xrefs: 00007FF670FF51EA
Failed to init RM: 0x%x, xrefs: 00007FF670FF518F
Failed to init well known SIDs: 0x%x, xrefs: 00007FF670FF5123
LSA, xrefs: 00007FF670FF21C6
Failed to set Ksec security: 0x%x, xrefs: 00007FF670FF5139
SetKsecEvent failed: 0x%lx, xrefs: 00007FF670FF51A8
Failed to start LPR server: 0x%lx, xrefs: 00007FF670FF51C1

Memory Dump Source

Source File: 00000000.00000002.2141496588.00007FF670FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF670FF0000, based on PE: true

Associated: 00000000.00000002.2141454745.00007FF670FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141519478.00007FF670FF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF670FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF671000000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff670ff0000_lsass.jbxd

Similarity

API ID: Process$Information$CriticalErrorExceptionExitFilterFlagsModeThreadUnhandled
String ID: Failed to init LSA interface list: 0x%x$Failed to init Lsass global states: 0x%x$Failed to init RM: 0x%x$Failed to init well known SIDs: 0x%x$Failed to load extensions: 0x%x$Failed to set Ksec security: 0x%x$Failed to start LPR server: 0x%lx$LSA$SetKsecEvent failed: 0x%lx
API String ID: 2130539193-3182054039
Opcode ID: 11e73e338f1ef857a8f5cffe3151d805c120caa17276c55a1172e4798c70cf25
Instruction ID: da20da3c370141a3a7a6a028b8dc007f70a8f2158b5375736b4d70b7935926a5
Opcode Fuzzy Hash: 11e73e338f1ef857a8f5cffe3151d805c120caa17276c55a1172e4798c70cf25
Instruction Fuzzy Hash: BE712323A2C683A2F750AB24D8443B82AADBF05794F444231CE19C73D2EFADF544CE61

Function 00007FF670FF48E0 Relevance: 1.6, APIs: 1, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF670FF494C: GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF670FF497C
Part of subcall function 00007FF670FF494C: GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF670FF498A
Part of subcall function 00007FF670FF494C: GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF670FF4996
Part of subcall function 00007FF670FF494C: GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF670FF49A2
Part of subcall function 00007FF670FF494C: GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF670FF49B2
Part of subcall function 00007FF670FF494C: QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0 ref: 00007FF670FF49CD

exit.API-MS-WIN-CORE-CRT-L2-1-0 ref: 00007FF670FF48C6

Memory Dump Source

Source File: 00000000.00000002.2141496588.00007FF670FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF670FF0000, based on PE: true

Associated: 00000000.00000002.2141454745.00007FF670FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141519478.00007FF670FF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF670FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF671000000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff670ff0000_lsass.jbxd

Similarity

API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThreadexit
String ID:
API String ID: 2242362623-0
Opcode ID: 00e75031e03ec63cebe82126e99dbed41005b224c4bd70de82f7f75710e44839
Instruction ID: 5ebfe2b30160ebd42559b4dbed9622b109a38a25e7d6997e5d39658519d3a39e
Opcode Fuzzy Hash: 00e75031e03ec63cebe82126e99dbed41005b224c4bd70de82f7f75710e44839
Instruction Fuzzy Hash: 8A014063A3C682A2EA00A710E485BB92368EB50780F900035E90DC73A5DFBCF549CF60

Non-executed Functions

Function 00007FF670FF3F20 Relevance: 63.3, APIs: 34, Strings: 2, Instructions: 261
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlLengthRequiredSid.NTDLL ref: 00007FF670FF3F96
RtlAllocateHeap.NTDLL ref: 00007FF670FF3FB5
RtlInitializeSid.NTDLL ref: 00007FF670FF3FD7
RtlSubAuthoritySid.NTDLL ref: 00007FF670FF3FE8
RtlLengthRequiredSid.NTDLL ref: 00007FF670FF3FFD
RtlAllocateHeap.NTDLL ref: 00007FF670FF401C
RtlInitializeSid.NTDLL ref: 00007FF670FF4042
RtlSubAuthoritySid.NTDLL ref: 00007FF670FF4053
RtlLengthRequiredSid.NTDLL ref: 00007FF670FF4064
RtlAllocateHeap.NTDLL ref: 00007FF670FF4083
RtlInitializeSid.NTDLL ref: 00007FF670FF40A5
RtlSubAuthoritySid.NTDLL ref: 00007FF670FF40B6
RtlLengthRequiredSid.NTDLL ref: 00007FF670FF40CB
RtlAllocateHeap.NTDLL ref: 00007FF670FF40EA
RtlInitializeSid.NTDLL ref: 00007FF670FF410C
RtlSubAuthoritySid.NTDLL ref: 00007FF670FF411D
RtlSubAuthoritySid.NTDLL ref: 00007FF670FF4135
RtlLengthRequiredSid.NTDLL ref: 00007FF670FF414A
RtlAllocateHeap.NTDLL ref: 00007FF670FF4169
RtlInitializeSid.NTDLL ref: 00007FF670FF418B
RtlSubAuthoritySid.NTDLL ref: 00007FF670FF419C
RtlSubAuthoritySid.NTDLL ref: 00007FF670FF41B4
RtlLengthRequiredSid.NTDLL ref: 00007FF670FF41C9
RtlAllocateHeap.NTDLL ref: 00007FF670FF41E8
RtlLengthRequiredSid.NTDLL ref: 00007FF670FF4203
RtlAllocateHeap.NTDLL ref: 00007FF670FF4222
RtlDeriveCapabilitySidsFromName.NTDLL ref: 00007FF670FF4244
RtlFreeHeap.NTDLL ref: 00007FF670FF429F
RtlFreeHeap.NTDLL ref: 00007FF670FF598B
RtlFreeHeap.NTDLL ref: 00007FF670FF59AF
RtlFreeHeap.NTDLL ref: 00007FF670FF59D2
RtlFreeHeap.NTDLL ref: 00007FF670FF59F5
RtlFreeHeap.NTDLL ref: 00007FF670FF5A18
RtlFreeHeap.NTDLL ref: 00007FF670FF5A3F

Strings

lpacIdentityServices, xrefs: 00007FF670FF3F56
(, xrefs: 00007FF670FF3F4F

Memory Dump Source

Source File: 00000000.00000002.2141496588.00007FF670FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF670FF0000, based on PE: true

Associated: 00000000.00000002.2141454745.00007FF670FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141519478.00007FF670FF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF670FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF671000000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff670ff0000_lsass.jbxd

Similarity

API ID: Heap$AllocateAuthorityFreeLengthRequired$Initialize$CapabilityDeriveFromNameSids
String ID: ($lpacIdentityServices
API String ID: 26768282-937675705
Opcode ID: 6d59f63558e9b3ae9250777bdcb14d0b916e38d13a4711c723816a8cddaa7941
Instruction ID: edd15faead74826fa2a732543f0421a839c77e0a422f750fbeb3c3ac6d224502
Opcode Fuzzy Hash: 6d59f63558e9b3ae9250777bdcb14d0b916e38d13a4711c723816a8cddaa7941
Instruction Fuzzy Hash: 94C1F832628A81DAEB04CF12E8541B9BBA5FB8AF95F449135CE0E97314DF3DE446CB50

Function 00007FF670FF3B00 Relevance: 44.0, APIs: 24, Strings: 1, Instructions: 246
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL ref: 00007FF670FF3B81
RtlCreateSecurityDescriptor.NTDLL ref: 00007FF670FF3BA1
GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF670FF3BB7
OpenProcessToken.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF670FF3BD0
GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF670FF3C01
RtlLengthSid.NTDLL ref: 00007FF670FF3C24
RtlLengthSid.NTDLL ref: 00007FF670FF3C39
RtlAllocateHeap.NTDLL ref: 00007FF670FF3C5F
RtlSetOwnerSecurityDescriptor.NTDLL ref: 00007FF670FF3C81
RtlCreateAcl.NTDLL ref: 00007FF670FF3CA1
RtlAddAccessAllowedAce.NTDLL ref: 00007FF670FF3CCC
RtlAddAccessAllowedAce.NTDLL ref: 00007FF670FF3CF7
RtlAddAccessAllowedAce.NTDLL ref: 00007FF670FF3D1F
RtlSetDaclSecurityDescriptor.NTDLL ref: 00007FF670FF3D40
RtlAllocateAndInitializeSid.NTDLL ref: 00007FF670FF3D89
RtlCreateAcl.NTDLL ref: 00007FF670FF3DAD
RtlAddMandatoryAce.NTDLL ref: 00007FF670FF3DE1
RtlSetSaclSecurityDescriptor.NTDLL ref: 00007FF670FF3E03
RtlMakeSelfRelativeSD.NTDLL ref: 00007FF670FF3E1F
RtlAllocateHeap.NTDLL ref: 00007FF670FF3E4F
RtlMakeSelfRelativeSD.NTDLL ref: 00007FF670FF3E72
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF670FF3E99
RtlFreeHeap.NTDLL ref: 00007FF670FF3EB7
RtlFreeHeap.NTDLL ref: 00007FF670FF3ED5

Strings

L, xrefs: 00007FF670FF3B30

Memory Dump Source

Source File: 00000000.00000002.2141496588.00007FF670FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF670FF0000, based on PE: true

Associated: 00000000.00000002.2141454745.00007FF670FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141519478.00007FF670FF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF670FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF671000000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff670ff0000_lsass.jbxd

Similarity

API ID: Heap$AllocateDescriptorSecurity$AccessAllowedCreate$FreeLengthMakeProcessRelativeSelfToken$CloseCurrentDaclHandleInformationInitializeMandatoryOpenOwnerSacl
String ID: L
API String ID: 598312902-2909332022
Opcode ID: 506d46e6beef75c7f215ccb76f1581593da3995ec034d3192a43e9cbbe5fd192
Instruction ID: 9c4d0ded73822ca0138102971c2b5d861b5df8e8f672db36f509ec0764eeb8a3
Opcode Fuzzy Hash: 506d46e6beef75c7f215ccb76f1581593da3995ec034d3192a43e9cbbe5fd192
Instruction Fuzzy Hash: 1DB11932B28B92DAE7108B15E4546B97BA8FB89B84F414135CE4DD3714DF3CE509CB50

Function 00007FF670FF32E0 Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 155
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF670FF3550: RtlInitUnicodeString.NTDLL ref: 00007FF670FF3565
Part of subcall function 00007FF670FF3550: NtOpenEvent.NTDLL ref: 00007FF670FF35AF

RtlLengthSid.NTDLL ref: 00007FF670FF3308
RtlLengthSid.NTDLL ref: 00007FF670FF331D
RtlLengthSid.NTDLL ref: 00007FF670FF3332
RtlLengthSid.NTDLL ref: 00007FF670FF3347
RtlLengthSid.NTDLL ref: 00007FF670FF335C
RtlAllocateHeap.NTDLL ref: 00007FF670FF3382
RtlCreateAcl.NTDLL ref: 00007FF670FF33AC
RtlAddAccessAllowedAce.NTDLL ref: 00007FF670FF33D8
RtlAddAccessAllowedAce.NTDLL ref: 00007FF670FF3404
RtlAddAccessAllowedAce.NTDLL ref: 00007FF670FF3430
RtlAddAccessAllowedAce.NTDLL ref: 00007FF670FF345C
RtlAddAccessAllowedAce.NTDLL ref: 00007FF670FF3488
RtlCreateSecurityDescriptor.NTDLL ref: 00007FF670FF34A2
RtlSetDaclSecurityDescriptor.NTDLL ref: 00007FF670FF34C0
NtSetSecurityObject.NTDLL ref: 00007FF670FF34DD
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF670FF34FB
RtlFreeHeap.NTDLL ref: 00007FF670FF351E
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF670FF57B5

Strings

Failed to set event SD: 0x%x, xrefs: 00007FF670FF5800
LsapBuildSD: Could not open %ws, %d, xrefs: 00007FF670FF57D0
\SECURITY\LSA_AUTHENTICATION_INITIALIZED, xrefs: 00007FF670FF57C1

Memory Dump Source

Source File: 00000000.00000002.2141496588.00007FF670FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF670FF0000, based on PE: true

Associated: 00000000.00000002.2141454745.00007FF670FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141519478.00007FF670FF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF670FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF671000000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff670ff0000_lsass.jbxd

Similarity

API ID: AccessAllowedLength$Security$CreateDescriptorHeap$AllocateCloseDaclErrorEventFreeHandleInitLastObjectOpenStringUnicode
String ID: Failed to set event SD: 0x%x$LsapBuildSD: Could not open %ws, %d$\SECURITY\LSA_AUTHENTICATION_INITIALIZED
API String ID: 3005728438-4258887979
Opcode ID: 6abc520488d19def496a043c590a70bfebc8871324256bd286a9b73a6291d30c
Instruction ID: f11fd8d6bfa1e3cf1100021744d69497a9c63a56b3d3f53ca29aa0cdda4ad67c
Opcode Fuzzy Hash: 6abc520488d19def496a043c590a70bfebc8871324256bd286a9b73a6291d30c
Instruction Fuzzy Hash: A3612E22B2CB82E7E7109B55A8442756BA8FB8AB85F445131CE0ED7750DF7DF446CB20

Function 00007FF670FF4500 Relevance: 35.2, APIs: 10, Strings: 10, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlInitUnicodeString.NTDLL ref: 00007FF670FF453C
NtCreatePort.NTDLL ref: 00007FF670FF4589
RtlInitUnicodeString.NTDLL ref: 00007FF670FF45B8
NtConnectPort.NTDLL ref: 00007FF670FF45EE
NtListenPort.NTDLL ref: 00007FF670FF462C
NtAcceptConnectPort.NTDLL ref: 00007FF670FF4667
NtCompleteConnectPort.NTDLL ref: 00007FF670FF4684
CreateThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF670FF46B6
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF670FF46CE
NtClose.NTDLL ref: 00007FF670FF5B45

Strings

LsapRmInitializeServer: NtListenPort failed: 0x%lx, xrefs: 00007FF670FF5B88
LsapRmInitializeServer: NtCompleteConnectPort failed: 0x%lx, xrefs: 00007FF670FF5BD4
0, xrefs: 00007FF670FF454D
\SeRmCommandPort, xrefs: 00007FF670FF459F
LsapRmInitializeServer: CreateThread failed: 0x%lx, xrefs: 00007FF670FF5BFA
LsapRmInitializeServer: NtCreatePort failed: 0x%lx, xrefs: 00007FF670FF5B03
\SeLsaCommandPort, xrefs: 00007FF670FF4530
LsapRmInitializeServer: Server protocol mismatch, xrefs: 00007FF670FF5B62
LsapRmInitializeServer: NtAcceptConnectPort failed: 0x%lx, xrefs: 00007FF670FF5BAE
LsapRmInitializeServer: NtConnectPort failed: 0x%lx, xrefs: 00007FF670FF5B29

Memory Dump Source

Source File: 00000000.00000002.2141496588.00007FF670FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF670FF0000, based on PE: true

Associated: 00000000.00000002.2141454745.00007FF670FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141519478.00007FF670FF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF670FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF671000000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff670ff0000_lsass.jbxd

Similarity

API ID: Port$Connect$CloseCreateInitStringUnicode$AcceptCompleteHandleListenThread
String ID: 0$LsapRmInitializeServer: CreateThread failed: 0x%lx$LsapRmInitializeServer: NtAcceptConnectPort failed: 0x%lx$LsapRmInitializeServer: NtCompleteConnectPort failed: 0x%lx$LsapRmInitializeServer: NtConnectPort failed: 0x%lx$LsapRmInitializeServer: NtCreatePort failed: 0x%lx$LsapRmInitializeServer: NtListenPort failed: 0x%lx$LsapRmInitializeServer: Server protocol mismatch$\SeLsaCommandPort$\SeRmCommandPort
API String ID: 930521548-1997921343
Opcode ID: 3c840595d18e7e85745ffedd1369cc2e6112a80490d38167f083d6cdedc30972
Instruction ID: 9c5eafd2f5a3906be66ff74d610b7029e9881220bf48144d7540b40a1a6d2270
Opcode Fuzzy Hash: 3c840595d18e7e85745ffedd1369cc2e6112a80490d38167f083d6cdedc30972
Instruction Fuzzy Hash: 41812633A2CB86AAE7109B50E4806A9B7A9FB89744F401136CE4DC7754EFBCF145CB60

Function 00007FF670FF1E10 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 154
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

KsecRpcIncomingBuffer is NULL returning from ksecdd., xrefs: 00007FF670FF1E73
IOCTL_KSEC_IPC_GET_QUEUED_FUNCTION_CALLS failed. Error %d, xrefs: 00007FF670FF206F
Out of memory while processing work from ksecdd, xrefs: 00007FF670FF1F03
Error requesting async ksecdd function call: %d, xrefs: 00007FF670FF1E38
Error processing work on worker thread: %d, xrefs: 00007FF670FF1F59

Memory Dump Source

Source File: 00000000.00000002.2141496588.00007FF670FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF670FF0000, based on PE: true

Associated: 00000000.00000002.2141454745.00007FF670FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141519478.00007FF670FF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF670FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF671000000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff670ff0000_lsass.jbxd

Similarity

API ID: Printstrcpy_s
String ID: Error processing work on worker thread: %d$Error requesting async ksecdd function call: %d$IOCTL_KSEC_IPC_GET_QUEUED_FUNCTION_CALLS failed. Error %d$KsecRpcIncomingBuffer is NULL returning from ksecdd.$Out of memory while processing work from ksecdd
API String ID: 3787927933-2101580765
Opcode ID: bec0eb10cb48b36c8b9a3e34b002e5c4ec85025f2c15571b0c26bb520b549cee
Instruction ID: cccfe88fbbb97929ce85449013dadc2b7f5a7437ae7c20f5ed802673740f8e97
Opcode Fuzzy Hash: bec0eb10cb48b36c8b9a3e34b002e5c4ec85025f2c15571b0c26bb520b549cee
Instruction Fuzzy Hash: A6710533A2CAC6A2E6509B11E84026976A9FB45B90F445535CE4ED77A4CF3DF446CF20

Function 00007FF670FF2650 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 102
threadmemorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsAlloc.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF670FF265D
NtOpenFile.NTDLL ref: 00007FF670FF269A
CreateThreadpool.API-MS-WIN-CORE-THREADPOOL-L1-2-0 ref: 00007FF670FF26B8
SetThreadpoolThreadMaximum.API-MS-WIN-CORE-THREADPOOL-L1-2-0 ref: 00007FF670FF26E2
CreateThreadpoolIo.API-MS-WIN-CORE-THREADPOOL-L1-2-0 ref: 00007FF670FF2754
NtAllocateVirtualMemory.NTDLL ref: 00007FF670FF279C
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF670FF533E
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF670FF5386

Part of subcall function 00007FF670FF43F0: GetSystemInfo.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF670FF4414
Part of subcall function 00007FF670FF43F0: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF670FF4444
Part of subcall function 00007FF670FF43F0: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF670FF44BB

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF670FF53A3

Strings

FAILED to open %ws, status %x, xrefs: 00007FF670FF536E
FAILED to allocate TLS slot for impersonation token: %d, xrefs: 00007FF670FF5353
Failed to create worker pool: %d, xrefs: 00007FF670FF539A
\Device\KsecDD, xrefs: 00007FF670FF5367
Unable to setup IO completion thread pool object: %d, xrefs: 00007FF670FF53B7

Memory Dump Source

Source File: 00000000.00000002.2141496588.00007FF670FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF670FF0000, based on PE: true

Associated: 00000000.00000002.2141454745.00007FF670FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141519478.00007FF670FF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF670FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF671000000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff670ff0000_lsass.jbxd

Similarity

API ID: ErrorLastThreadpool$CreateOpen$AllocAllocateFileInfoMaximumMemoryQuerySystemThreadValueVirtual
String ID: FAILED to allocate TLS slot for impersonation token: %d$FAILED to open %ws, status %x$Failed to create worker pool: %d$Unable to setup IO completion thread pool object: %d$\Device\KsecDD
API String ID: 4269934032-29491320
Opcode ID: 0171794512f477fe5252ade48e0c5e10f03ce1b324161197bf42ae480ddce56a
Instruction ID: a97ed32d6fafea27c37cf92de4e01812e24e38b0f06a8fd13cc677e4c1deb674
Opcode Fuzzy Hash: 0171794512f477fe5252ade48e0c5e10f03ce1b324161197bf42ae480ddce56a
Instruction Fuzzy Hash: 4051297392CBC2A6E750AB14A8442787AAAFB49790F445236DD1DC73A4DFBCB145CF20

Function 00007FF670FF14B0 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 128
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsSetValue.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF670FF14CC
TlsSetValue.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF670FF1502
NtClose.NTDLL ref: 00007FF670FF1512
RtlEnterCriticalSection.NTDLL ref: 00007FF670FF4F77
RtlLeaveCriticalSection.NTDLL ref: 00007FF670FF4FEC

Strings

Failed to init connection handle. Status: 0x%x, xrefs: 00007FF670FF4FD4
AsyncKsecDD, xrefs: 00007FF670FF4FB2
The registered SSPI extenstion does not support ACH, xrefs: 00007FF670FF5074
Invalid async ksecdd function call: %d, xrefs: 00007FF670FF5024
P, xrefs: 00007FF670FF1580

Memory Dump Source

Source File: 00000000.00000002.2141496588.00007FF670FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF670FF0000, based on PE: true

Associated: 00000000.00000002.2141454745.00007FF670FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141519478.00007FF670FF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF670FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF671000000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff670ff0000_lsass.jbxd

Similarity

API ID: CriticalSectionValue$CloseEnterLeave
String ID: AsyncKsecDD$Failed to init connection handle. Status: 0x%x$Invalid async ksecdd function call: %d$P$The registered SSPI extenstion does not support ACH
API String ID: 761430418-3069603324
Opcode ID: d039fbce875294b45697b531774b534c02e19a775d8752ed146dc0fc0b77d779
Instruction ID: 742ce0d5196c060428ddada359471cde143c67490f867c3b8b82123cf27b77ea
Opcode Fuzzy Hash: d039fbce875294b45697b531774b534c02e19a775d8752ed146dc0fc0b77d779
Instruction Fuzzy Hash: 0D513823A2CA82A6FB149B11E444778676AFF8AB44F545031CD0EC73A5CF7CF546CA60

Function 00007FF670FF2510 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 76
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlInitUnicodeString.NTDLL ref: 00007FF670FF2525
NtOpenFile.NTDLL ref: 00007FF670FF2582
NtDeviceIoControlFile.NTDLL ref: 00007FF670FF25D4
NtSetInformationFile.NTDLL ref: 00007FF670FF2613

Strings

FAILED to open %ws, status %x, xrefs: 00007FF670FF52E9
FAILED to send ioctl, status %x, xrefs: 00007FF670FF530F
0, xrefs: 00007FF670FF2533
Failed to set IOCTL completion modes: 0x%lx, xrefs: 00007FF670FF5324
\Device\KsecDD, xrefs: 00007FF670FF2519
), xrefs: 00007FF670FF260B

Memory Dump Source

Source File: 00000000.00000002.2141496588.00007FF670FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF670FF0000, based on PE: true

Associated: 00000000.00000002.2141454745.00007FF670FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141519478.00007FF670FF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF670FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF671000000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff670ff0000_lsass.jbxd

Similarity

API ID: File$ControlDeviceInformationInitOpenStringUnicode
String ID: )$0$FAILED to open %ws, status %x$FAILED to send ioctl, status %x$Failed to set IOCTL completion modes: 0x%lx$\Device\KsecDD
API String ID: 418738462-3470522629
Opcode ID: 4e328e762357967a101232e4f3e82f125420dcd6220893dbf7a07ceb950ddc9c
Instruction ID: fce4be67929bdb5c1f5bbb90f2526777fa79d85b9bb07864a26c8fe7b64eb4b2
Opcode Fuzzy Hash: 4e328e762357967a101232e4f3e82f125420dcd6220893dbf7a07ceb950ddc9c
Instruction Fuzzy Hash: 0741E433A2CB82A6E7209B10E4407AAB7A9FB85744F905136DA8DC3754DF7CE149CF20

Function 00007FF670FF15C0 Relevance: 16.3, APIs: 5, Strings: 4, Instructions: 551memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 00007FF670FF1A1F
memset.API-MS-WIN-CORE-CRT-L1-1-0 ref: 00007FF670FF1A3F
memcpy.API-MS-WIN-CORE-CRT-L1-1-0 ref: 00007FF670FF1B20
memcpy.API-MS-WIN-CORE-CRT-L1-1-0 ref: 00007FF670FF1C78
RtlFreeHeap.NTDLL ref: 00007FF670FF1CA7

Strings

AsyncProcessSecurityContext, xrefs: 00007FF670FF1868
The registered SSPI extenstion does not support PSC, xrefs: 00007FF670FF1DE0
%hs - Ignoring API status as marshaling failed, xrefs: 00007FF670FF1871
Unable to marshal result to caller - sending status only. Status: 0x%x , xrefs: 00007FF670FF1CD0

Memory Dump Source

Source File: 00000000.00000002.2141496588.00007FF670FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF670FF0000, based on PE: true

Associated: 00000000.00000002.2141454745.00007FF670FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141519478.00007FF670FF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF670FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF671000000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff670ff0000_lsass.jbxd

Similarity

API ID: Heapmemcpy$AllocateFreememset
String ID: %hs - Ignoring API status as marshaling failed$AsyncProcessSecurityContext$The registered SSPI extenstion does not support PSC$Unable to marshal result to caller - sending status only. Status: 0x%x
API String ID: 1198260955-2715783643
Opcode ID: d3e7c02a1baa2e3ec3beeb51cd41bae28a40bdded41a7396fdfd41674998f21d
Instruction ID: 6ced27a2fb5aa7f4baf3f8203ec297e65fa0315d8424f10392825ed0ba14bf96
Opcode Fuzzy Hash: d3e7c02a1baa2e3ec3beeb51cd41bae28a40bdded41a7396fdfd41674998f21d
Instruction Fuzzy Hash: 85429A37A29B8196EB14CB25D4846AD73A9FB88B84F548635CE4D93754DF3CF481CB10

Function 00007FF670FF43F0 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 83registryCOMMON

Download Yara Rule

APIs

GetSystemInfo.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF670FF4414
RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF670FF4444
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF670FF44BB

Strings

%S reg value is missing or invalid, setting %d max async worker threads., xrefs: 00007FF670FF5AD2
RegOpenKeyEx(%S) failed: %d, xrefs: 00007FF670FF5ABB
System\CurrentControlSet\Control\Lsa, xrefs: 00007FF670FF4436, 00007FF670FF5AB4
%S reg value is valid, setting %d max async worker threads., xrefs: 00007FF670FF5A9B
MaxAsyncWorkerThreadsPerCpu, xrefs: 00007FF670FF44A9, 00007FF670FF5ADC

Memory Dump Source

Source File: 00000000.00000002.2141496588.00007FF670FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF670FF0000, based on PE: true

Associated: 00000000.00000002.2141454745.00007FF670FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141519478.00007FF670FF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF670FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF671000000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff670ff0000_lsass.jbxd

Similarity

API ID: InfoOpenQuerySystemValue
String ID: %S reg value is missing or invalid, setting %d max async worker threads.$%S reg value is valid, setting %d max async worker threads.$MaxAsyncWorkerThreadsPerCpu$RegOpenKeyEx(%S) failed: %d$System\CurrentControlSet\Control\Lsa
API String ID: 1723273871-1864339747
Opcode ID: 3262d8f56931d4e025d329bc8ab3e7d016a9381a27b2e5142c0d4870a4f0f3e6
Instruction ID: eacb96dafa24183b54ca8cd2c0d18ede48893c7893acb515169ce3f2a4338184
Opcode Fuzzy Hash: 3262d8f56931d4e025d329bc8ab3e7d016a9381a27b2e5142c0d4870a4f0f3e6
Instruction Fuzzy Hash: 42416A23A2DAC2A6EA20DB10E4847A97368FB84754F445235DE4DD3790EF7CF589CB20

Function 00007FF670FF24A0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

RpcServerListen.RPCRT4 ref: 00007FF670FF24B2
I_RpcMapWin32Status.RPCRT4 ref: 00007FF670FF24C0
CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF670FF24DC
SetEvent.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF670FF24F4
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF670FF5298
OpenEventW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF670FF52BD

Strings

LSA_RPC_SERVER_ACTIVE, xrefs: 00007FF670FF24CF, 00007FF670FF52AF

Memory Dump Source

Source File: 00000000.00000002.2141496588.00007FF670FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF670FF0000, based on PE: true

Associated: 00000000.00000002.2141454745.00007FF670FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141519478.00007FF670FF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF670FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF671000000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff670ff0000_lsass.jbxd

Similarity

API ID: Event$CreateErrorLastListenOpenServerStatusWin32
String ID: LSA_RPC_SERVER_ACTIVE
API String ID: 2333346198-676222292
Opcode ID: 107d00f422c140182653bcef98be9c980e0dcc3dff63146eb792c6eccc540188
Instruction ID: b1ade91fe8188e23fdaf964e4a74878b106eae51175a8b97c4c622fb263a5ac6
Opcode Fuzzy Hash: 107d00f422c140182653bcef98be9c980e0dcc3dff63146eb792c6eccc540188
Instruction Fuzzy Hash: F2011232A2D682E7E7545B10E8042786A95FF8EB11F898575CD0ED7350DF7CB549CE20

Function 00007FF670FF3550 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 31nativeCOMMON

Download Yara Rule

APIs

RtlInitUnicodeString.NTDLL ref: 00007FF670FF3565
NtOpenEvent.NTDLL ref: 00007FF670FF35AF
RtlNtStatusToDosError.NTDLL ref: 00007FF670FF581A
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF670FF5828

Strings

@, xrefs: 00007FF670FF3599
0, xrefs: 00007FF670FF3576
\SECURITY\LSA_AUTHENTICATION_INITIALIZED, xrefs: 00007FF670FF3559

Memory Dump Source

Source File: 00000000.00000002.2141496588.00007FF670FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF670FF0000, based on PE: true

Associated: 00000000.00000002.2141454745.00007FF670FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141519478.00007FF670FF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF670FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF671000000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff670ff0000_lsass.jbxd

Similarity

API ID: Error$EventInitLastOpenStatusStringUnicode
String ID: 0$@$\SECURITY\LSA_AUTHENTICATION_INITIALIZED
API String ID: 1829697641-1309367779
Opcode ID: 3ee69b9f7fe7d5b51228079679dfe1ea3bd5f1c4b2418dcc8a699adcbd9e0786
Instruction ID: dd72684d60f687b30d04eab6f804a4657bbb308384c8c2cd9be6b4567d9cd468
Opcode Fuzzy Hash: 3ee69b9f7fe7d5b51228079679dfe1ea3bd5f1c4b2418dcc8a699adcbd9e0786
Instruction Fuzzy Hash: 2701DB32A2CAC196DB108B20E4443AABBA4FB89744F945125DA8E97754DF7CD149CF50

Function 00007FF670FF494C Relevance: 9.0, APIs: 6, Instructions: 49timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF670FF497C
GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF670FF498A
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF670FF4996
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF670FF49A2
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF670FF49B2
QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0 ref: 00007FF670FF49CD

Memory Dump Source

Source File: 00000000.00000002.2141496588.00007FF670FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF670FF0000, based on PE: true

Associated: 00000000.00000002.2141454745.00007FF670FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141519478.00007FF670FF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF670FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF671000000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff670ff0000_lsass.jbxd

Similarity

API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 4104442557-0
Opcode ID: f9034db8db06b15acdfbb2eb8ca8321a74d8e79f887fee5fa6c3e4f60b8b5fb4
Instruction ID: 7f353438915e3baa1b767aade9a8616b498e1a8117744cfbf94eb9a7c980edc2
Opcode Fuzzy Hash: f9034db8db06b15acdfbb2eb8ca8321a74d8e79f887fee5fa6c3e4f60b8b5fb4
Instruction Fuzzy Hash: 83111D22B19B819AEB00DF60E8442A833A8FB09758F400A35EE5DC7794DF7CE5A5C754

Function 00007FF670FF1170 Relevance: 7.5, APIs: 5, Instructions: 42nativethreadCOMMON

Download Yara Rule

APIs

TlsGetValue.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF670FF118A
GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF670FF4EC5
GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF670FF4ED4
DuplicateHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF670FF4F04
NtSetInformationThread.NTDLL ref: 00007FF670FF4F31

Memory Dump Source

Source File: 00000000.00000002.2141496588.00007FF670FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF670FF0000, based on PE: true

Associated: 00000000.00000002.2141454745.00007FF670FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141519478.00007FF670FF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF670FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF671000000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff670ff0000_lsass.jbxd

Similarity

API ID: CurrentProcess$DuplicateHandleInformationThreadValue
String ID:
API String ID: 2014987598-0
Opcode ID: 1b5136a208f2c25444dd4bc9e9ddf789073cec38cf328338cc10ecee92c6dbe7
Instruction ID: 2bd6459306b11aca6457552f2b9b4bd4e01550f31f5b2099b2cf641e23e0358f
Opcode Fuzzy Hash: 1b5136a208f2c25444dd4bc9e9ddf789073cec38cf328338cc10ecee92c6dbe7
Instruction Fuzzy Hash: 31110A32618B81CAE6008F51E804379BBA4FB8ABA5F488234DE5D97794CF7CE409CB10

Function 00007FF670FF1010 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 57nativeCOMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CORE-CRT-L1-1-0 ref: 00007FF670FF107F
NtRequestWaitReplyPort.NTDLL ref: 00007FF670FF1095

Strings

LsapCallRm: Command sent from LSA to RM failed: 0x%lx, xrefs: 00007FF670FF4E8D

Memory Dump Source

Source File: 00000000.00000002.2141496588.00007FF670FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF670FF0000, based on PE: true

Associated: 00000000.00000002.2141454745.00007FF670FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141519478.00007FF670FF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF670FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF671000000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff670ff0000_lsass.jbxd

Similarity

API ID: PortReplyRequestWaitmemcpy
String ID: LsapCallRm: Command sent from LSA to RM failed: 0x%lx
API String ID: 588455312-852739191
Opcode ID: 9ebe98563c8e98c9322fbeb7af6b4d54fac5ee88f59f0f088cf753b353241b78
Instruction ID: 49648f7be7e52304d24bbbbb348d87ac67dd9d2f690532b66c51476264347c07
Opcode Fuzzy Hash: 9ebe98563c8e98c9322fbeb7af6b4d54fac5ee88f59f0f088cf753b353241b78
Instruction Fuzzy Hash: 65212A23A2C6C2A6EB30AB15E444BA96268FB89744F401136DE4DC7BA5CF7DF585CF10

Function 00007FF670FF5DC0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38filenativeCOMMON

Download Yara Rule

APIs

NtDeviceIoControlFile.NTDLL ref: 00007FF670FF5E44

Strings

0, xrefs: 00007FF670FF5E0F
<, xrefs: 00007FF670FF5E33

Memory Dump Source

Source File: 00000000.00000002.2141496588.00007FF670FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF670FF0000, based on PE: true

Associated: 00000000.00000002.2141454745.00007FF670FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141519478.00007FF670FF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF670FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF671000000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff670ff0000_lsass.jbxd

Similarity

API ID: ControlDeviceFile
String ID: 0$<
API String ID: 3512290074-95265187
Opcode ID: 53398734940d5b0fcf1b4b49582678c8f88c8c3b73eddad79cc3e865c087a130
Instruction ID: 453c499bdbbc26aa81eafc4d3b3a7ba4d594011800c426acf0b02671082a833d
Opcode Fuzzy Hash: 53398734940d5b0fcf1b4b49582678c8f88c8c3b73eddad79cc3e865c087a130
Instruction Fuzzy Hash: 47114633A1CB84C5E3208B14E48836E77A4F789790F515239DB9D83764DF39D598CB00

Function 00007FF670FF20D0 Relevance: 3.0, APIs: 2, Instructions: 50nativeCOMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CORE-CRT-L1-1-0 ref: 00007FF670FF2116
NtReplyWaitReceivePort.NTDLL ref: 00007FF670FF212F

Memory Dump Source

Source File: 00000000.00000002.2141496588.00007FF670FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF670FF0000, based on PE: true

Associated: 00000000.00000002.2141454745.00007FF670FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141519478.00007FF670FF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF670FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF671000000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff670ff0000_lsass.jbxd

Similarity

API ID: PortReceiveReplyWaitmemset
String ID:
API String ID: 1999590558-0
Opcode ID: cc708829147770dee30ca4b05b4ca2cb57c529d1e532347d68d010b765aef9c0
Instruction ID: f0bce06d686ad3349dd074b95f876a28412cfd5e24d4806533983700417d352a
Opcode Fuzzy Hash: cc708829147770dee30ca4b05b4ca2cb57c529d1e532347d68d010b765aef9c0
Instruction Fuzzy Hash: 96212C23A2CAC6A1E6219F54E8842BAA3A5FF88744F444135DB8DC3754DF3CE146DF10

Function 00007FF670FF1390 Relevance: 1.5, APIs: 1, Instructions: 17filenativeCOMMON

Download Yara Rule

APIs

NtDeviceIoControlFile.NTDLL ref: 00007FF670FF13CB

Memory Dump Source

Source File: 00000000.00000002.2141496588.00007FF670FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF670FF0000, based on PE: true

Associated: 00000000.00000002.2141454745.00007FF670FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141519478.00007FF670FF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF670FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF671000000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff670ff0000_lsass.jbxd

Similarity

API ID: ControlDeviceFile
String ID:
API String ID: 3512290074-0
Opcode ID: 668f92e07f5a9bf0d30e045b9d269a06976b1fe05938d5a44826a5ccc55c35d0
Instruction ID: 324598b2f91acc9d9e6a0ca3c02dd244bdefcc7a20c7b83723c3b4659e24939e
Opcode Fuzzy Hash: 668f92e07f5a9bf0d30e045b9d269a06976b1fe05938d5a44826a5ccc55c35d0
Instruction Fuzzy Hash: 26E0C977928B8087D720DB54B44165ABBA4F7C9744F906125EB8A83B18DF3CD015CF04

Function 00007FF670FF35E0 Relevance: 29.9, APIs: 8, Strings: 9, Instructions: 118
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF670FF3B00: RtlAllocateHeap.NTDLL ref: 00007FF670FF3B81
Part of subcall function 00007FF670FF3B00: RtlCreateSecurityDescriptor.NTDLL ref: 00007FF670FF3BA1
Part of subcall function 00007FF670FF3B00: GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF670FF3BB7
Part of subcall function 00007FF670FF3B00: OpenProcessToken.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF670FF3BD0
Part of subcall function 00007FF670FF3B00: GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF670FF3C01
Part of subcall function 00007FF670FF3B00: RtlLengthSid.NTDLL ref: 00007FF670FF3C24
Part of subcall function 00007FF670FF3B00: RtlLengthSid.NTDLL ref: 00007FF670FF3C39
Part of subcall function 00007FF670FF3B00: RtlAllocateHeap.NTDLL ref: 00007FF670FF3C5F
Part of subcall function 00007FF670FF3B00: RtlSetOwnerSecurityDescriptor.NTDLL ref: 00007FF670FF3C81
Part of subcall function 00007FF670FF3B00: RtlCreateAcl.NTDLL ref: 00007FF670FF3CA1
Part of subcall function 00007FF670FF3B00: RtlAddAccessAllowedAce.NTDLL ref: 00007FF670FF3CCC

RpcServerUseProtseqEpW.RPCRT4 ref: 00007FF670FF3620
RtlFreeHeap.NTDLL ref: 00007FF670FF364B
RpcServerUseProtseqEpW.RPCRT4 ref: 00007FF670FF368E
RpcServerRegisterIf3.RPCRT4 ref: 00007FF670FF36D5
RtlFreeHeap.NTDLL ref: 00007FF670FF36F7

Strings

LsapRPCInit: RpcServerUseProtseqEpW failed: 0x%lx, xrefs: 00007FF670FF5867
LsapRPCInit: RpcServerUseProtseqEp failed for ncalrpc: 0x%lx, xrefs: 00007FF670FF58C7
ncalrpc, xrefs: 00007FF670FF3682
LsapLookupRpcInit: LsapMakeLowBoxRpcSD failed %#x, xrefs: 00007FF670FF58A3
\pipe\lsass, xrefs: 00007FF670FF360F
lsapolicylookup, xrefs: 00007FF670FF3678
LsapRPCInit: RpcServerRegisterIf2 failed: 0x%lx, xrefs: 00007FF670FF5870
ncacn_np, xrefs: 00007FF670FF3619
LsapRPCInit: failed to build pipe SD: 0x%lx, xrefs: 00007FF670FF5847

Memory Dump Source

Source File: 00000000.00000002.2141496588.00007FF670FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF670FF0000, based on PE: true

Associated: 00000000.00000002.2141454745.00007FF670FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141519478.00007FF670FF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF670FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF671000000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff670ff0000_lsass.jbxd

Similarity

API ID: Heap$Server$AllocateCreateDescriptorFreeLengthProcessProtseqSecurityToken$AccessAllowedCurrentInformationOpenOwnerRegister
String ID: LsapLookupRpcInit: LsapMakeLowBoxRpcSD failed %#x$LsapRPCInit: RpcServerRegisterIf2 failed: 0x%lx$LsapRPCInit: RpcServerUseProtseqEp failed for ncalrpc: 0x%lx$LsapRPCInit: RpcServerUseProtseqEpW failed: 0x%lx$LsapRPCInit: failed to build pipe SD: 0x%lx$\pipe\lsass$lsapolicylookup$ncacn_np$ncalrpc
API String ID: 101309030-2159772780
Opcode ID: a2e6ec28e67b9fd7d386a7b343d8576f82a6352846eb08262d4de88d22a529e1
Instruction ID: f4d6121cfd32d9817b1a20b3a9c750bcb755f502abef6f003fdad878788a9f0c
Opcode Fuzzy Hash: a2e6ec28e67b9fd7d386a7b343d8576f82a6352846eb08262d4de88d22a529e1
Instruction Fuzzy Hash: 3B515E63A2CA82A6E7109B14E4402B9B7A9FB89B84F405136CE0ED7764DF7CF545CF20

Function 00007FF670FF3720 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 231
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateAndInitializeSid.NTDLL ref: 00007FF670FF3884
RtlAllocateAndInitializeSid.NTDLL ref: 00007FF670FF38C9
RtlAllocateAndInitializeSid.NTDLL ref: 00007FF670FF390E
RtlAllocateAndInitializeSid.NTDLL ref: 00007FF670FF3956
RtlAllocateAndInitializeSid.NTDLL ref: 00007FF670FF399A
RtlAllocateAndInitializeSid.NTDLL ref: 00007FF670FF39E3
RtlDeriveCapabilitySidsFromName.NTDLL ref: 00007FF670FF3A01
RtlCreateAndSetSD.NTDLL ref: 00007FF670FF3A31
RtlFreeSid.NTDLL ref: 00007FF670FF3A54
RtlFreeSid.NTDLL ref: 00007FF670FF3A6A
RtlFreeSid.NTDLL ref: 00007FF670FF3A80
RtlFreeSid.NTDLL ref: 00007FF670FF3A96
RtlFreeSid.NTDLL ref: 00007FF670FF3AAB
RtlFreeSid.NTDLL ref: 00007FF670FF3AC0

Strings

lpacIdentityServices, xrefs: 00007FF670FF3758

Memory Dump Source

Source File: 00000000.00000002.2141496588.00007FF670FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF670FF0000, based on PE: true

Associated: 00000000.00000002.2141454745.00007FF670FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141519478.00007FF670FF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF670FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF671000000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff670ff0000_lsass.jbxd

Similarity

API ID: AllocateFreeInitialize$CapabilityCreateDeriveFromNameSids
String ID: lpacIdentityServices
API String ID: 270063187-619869300
Opcode ID: 850bed3ad35a0aaa1f5b7561a737a667b97a8a1c29c1443ad4c0e44c6ac77ec9
Instruction ID: 9b980b8ea634e618c5e176c5b769c26aa8fe2ed969abc30c0780a3af072cb6d3
Opcode Fuzzy Hash: 850bed3ad35a0aaa1f5b7561a737a667b97a8a1c29c1443ad4c0e44c6ac77ec9
Instruction Fuzzy Hash: CFC1E937A28B919AE7108F64E48019EBBB8FB88748F505126EF8993B18DF7DD144CF50

Function 00007FF670FF2CD0 Relevance: 26.4, APIs: 6, Strings: 9, Instructions: 170
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF670FF2D13
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF670FF2D4C
RtlAllocateHeap.NTDLL ref: 00007FF670FF2D9F
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF670FF2DD6

Part of subcall function 00007FF670FF2FD0: wcschr.API-MS-WIN-CORE-CRT-L1-1-0(?,00000000,00000000,00007FF670FF2E19), ref: 00007FF670FF2FED
Part of subcall function 00007FF670FF2FD0: LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000000,00000000,00007FF670FF2E19), ref: 00007FF670FF3067
Part of subcall function 00007FF670FF2FD0: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000000,00000000,00007FF670FF2E19), ref: 00007FF670FF308D
Part of subcall function 00007FF670FF2FD0: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000000,00000000,00007FF670FF2E19), ref: 00007FF670FF30B3

RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF670FF2E46

Strings

LsapLoadRequiredExtensions: Bad REG_MULTI_SZ size for LSA extensions value, xrefs: 00007FF670FF5561
LsapLoadRequiredExtensions: RegQueryValueEx for LSA key failed with Size %lu: %lu, xrefs: 00007FF670FF558D
LsapLoadRequiredExtensions: Bad reg type %lu for LSA extensions value, xrefs: 00007FF670FF55AF
LsapLoadRequiredExtensions: RegQueryValueEx for LSA key failed: %lu, xrefs: 00007FF670FF550A
LsapLoadRequiredExtensions: RegOpenKeyEx for LSA key failed: %lu, xrefs: 00007FF670FF54D9
System\CurrentControlSet\Control\LsaExtensionConfig\LsaSrv, xrefs: 00007FF670FF2CE5
Extensions, xrefs: 00007FF670FF2D45, 00007FF670FF2DCF
LsapLoadRequiredExtensions: Bad REG_SZ size for LSA extensions value, xrefs: 00007FF670FF5532
LsapLoadRequiredExtensions failed: 0x%x, xrefs: 00007FF670FF55FE

Memory Dump Source

Source File: 00000000.00000002.2141496588.00007FF670FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF670FF0000, based on PE: true

Associated: 00000000.00000002.2141454745.00007FF670FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141519478.00007FF670FF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF670FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF671000000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff670ff0000_lsass.jbxd

Similarity

API ID: AddressProcQueryValue$AllocateCloseHeapLibraryLoadOpenwcschr
String ID: Extensions$LsapLoadRequiredExtensions failed: 0x%x$LsapLoadRequiredExtensions: Bad REG_MULTI_SZ size for LSA extensions value$LsapLoadRequiredExtensions: Bad REG_SZ size for LSA extensions value$LsapLoadRequiredExtensions: Bad reg type %lu for LSA extensions value$LsapLoadRequiredExtensions: RegOpenKeyEx for LSA key failed: %lu$LsapLoadRequiredExtensions: RegQueryValueEx for LSA key failed with Size %lu: %lu$LsapLoadRequiredExtensions: RegQueryValueEx for LSA key failed: %lu$System\CurrentControlSet\Control\LsaExtensionConfig\LsaSrv
API String ID: 2560936009-2540380729
Opcode ID: 15e62ca1fbdbf18b6326764320d2013e54f81fa27f34b70837d0380722beba09
Instruction ID: 4eb1561803c90deceaa8e0d8a8252bb2fe507b243024ed78f793e626bb1125ae
Opcode Fuzzy Hash: 15e62ca1fbdbf18b6326764320d2013e54f81fa27f34b70837d0380722beba09
Instruction Fuzzy Hash: 65716B23A2C682A6EB608B14E850279B7A9FB84B40F585131DE4ED7794DF7CF941CF20

Function 00007FF670FF2880 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 158
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF670FF28D7
RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF670FF2929
wcstol.API-MS-WIN-CORE-CRT-L1-1-0 ref: 00007FF670FF2954
RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF670FF298A

Part of subcall function 00007FF670FF2E80: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,00007FF670FF29AB), ref: 00007FF670FF2EBA
Part of subcall function 00007FF670FF2E80: RtlAllocateHeap.NTDLL ref: 00007FF670FF2F05
Part of subcall function 00007FF670FF2E80: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,00007FF670FF29AB), ref: 00007FF670FF2F3E
Part of subcall function 00007FF670FF2E80: RtlFreeHeap.NTDLL(?,?,?,?,?,00007FF670FF29AB), ref: 00007FF670FF2F8F

RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF670FF29D2
RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF670FF2A0D
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF670FF2A42

Strings

Ignore failure to load LSA extension from %ws: 0x%X, xrefs: 00007FF670FF5415
System\CurrentControlSet\Control\LsaExtensionConfig\Interfaces, xrefs: 00007FF670FF28C5
Ignore failure to load interface %ul from extension %ws: 0x%X, xrefs: 00007FF670FF543D
RegEnumKeyEx failed at index %u: 0x%X, xrefs: 00007FF670FF546B
Ignore failure to open interface reg key %ws: 0x%X, xrefs: 00007FF670FF53EA
LsapLoadLsaInterfaces failed: 0x%X, xrefs: 00007FF670FF5495

Memory Dump Source

Source File: 00000000.00000002.2141496588.00007FF670FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF670FF0000, based on PE: true

Associated: 00000000.00000002.2141454745.00007FF670FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141519478.00007FF670FF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF670FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF671000000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff670ff0000_lsass.jbxd

Similarity

API ID: CloseEnumHeapOpenQueryValue$AllocateFreewcstol
String ID: Ignore failure to load LSA extension from %ws: 0x%X$Ignore failure to load interface %ul from extension %ws: 0x%X$Ignore failure to open interface reg key %ws: 0x%X$LsapLoadLsaInterfaces failed: 0x%X$RegEnumKeyEx failed at index %u: 0x%X$System\CurrentControlSet\Control\LsaExtensionConfig\Interfaces
API String ID: 1856249899-1759407294
Opcode ID: cf9f0174076546a2b90615f0cbfd6a0d667aae48a3f512f7ca916d96d10072d5
Instruction ID: 55147c5c1dbf8f9036d72f749a6b81533be014fecec75ed352ddc1d7f2eac530
Opcode Fuzzy Hash: cf9f0174076546a2b90615f0cbfd6a0d667aae48a3f512f7ca916d96d10072d5
Instruction Fuzzy Hash: BF713D32B2CA82AAE7608F61E8502B87769FB48748F005135CE4DE7B54DF7CE505DB60

Function 00007FF670FF2FD0 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 131
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcschr.API-MS-WIN-CORE-CRT-L1-1-0(?,00000000,00000000,00007FF670FF2E19), ref: 00007FF670FF2FED

Part of subcall function 00007FF670FF3120: _wcsicmp.API-MS-WIN-CORE-CRT-L1-1-0(?,?,00000000,00007FF670FF300A,?,00000000,00000000,00007FF670FF2E19), ref: 00007FF670FF314C

Part of subcall function 00007FF670FF31A0: RtlAllocateHeap.NTDLL ref: 00007FF670FF31D0
Part of subcall function 00007FF670FF31A0: RtlAllocateHeap.NTDLL ref: 00007FF670FF322F

LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000000,00000000,00007FF670FF2E19), ref: 00007FF670FF3067
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000000,00000000,00007FF670FF2E19), ref: 00007FF670FF308D
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000000,00000000,00007FF670FF2E19), ref: 00007FF670FF30B3
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00000000,00007FF670FF2E19), ref: 00007FF670FF5645
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00000000,00007FF670FF2E19), ref: 00007FF670FF5675
RtlNtStatusToDosError.NTDLL ref: 00007FF670FF56C7

Strings

LsaInitializeExtension: Can't get init routine for %ws: %lu, xrefs: 00007FF670FF568F
QueryLsaInterface, xrefs: 00007FF670FF30A5
LsapLoadLsaExtension: Can't load library for %ws: %lu, xrefs: 00007FF670FF565F
InitializeLsaExtension, xrefs: 00007FF670FF307F
LsaInitializeExtension: Init routine for %ws failed: 0x%lx, xrefs: 00007FF670FF56B1

Memory Dump Source

Source File: 00000000.00000002.2141496588.00007FF670FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF670FF0000, based on PE: true

Associated: 00000000.00000002.2141454745.00007FF670FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141519478.00007FF670FF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF670FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF671000000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff670ff0000_lsass.jbxd

Similarity

API ID: Error$AddressAllocateHeapLastProc$LibraryLoadStatus_wcsicmpwcschr
String ID: InitializeLsaExtension$LsaInitializeExtension: Can't get init routine for %ws: %lu$LsaInitializeExtension: Init routine for %ws failed: 0x%lx$LsapLoadLsaExtension: Can't load library for %ws: %lu$QueryLsaInterface
API String ID: 3760715416-925660137
Opcode ID: 83c2e5219bb234051b898bfcea99360255b6155258536f4c90e73e430355c187
Instruction ID: 9345961c67e27aeb5a49cfb6265815d7b79a835416f7e7241b7207d0e1296f18
Opcode Fuzzy Hash: 83c2e5219bb234051b898bfcea99360255b6155258536f4c90e73e430355c187
Instruction Fuzzy Hash: FF514C33A2DB82A7EB148B11A40027876A8FB44B94F894136CE0ED7790EF7CB551CF60

Function 00007FF670FF5C34 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 80stringCOMMON

Download Yara Rule

APIs

strcpy_s.API-MS-WIN-CORE-CRT-L1-1-0 ref: 00007FF670FF5CAC
DbgPrintEx.NTDLL ref: 00007FF670FF5CCB
_vsnprintf_s.API-MS-WIN-CORE-CRT-L1-1-0 ref: 00007FF670FF5D31
DbgPrintEx.NTDLL ref: 00007FF670FF5D50
DbgPrintEx.NTDLL ref: 00007FF670FF5D65

Strings

Error printing message, xrefs: 00007FF670FF5D47
, xrefs: 00007FF670FF5D1E
Error printing message: Bad ComponentName, xrefs: 00007FF670FF5CC2

Memory Dump Source

Source File: 00000000.00000002.2141496588.00007FF670FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF670FF0000, based on PE: true

Associated: 00000000.00000002.2141454745.00007FF670FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141519478.00007FF670FF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF670FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF671000000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff670ff0000_lsass.jbxd

Similarity

API ID: Print$_vsnprintf_sstrcpy_s
String ID: $Error printing message$Error printing message: Bad ComponentName
API String ID: 3553409722-1160014140
Opcode ID: 4b3a8ac37d490b3f6776a85756809935cd66aaa570da6ba9245325964ddfffd7
Instruction ID: e6f80326568bedd4152cfd859ff06008a8e770878c7402ddb2693b5eb7da8500
Opcode Fuzzy Hash: 4b3a8ac37d490b3f6776a85756809935cd66aaa570da6ba9245325964ddfffd7
Instruction Fuzzy Hash: 62414C32A2CBC296E7108B20A4543A977A9FB89B40F545235CE5ED7794CF3CF106CB10

Function 00007FF670FF3290 Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF670FF3550: RtlInitUnicodeString.NTDLL ref: 00007FF670FF3565
Part of subcall function 00007FF670FF3550: NtOpenEvent.NTDLL ref: 00007FF670FF35AF

SetEvent.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF670FF32AA
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF670FF32C1
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF670FF5739
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF670FF5773
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF670FF5796

Strings

SetKsecEvent: Could not open event %ws: %lu, xrefs: 00007FF670FF5754
SetKsecEvent: Failed to set ksec event: %lu, xrefs: 00007FF670FF577F
\SECURITY\LSA_AUTHENTICATION_INITIALIZED, xrefs: 00007FF670FF5745

Memory Dump Source

Source File: 00000000.00000002.2141496588.00007FF670FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF670FF0000, based on PE: true

Associated: 00000000.00000002.2141454745.00007FF670FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141519478.00007FF670FF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF670FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF671000000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff670ff0000_lsass.jbxd

Similarity

API ID: CloseErrorEventHandleLast$InitOpenStringUnicode
String ID: SetKsecEvent: Could not open event %ws: %lu$SetKsecEvent: Failed to set ksec event: %lu$\SECURITY\LSA_AUTHENTICATION_INITIALIZED
API String ID: 809771776-2870219596
Opcode ID: 208c6abdec9711598f65e0158595158e30e9393eff1efcbc29aa4e5ef41a8334
Instruction ID: abbd9c5ac1277d608e44f44cab7f157acbbb32c87a16027577b3770b190a6952
Opcode Fuzzy Hash: 208c6abdec9711598f65e0158595158e30e9393eff1efcbc29aa4e5ef41a8334
Instruction Fuzzy Hash: 7211F123A2C687E6FB145B21A8442B86A98EF49B55F485135CD0EDB390DF3CB585CF60

Function 00007FF670FF42E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 53threadsleepCOMMON

Download Yara Rule

APIs

StartThreadpoolIo.API-MS-WIN-CORE-THREADPOOL-L1-2-0 ref: 00007FF670FF4317
DeviceIoControl.API-MS-WIN-CORE-IO-L1-1-0 ref: 00007FF670FF4360
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF670FF4370
CancelThreadpoolIo.API-MS-WIN-CORE-THREADPOOL-L1-2-0 ref: 00007FF670FF43A6
Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF670FF43B7

Strings

IOCTL_KSEC_IPC_GET_QUEUED_FUNCTION_CALLS failed. Error %d, xrefs: 00007FF670FF438E

Memory Dump Source

Source File: 00000000.00000002.2141496588.00007FF670FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF670FF0000, based on PE: true

Associated: 00000000.00000002.2141454745.00007FF670FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141519478.00007FF670FF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF670FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF671000000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff670ff0000_lsass.jbxd

Similarity

API ID: Threadpool$CancelControlDeviceErrorLastSleepStart
String ID: IOCTL_KSEC_IPC_GET_QUEUED_FUNCTION_CALLS failed. Error %d
API String ID: 2717079082-2034248344
Opcode ID: efe3dbda4c9d22f01a96fb8478ecec70392ddb40b96ba97110f809a42686819d
Instruction ID: 8b5dd685b50c7e6057325ef14117651303b292ae383e75a7b7955a122af78bc5
Opcode Fuzzy Hash: efe3dbda4c9d22f01a96fb8478ecec70392ddb40b96ba97110f809a42686819d
Instruction Fuzzy Hash: 7D210A3392CAC1A6E710AB01A840579BAA9FB89B81F445135DE4ED7764CF7CF546CB10

Function 00007FF670FF2E80 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 82memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,00007FF670FF29AB), ref: 00007FF670FF2EBA
RtlAllocateHeap.NTDLL ref: 00007FF670FF2F05
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,00007FF670FF29AB), ref: 00007FF670FF2F3E
RtlFreeHeap.NTDLL(?,?,?,?,?,00007FF670FF29AB), ref: 00007FF670FF2F8F

Part of subcall function 00007FF670FF2FD0: wcschr.API-MS-WIN-CORE-CRT-L1-1-0(?,00000000,00000000,00007FF670FF2E19), ref: 00007FF670FF2FED
Part of subcall function 00007FF670FF2FD0: LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000000,00000000,00007FF670FF2E19), ref: 00007FF670FF3067
Part of subcall function 00007FF670FF2FD0: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000000,00000000,00007FF670FF2E19), ref: 00007FF670FF308D
Part of subcall function 00007FF670FF2FD0: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000000,00000000,00007FF670FF2E19), ref: 00007FF670FF30B3

Strings

Extension, xrefs: 00007FF670FF2EAD, 00007FF670FF2F2F

Memory Dump Source

Source File: 00000000.00000002.2141496588.00007FF670FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF670FF0000, based on PE: true

Associated: 00000000.00000002.2141454745.00007FF670FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141519478.00007FF670FF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF670FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF671000000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff670ff0000_lsass.jbxd

Similarity

API ID: AddressHeapProcQueryValue$AllocateFreeLibraryLoadwcschr
String ID: Extension
API String ID: 61847128-491175892
Opcode ID: 4421651393d5d5b515d2dc0557c9540934e69e32595b0117bc92461119de655b
Instruction ID: aecd180ad7ee3020a524a73119d520a72b0d3723985e0f09d9d229c23050c4ea
Opcode Fuzzy Hash: 4421651393d5d5b515d2dc0557c9540934e69e32595b0117bc92461119de655b
Instruction Fuzzy Hash: 9F311D3272CA8192EB508B15E80016AA7A5FB89B90F944235EE9DC7B94DF3CE445CF10

Function 00007FF670FF4710 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 41COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF670FF474F
SetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF670FF4794

Strings

SystemRoot, xrefs: 00007FF670FF4743
FixupEnvironment: Setting PATH to %ws, xrefs: 00007FF670FF5C1C
Path, xrefs: 00007FF670FF478D

Memory Dump Source

Source File: 00000000.00000002.2141496588.00007FF670FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF670FF0000, based on PE: true

Associated: 00000000.00000002.2141454745.00007FF670FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141519478.00007FF670FF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF670FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF671000000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff670ff0000_lsass.jbxd

Similarity

API ID: EnvironmentVariable
String ID: FixupEnvironment: Setting PATH to %ws$Path$SystemRoot
API String ID: 1431749950-63685687
Opcode ID: 429548a632e4cda0035b4c7d1bf668710c36a0dbdf565ae9989af7319a8b2c6b
Instruction ID: 53de3e57e273948545449af6900805b8995b4670c3f75662be85b34d0bbeaf7a
Opcode Fuzzy Hash: 429548a632e4cda0035b4c7d1bf668710c36a0dbdf565ae9989af7319a8b2c6b
Instruction Fuzzy Hash: D7114F23A2CAC2A2EB109B20E8547B96368FB99704F405135DE4ED3765EF7CF185CE24

Function 00007FF670FF2AF0 Relevance: 7.6, APIs: 5, Instructions: 124memoryCOMMON

Download Yara Rule

APIs

RtlAcquireResourceExclusive.NTDLL ref: 00007FF670FF2B25
RtlAllocateHeap.NTDLL ref: 00007FF670FF2B55
RtlReleaseResource.NTDLL ref: 00007FF670FF2BA5
RtlAcquireResourceShared.NTDLL ref: 00007FF670FF2C31
RtlReleaseResource.NTDLL ref: 00007FF670FF2C5C

Memory Dump Source

Source File: 00000000.00000002.2141496588.00007FF670FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF670FF0000, based on PE: true

Associated: 00000000.00000002.2141454745.00007FF670FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141519478.00007FF670FF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF670FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF671000000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff670ff0000_lsass.jbxd

Similarity

API ID: Resource$AcquireRelease$AllocateExclusiveHeapShared
String ID:
API String ID: 1184658403-0
Opcode ID: 3c72bee56e70b81a63db3848d96423109738bd3ef05a0838ff556a580b943940
Instruction ID: dc64fe76d697adafa73f25fb7f88ebe2c926ae25aafe69919842d3b47437b2e3
Opcode Fuzzy Hash: 3c72bee56e70b81a63db3848d96423109738bd3ef05a0838ff556a580b943940
Instruction Fuzzy Hash: 6D412732A2CA82A6EB508F15E85016877A9FB88B94F598432DE4DC7354DF3CF851CB60

Function 00007FF670FF4CE0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

DeviceIoControl.API-MS-WIN-CORE-IO-L1-1-0(?,?,?,?,?,?,?,00007FF670FF600A), ref: 00007FF670FF4D14
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,00007FF670FF600A), ref: 00007FF670FF4D24

Strings

AsyncKsecSendResponse parameter check failed. Response: 0x%p ResponseSize: 0x%x, xrefs: 00007FF670FF4D71
AsyncKsecSendResponse DeviceIoControl failed. Error: 0x%x, xrefs: 00007FF670FF4D4D

Memory Dump Source

Source File: 00000000.00000002.2141496588.00007FF670FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF670FF0000, based on PE: true

Associated: 00000000.00000002.2141454745.00007FF670FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141519478.00007FF670FF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF670FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF671000000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff670ff0000_lsass.jbxd

Similarity

API ID: ControlDeviceErrorLast
String ID: AsyncKsecSendResponse DeviceIoControl failed. Error: 0x%x$AsyncKsecSendResponse parameter check failed. Response: 0x%p ResponseSize: 0x%x
API String ID: 2645620995-2917768095
Opcode ID: 26e6bc6893c822819c25de5b9ec054255117805be13f6a5d23426108b26867b3
Instruction ID: 44d301070e4c00ec9c6e397f81432657d9f3e9d5b4e65c4a95708a5baf6ba859
Opcode Fuzzy Hash: 26e6bc6893c822819c25de5b9ec054255117805be13f6a5d23426108b26867b3
Instruction Fuzzy Hash: C3119123B2C782A6FB106B55944477C3598AF89B40F444235CE0ECB390DFACB841CA60

Function 00007FF670FF2380 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF670FF2394
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF670FF5204
OpenEventW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF670FF5229

Strings

LSA_SUBSYSTEM_INITIALIZED, xrefs: 00007FF670FF2387, 00007FF670FF521B

Memory Dump Source

Source File: 00000000.00000002.2141496588.00007FF670FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF670FF0000, based on PE: true

Associated: 00000000.00000002.2141454745.00007FF670FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141519478.00007FF670FF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF670FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF671000000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff670ff0000_lsass.jbxd

Similarity

API ID: Event$CreateErrorLastOpen
String ID: LSA_SUBSYSTEM_INITIALIZED
API String ID: 287663209-443175204
Opcode ID: b4573ca23f7e1bc54eca2cbff7b8823785a1b4424b67c20f2c7439f019d9b5c2
Instruction ID: 8d62ca062c26ea6b597f4f10dbfabbce7309e821f9fe4ba12349801e11c00bb3
Opcode Fuzzy Hash: b4573ca23f7e1bc54eca2cbff7b8823785a1b4424b67c20f2c7439f019d9b5c2
Instruction Fuzzy Hash: 0CF03063E2EAC2EAFA545F5098002786694EF89711F848475CD0ED3390CF3C7545CE21

Function 00007FF670FF4910 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 00007FF670FF4A83
RtlLookupFunctionEntry.NTDLL ref: 00007FF670FF4AA2
RtlVirtualUnwind.NTDLL ref: 00007FF670FF4AEF
__raise_securityfailure.LIBCMT ref: 00007FF670FF4BD4

Memory Dump Source

Source File: 00000000.00000002.2141496588.00007FF670FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF670FF0000, based on PE: true

Associated: 00000000.00000002.2141454745.00007FF670FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141519478.00007FF670FF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF670FFE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2141537040.00007FF671000000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff670ff0000_lsass.jbxd

Similarity

API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
String ID:
API String ID: 140117192-0
Opcode ID: cbb0e41fbf2ff064e311a48bc028aa05b758296750af8ad691d823895dd5b11e
Instruction ID: bda961fe80bff53b6b139de84d2e755acc25f7fde764130a3b27e1048eeef1f0
Opcode Fuzzy Hash: cbb0e41fbf2ff064e311a48bc028aa05b758296750af8ad691d823895dd5b11e
Instruction Fuzzy Hash: 8A41C636A2CB81A1EA109B08F8903657369FB88784F904136DD8DC37A4DF7DF546CB24

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report lsass.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

DNS Answers

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: lsass.exePID: 3040, Parent PID: 1028

General

File Activities

File Opened

Volume Information Queried

Section Activities

Sections loaded by Windows

Windows Analysis Report
lsass.exe

Function 00007FF670FF21C0 Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 155
nativethreadCOMMON

Function 00007FF670FF48E0 Relevance: 1.6, APIs: 1, Instructions: 51
COMMON

Function 00007FF670FF3F20 Relevance: 63.3, APIs: 34, Strings: 2, Instructions: 261
memoryCOMMON

Function 00007FF670FF3B00 Relevance: 44.0, APIs: 24, Strings: 1, Instructions: 246
memoryCOMMON

Function 00007FF670FF32E0 Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 155
memorynativeCOMMON

Function 00007FF670FF4500 Relevance: 35.2, APIs: 10, Strings: 10, Instructions: 168
nativethreadCOMMON

Function 00007FF670FF1E10 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 154
COMMON

Function 00007FF670FF2650 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 102
threadmemorynativeCOMMON

Function 00007FF670FF14B0 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 128
nativeCOMMON

Function 00007FF670FF2510 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 76
filenativeCOMMON

Function 00007FF670FF35E0 Relevance: 29.9, APIs: 8, Strings: 9, Instructions: 118
memoryCOMMON

Function 00007FF670FF3720 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 231
memoryCOMMON

Function 00007FF670FF2CD0 Relevance: 26.4, APIs: 6, Strings: 9, Instructions: 170
registrymemoryCOMMON

Function 00007FF670FF2880 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 158
registryCOMMON

Function 00007FF670FF2FD0 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 131
libraryloaderCOMMON