MAR-10478915-1.v1 Citrix Bleed | CISA

CISA analyzed four files submitted in connection with exploitation of CVE-2023-4966 (Citrix Bleed) against Citrix NetScaler appliances. Together the files perform registry hive exports, LSASS memory dumping, and remote command execution via WinRM. The toolset comprises a BAT launcher, an EXE that injects a DLL into LSASS to produce a memory dump saved under a PNG file name and then packaged into CAB files, plus a Python script for WinRM access. #CVE-2023-4966 #CitrixNetScaler

Keypoints

  • Four files were submitted for analysis: a.bat, a.exe, a.dll, and a.py (SHA256 listed in the report).
  • a.bat launches a.exe (passing a.dll) and uses reg save to export HKLM\SYSTEM and HKLM\SAM to disk, then runs makecab to create .cab archives from those exports and a PNG file.
  • a.exe calls an RPC endpoint (ncalrpc:[lsasspirpc]) to obtain the LSASS file path and attempts to load a.dll into the running LSASS process; success is indicated by “[*]success”.
  • a.dll creates C:\Users\Public\a.png, loads DbgCore.dll, and invokes MiniDumpWriteDump to write LSASS process memory to that PNG file.
  • a.py is a Python script that attempts to establish WinRM sessions using NTLM (if “hashpasswd” is present) or basic authentication, and can execute supplied commands (defaulting to “whoami”).
  • Artifacts produced include registry hive exports, LSASS memory dumps, and compressed .cab files intended to collect credentials/data for exfiltration.
  • CISA provided YARA rules and hashes for each sample to aid detection and correlation.

MITRE Techniques

  • [T1003.001] OS Credential Dumping: LSASS Memory – a.dll uses the MiniDumpWriteDump API to dump LSASS memory to disk (‘MiniDumpWriteDump function to dump LSASS process memory to disk’).
  • [T1003.002] OS Credential Dumping: Security Account Manager (SAM) – the batch file executes reg save to export the HKLM\SAM hive to disk (‘reg save … saves the HKLM\SAM registry hive into the C:\Windows\Tasks\sam directory’).
  • [T1055] Process Injection – a.exe loads a.dll into the running LSASS process to execute code in LSASS’s context (‘the malware loads the accompanying DLL file called a.dll into the running LSASS process’).
  • [T1021.006] Remote Services: Windows Remote Management – a.py attempts to establish WinRM sessions and execute commands remotely (‘attempts to leverage WinRM to establish a session’).
  • [T1560] Archive Collected Data – the batch file runs makecab to package saved registry hives and the dumped PNG into .cab archives (‘runs three makecab commands to create three Cabinet (.cab) files’).
  • [T1005] Data from Local System – the workflow writes dumped LSASS memory and registry exports to local files (e.g., C:\Users\Public\a.png and C:\Windows\Tasks\sem) for collection (‘dumped process memory is written to a.png’).

Indicators of Compromise

  • [File Hash – SHA256] submitted samples – 17a27b1759f10d1f6f1f51a11c0efea550e2075c2c394259af4d3f855bbcc994 (a.dll), e557e1440e394537cca71ed3d61372106c3c70eb6ef9f07521768f23a0974068 (a.exe)
  • [File Names] dropper/launcher and payloads – a.bat, a.exe, a.dll, a.py
  • [File Paths / Artifacts] registry and dump locations – C:\Windows\Tasks\sem.cab / C:\Windows\Tasks\sem (reg save outputs), C:\Users\Public\a.png (LSASS dump)
  • [Domains/Endpoints] RPC endpoint used to locate LSASS – ncalrpc:[lsasspirpc]
  • [IP Address] local activity indicator – 127.0.0[.]1 (ping loopback calls in the batch file)

This technical summary focuses on the malware’s operational procedure: the attacker-supplied batch file (a.bat) acts as the orchestrator, launching a.exe with a.dll as an argument, writing console output to C:\Windows\Tasks\z.txt, and using reg save to export HKLM\SYSTEM and HKLM\SAM to disk. The batch file then compresses those exported registry hives plus a created PNG file using makecab to produce .cab archives (examples: C:\Windows\Tasks\sem.cab, C:\Windows\Tasks\sam.cab), suggesting preparation of collected credential material for staging or exfiltration.

The a.exe component queries an RPC endpoint (ncalrpc:[lsasspirpc]) to obtain the LSASS path and attempts to load a.dll into the running LSASS process; if successful it prints a success message. Once loaded, a.dll uses CreateFileW to create C:\Users\Public\a.png, loads DbgCore.dll, and calls MiniDumpWriteDump to write LSASS memory to that PNG file. This sequence enables credential extraction by dumping sensitive process memory to disk under a seemingly benign file name and then archiving it.

The a.py Python script facilitates remote command execution via WinRM: it chooses NTLM authentication when the “hashpasswd” keyword is present or falls back to basic auth otherwise, establishes a WinRM session, and runs supplied commands (defaulting to “whoami” if none provided). Combined, these components automate credential harvesting (registry + LSASS dumps), local packaging (.cab), and remote access, illustrating a multi-stage collection and remote-operation capability following exploitation. Read more: https://www.cisa.gov/news-events/analysis-reports/ar23-325a
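The behaviours described above (reg save of the SAM and SYSTEM hives, a non-system DLL loaded into LSASS, LSASS itself writing a .png, makecab packaging from a staging directory, and commands run through WinRM) each leave distinct host telemetry. The following is an added detection example, not CISA's YARA rules or any code from the report: it evaluates a small set of constructed Sysmon-style events against rules derived from the page and reports whether the whole collection chain is present on a host. The event schema, the a.exe location, the parent-process rule for WinRM (commands run by the WinRM provider host, wsmprovhost.exe) and the name of the PNG's .cab output are assumptions; only the two SHA256 values and the file paths come from the report.

```python
"""Host-side detection of the a.bat / a.exe / a.dll / a.py chain.

Added illustration, not CISA's YARA rules. The event records are constructed
to resemble Sysmon-style telemetry (process creation, DLL image load, file
create); the field names are an assumed schema, not a real log format.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# SHA256 values for the two samples quoted in the report.
KNOWN_BAD_SHA256: Dict[str, str] = {
    "17a27b1759f10d1f6f1f51a11c0efea550e2075c2c394259af4d3f855bbcc994": "a.dll",
    "e557e1440e394537cca71ed3d61372106c3c70eb6ef9f07521768f23a0974068": "a.exe",
}

# Directories from which LSASS is expected to load DLLs; anything else is suspicious.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# "reg save hklm\sam ..." / "reg save hklm\system ..." (the hives a.bat exports).
REG_SAVE_HIVE = re.compile(
    r"\breg(?:\.exe)?\s+save\s+(?:hklm|hkey_local_machine)\\(sam|system|security)\b", re.I)
# makecab packaging something out of the staging paths named in the report.
MAKECAB_STAGING = re.compile(
    r"\bmakecab(?:\.exe)?\b.*\\(?:windows\\tasks|users\\public)\\", re.I)


@dataclass
class Event:
    kind: str          # "process" (creation), "imageload" (DLL load), "file" (file create)
    image: str         # image path of the acting process
    cmdline: str = ""  # command line (process events)
    target: str = ""   # DLL path (imageload) or created file path (file)
    sha256: str = ""   # hash of the created process image or loaded DLL, if known
    parent: str = ""   # parent image path (process events)


def is_lsass(image: str) -> bool:
    return image.lower().endswith("\\lsass.exe")


def evaluate(ev: Event) -> List[str]:
    """Return the names of every rule a single event trips."""
    hits: List[str] = []
    if ev.sha256.lower() in KNOWN_BAD_SHA256:
        hits.append("ioc_hash:" + KNOWN_BAD_SHA256[ev.sha256.lower()])
    if ev.kind == "process":
        m = REG_SAVE_HIVE.search(ev.cmdline)
        if m:
            hits.append("reg_save_hive:" + m.group(1).lower())
        if MAKECAB_STAGING.search(ev.cmdline):
            hits.append("makecab_staging")
        # Assumption: commands executed over WinRM are children of wsmprovhost.exe.
        if ev.parent.lower().endswith("\\wsmprovhost.exe"):
            hits.append("winrm_remote_exec")
    elif ev.kind == "imageload" and is_lsass(ev.image):
        # a.dll is loaded into LSASS from a non-system directory.
        if not ev.target.lower().startswith(TRUSTED_DLL_DIRS):
            hits.append("lsass_nonsystem_dll_load")
    elif ev.kind == "file" and is_lsass(ev.image):
        # LSASS does not normally create user files; a.dll's MiniDumpWriteDump output looks like this.
        if ev.target.lower().startswith(("c:\\users\\", "c:\\windows\\tasks\\")):
            hits.append("lsass_file_write")
    return hits


def correlate(events: List[Event]) -> Dict[str, object]:
    """Aggregate hits over one host's events and decide whether the full dump chain is present."""
    hits = sorted({h for ev in events for h in evaluate(ev)})
    chain = {"reg_save_hive:sam", "reg_save_hive:system", "lsass_file_write", "makecab_staging"}
    return {"hits": hits, "credential_dump_chain": chain.issubset(hits)}


# Constructed sample telemetry mirroring the steps described in the report
# (a.exe's directory and the PNG's .cab name are made up for the example).
SAMPLE_EVENTS = [
    Event("process", "C:\\Windows\\System32\\cmd.exe", cmdline=r"reg save hklm\system C:\Windows\Tasks\sem"),
    Event("process", "C:\\Windows\\System32\\cmd.exe", cmdline=r"reg save hklm\sam C:\Windows\Tasks\sam"),
    Event("process", "C:\\Windows\\Tasks\\a.exe", cmdline=r"a.exe a.dll",
          sha256="e557e1440e394537cca71ed3d61372106c3c70eb6ef9f07521768f23a0974068"),
    Event("imageload", "C:\\Windows\\System32\\lsass.exe", target=r"C:\Windows\Tasks\a.dll",
          sha256="17a27b1759f10d1f6f1f51a11c0efea550e2075c2c394259af4d3f855bbcc994"),
    Event("file", "C:\\Windows\\System32\\lsass.exe", target=r"C:\Users\Public\a.png"),
    Event("process", "C:\\Windows\\System32\\cmd.exe",
          cmdline=r"makecab C:\Users\Public\a.png C:\Windows\Tasks\a.cab"),
    Event("process", "C:\\Windows\\System32\\whoami.exe", cmdline="whoami",
          parent="C:\\Windows\\System32\\wsmprovhost.exe"),
    # Benign noise that must not fire.
    Event("imageload", "C:\\Windows\\System32\\lsass.exe", target=r"C:\Windows\System32\cryptdll.dll"),
    Event("process", "C:\\Windows\\System32\\cmd.exe", cmdline=r"reg query hklm\software\microsoft"),
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

The single-event rules are deliberately loose (any non-system DLL in LSASS, any LSASS file write into a user or staging directory) so that renaming the samples does not defeat them; correlating them in `correlate` is what keeps the false-positive rate down, since a legitimate backup job may run `reg save` but will not also have LSASS writing files.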