fa6828e1cedcc19289d3e030bc756486328d2a7bfc7b53804006e828fc5d36e8

Analysis

max time kernel
150s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa6828e1cedcc19289d3e030bc756486328d2a7bfc7b53804006e828fc5d36e8.exe
Size

140KB
MD5

0cb4416aeafb245609fdde53974886ac
SHA1

a665f2feed56c97da9c3db9fd68d0a1e44fc8fa2
SHA256

fa6828e1cedcc19289d3e030bc756486328d2a7bfc7b53804006e828fc5d36e8
SHA512

737d0d42ed872188542b85420f28cba447c05d422d7282b490f03ef390940761569a52f8f96b561aed87478dd7ab435d4ff527b682017c7a081e9e2ecc784cb6
SSDEEP

1536:0JoQjKVQrGkYAcANSU+MNG5ipzqYbCa3458X77UsMJn1ogCnzqLcTJLO01DvqKW:3QrrGkYnAS4R77UsMJn1opVwfG

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	fa6828e1cedcc19289d3e030bc756486328d2a7bfc7b53804006e828fc5d36e8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lkheog.exe

Executes dropped EXE 1 IoCs

pid	Process
1292	lkheog.exe

Loads dropped DLL 2 IoCs

pid	Process
1416	fa6828e1cedcc19289d3e030bc756486328d2a7bfc7b53804006e828fc5d36e8.exe
1416	fa6828e1cedcc19289d3e030bc756486328d2a7bfc7b53804006e828fc5d36e8.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\lkheog = "C:\\Users\\Admin\\lkheog.exe /e"	fa6828e1cedcc19289d3e030bc756486328d2a7bfc7b53804006e828fc5d36e8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\lkheog = "C:\\Users\\Admin\\lkheog.exe /j"	lkheog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\lkheog = "C:\\Users\\Admin\\lkheog.exe /a"	lkheog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\lkheog = "C:\\Users\\Admin\\lkheog.exe /p"	lkheog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\lkheog = "C:\\Users\\Admin\\lkheog.exe /m"	lkheog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\lkheog = "C:\\Users\\Admin\\lkheog.exe /u"	lkheog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\lkheog = "C:\\Users\\Admin\\lkheog.exe /g"	lkheog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\lkheog = "C:\\Users\\Admin\\lkheog.exe /b"	lkheog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\lkheog = "C:\\Users\\Admin\\lkheog.exe /w"	lkheog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\lkheog = "C:\\Users\\Admin\\lkheog.exe /l"	lkheog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\lkheog = "C:\\Users\\Admin\\lkheog.exe /d"	lkheog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\lkheog = "C:\\Users\\Admin\\lkheog.exe /o"	lkheog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\lkheog = "C:\\Users\\Admin\\lkheog.exe /h"	lkheog.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	lkheog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\lkheog = "C:\\Users\\Admin\\lkheog.exe /q"	lkheog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\lkheog = "C:\\Users\\Admin\\lkheog.exe /s"	lkheog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\lkheog = "C:\\Users\\Admin\\lkheog.exe /i"	lkheog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\lkheog = "C:\\Users\\Admin\\lkheog.exe /n"	lkheog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\lkheog = "C:\\Users\\Admin\\lkheog.exe /x"	lkheog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\lkheog = "C:\\Users\\Admin\\lkheog.exe /f"	lkheog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\lkheog = "C:\\Users\\Admin\\lkheog.exe /y"	lkheog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\lkheog = "C:\\Users\\Admin\\lkheog.exe /v"	lkheog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\lkheog = "C:\\Users\\Admin\\lkheog.exe /c"	lkheog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\lkheog = "C:\\Users\\Admin\\lkheog.exe /e"	lkheog.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	fa6828e1cedcc19289d3e030bc756486328d2a7bfc7b53804006e828fc5d36e8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\lkheog = "C:\\Users\\Admin\\lkheog.exe /r"	lkheog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\lkheog = "C:\\Users\\Admin\\lkheog.exe /z"	lkheog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\lkheog = "C:\\Users\\Admin\\lkheog.exe /t"	lkheog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\lkheog = "C:\\Users\\Admin\\lkheog.exe /k"	lkheog.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1416	fa6828e1cedcc19289d3e030bc756486328d2a7bfc7b53804006e828fc5d36e8.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe
1292	lkheog.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1416	fa6828e1cedcc19289d3e030bc756486328d2a7bfc7b53804006e828fc5d36e8.exe
1416	fa6828e1cedcc19289d3e030bc756486328d2a7bfc7b53804006e828fc5d36e8.exe
1292	lkheog.exe
1292	lkheog.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 1292	1416	fa6828e1cedcc19289d3e030bc756486328d2a7bfc7b53804006e828fc5d36e8.exe	27
PID 1416 wrote to memory of 1292	1416	fa6828e1cedcc19289d3e030bc756486328d2a7bfc7b53804006e828fc5d36e8.exe	27
PID 1416 wrote to memory of 1292	1416	fa6828e1cedcc19289d3e030bc756486328d2a7bfc7b53804006e828fc5d36e8.exe	27
PID 1416 wrote to memory of 1292	1416	fa6828e1cedcc19289d3e030bc756486328d2a7bfc7b53804006e828fc5d36e8.exe	27

C:\Users\Admin\AppData\Local\Temp\fa6828e1cedcc19289d3e030bc756486328d2a7bfc7b53804006e828fc5d36e8.exe
"C:\Users\Admin\AppData\Local\Temp\fa6828e1cedcc19289d3e030bc756486328d2a7bfc7b53804006e828fc5d36e8.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Users\Admin\lkheog.exe
  "C:\Users\Admin\lkheog.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\lkheog.exe

Filesize
140KB

MD5
15af32b0e5fd0febb1a645d345499c5b

SHA1
d09b9aca815be2303082d836cac370de242ebe69

SHA256
22a9d142de4605c9dd552247e5f78041d9304f06090914ea2cc3bb2891aa2abe

SHA512
c5481a98a8acff3dcb4118ffc99f3bd3af06a21f8286b70bc3ede21cd671c46171282fd8a467a5b2337e837a72fc2ef1a3035ec85d971c0ba8e28cb0ca025d59

Download Submit
C:\Users\Admin\lkheog.exe

Filesize
140KB

MD5
15af32b0e5fd0febb1a645d345499c5b

SHA1
d09b9aca815be2303082d836cac370de242ebe69

SHA256
22a9d142de4605c9dd552247e5f78041d9304f06090914ea2cc3bb2891aa2abe

SHA512
c5481a98a8acff3dcb4118ffc99f3bd3af06a21f8286b70bc3ede21cd671c46171282fd8a467a5b2337e837a72fc2ef1a3035ec85d971c0ba8e28cb0ca025d59

Download Submit
\Users\Admin\lkheog.exe

Filesize
140KB

MD5
15af32b0e5fd0febb1a645d345499c5b

SHA1
d09b9aca815be2303082d836cac370de242ebe69

SHA256
22a9d142de4605c9dd552247e5f78041d9304f06090914ea2cc3bb2891aa2abe

SHA512
c5481a98a8acff3dcb4118ffc99f3bd3af06a21f8286b70bc3ede21cd671c46171282fd8a467a5b2337e837a72fc2ef1a3035ec85d971c0ba8e28cb0ca025d59

Download Submit
\Users\Admin\lkheog.exe

Filesize
140KB

MD5
15af32b0e5fd0febb1a645d345499c5b

SHA1
d09b9aca815be2303082d836cac370de242ebe69

SHA256
22a9d142de4605c9dd552247e5f78041d9304f06090914ea2cc3bb2891aa2abe

SHA512
c5481a98a8acff3dcb4118ffc99f3bd3af06a21f8286b70bc3ede21cd671c46171282fd8a467a5b2337e837a72fc2ef1a3035ec85d971c0ba8e28cb0ca025d59

Download Submit
memory/1416-54-0x0000000074DC1000-0x0000000074DC3000-memory.dmp

Filesize
8KB

Download