Analysis
- max time kernel: 151s
- max time network: 59s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 23-11-2022 17:18
Static task: static1
Behavioral task: behavioral1
- Sample: f54e0dd1613d77636ade9475ec2f00e44b5b4d66e031544efa6efa062fb7c15c.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: f54e0dd1613d77636ade9475ec2f00e44b5b4d66e031544efa6efa062fb7c15c.exe
- Resource: win10v2004-20221111-en
The signatures, process tree and dropped files below are from the behavioral1 run (Windows 7 x64, resource win7-20220812-en), which is the run the Analysis block above describes.
General
- Target: f54e0dd1613d77636ade9475ec2f00e44b5b4d66e031544efa6efa062fb7c15c.exe
- Size: 332KB
- MD5: 2bdca1ba567d23802a49a567146cd14a
- SHA1: 0f1517c2b0c988043903a85f4e18042a80f12afb
- SHA256: f54e0dd1613d77636ade9475ec2f00e44b5b4d66e031544efa6efa062fb7c15c
- SHA512: 216d73ff3f25be539e19520ed96db5584f3d72130458f9dd30653e61c464ed389de3f1045ede438301dc77ed5cf19323f2b07028536df052910cd4ecabe904b6
- SSDEEP: 3072:XnkRfAlgkBfrvAk1jrLXvYNJOLlDrDxUfSGIf9b6L6VlMixFGI5FpqMBszsUiztl:gfCZr3rLXeaHDxUadt382FxYI7Uutl
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Key: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- Set value (int) ShowSuperHidden = "0" by f54e0dd1613d77636ade9475ec2f00e44b5b4d66e031544efa6efa062fb7c15c.exe
- Set value (int) ShowSuperHidden = "0" by ltyaof.exe
ShowSuperHidden is the per-user Explorer option "Hide protected operating system files"; writing 0 makes sure files carrying the hidden and system attributes stay out of view even if the user had turned that option off. Both the dropper and the dropped copy write it.
Executes dropped EXE (1 IoC)
- PID 1272 ltyaof.exe
Loads dropped DLL (2 IoCs)
- PID 1352 f54e0dd1613d77636ade9475ec2f00e44b5b4d66e031544efa6efa062fb7c15c.exe (two load events)
Adds Run key to start application (2 TTPs, 51 IoCs)
Key: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run
Value: ltyaof (str) = "C:\\Users\\Admin\\ltyaof.exe /<switch>"
Events in the order the sandbox recorded them (the writer is ltyaof.exe unless noted):
- Set value with switch: /Y, /t, /O, /L, /c, /z, /g, /M
- Key created (f54e0dd1613d77636ade9475ec2f00e44b5b4d66e031544efa6efa062fb7c15c.exe)
- Set value with switch: /F, /r, /S, /b, /B, /V, /w, /e, /m
- Set value with switch: /k (f54e0dd1613d77636ade9475ec2f00e44b5b4d66e031544efa6efa062fb7c15c.exe)
- Set value with switch: /E, /G, /R, /q, /l, /o, /k, /X, /s, /d, /J, /v, /p, /P, /f, /y, /x
- Key created (ltyaof.exe)
- Set value with switch: /u, /I, /T, /h, /A, /U, /n, /C, /Q, /W, /H, /Z, /D, /j
Both the dropper and the dropped copy write the same value name. The single-letter switch changes on almost every rewrite, so it is not a stable indicator; the value name, the executable sitting directly in the user's profile root (C:\Users\Admin\ltyaof.exe) and the hashes under Downloads are.
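As an added triage helper, not part of the sandbox report: a Python script that parses registry rows in the flattened "Set value (type) key = "data" process" form shown above, groups the Run-key writes by value name, and flags the pattern this sample shows. The sample rows are a constructed subset of this report's own entries plus one constructed benign Run entry for contrast; the heuristic (an .exe directly under a user profile root, started with a lone single-letter switch) is an assumption drawn from this sample's behaviour, not a published rule.

```python
import re
from collections import Counter

# Constructed sample input: four of the 49 "Set value" rows for the Run value, the
# ShowSuperHidden write, and one constructed benign Run entry. The first five are
# copied from this report in the flattened form the sandbox emits.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ltyaof = "C:\\Users\\Admin\\ltyaof.exe /Y" ltyaof.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ltyaof = "C:\\Users\\Admin\\ltyaof.exe /t" ltyaof.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ltyaof = "C:\\Users\\Admin\\ltyaof.exe /k" f54e0dd1613d77636ade9475ec2f00e44b5b4d66e031544efa6efa062fb7c15c.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ltyaof = "C:\\Users\\Admin\\ltyaof.exe /j" ltyaof.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" ltyaof.exe',
    # Constructed, not from the report: a vendor updater under Program Files, no switch.
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Program Files\\Vendor\\updater.exe" updater.exe',
]

# One sandbox row: Set value (<type>) <key-path>\<value-name> = "<data>" <writing process>
ROW_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+?) = "(?P<data>.*)" (?P<proc>\S+)$')
# Split a Run value's data into the executable and whatever follows it.
EXE_AND_ARGS = re.compile(r'^"?(?P<exe>.+?\.exe)"?(?:\s+(?P<args>.*))?$', re.IGNORECASE)
# Heuristic (assumption drawn from this sample): an .exe directly under <drive>:\Users\<user>\
PROFILE_ROOT_EXE = re.compile(r'^"?[A-Za-z]:\\Users\\[^\\]+\\[^\\]+\.exe"?(?:\s+(?P<args>.*))?$', re.IGNORECASE)
SINGLE_SWITCH = re.compile(r'^/[A-Za-z]$')


def parse_rows(rows):
    """Turn sandbox rows into dicts; rows that do not fit the pattern are skipped."""
    entries = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        key_path, value_name = m.group('key').rsplit('\\', 1)
        entries.append({
            'type': m.group('type'),
            'key': key_path,
            'name': value_name,
            # The sandbox escapes backslashes inside the quoted data; undo that.
            'data': m.group('data').replace('\\\\', '\\'),
            'proc': m.group('proc'),
        })
    return entries


def classify_run_data(data):
    """Reasons a Run value's data resembles this sample's persistence; empty list if none."""
    reasons = []
    m = PROFILE_ROOT_EXE.match(data)
    if not m:
        return reasons
    reasons.append('executable sits directly in a user profile root')
    if SINGLE_SWITCH.match((m.group('args') or '').strip()):
        reasons.append('started with a lone single-letter switch')
    return reasons


def summarize_run_values(entries):
    """Group Run-key writes by value name: executable, distinct switches, writers, reasons."""
    summary = {}
    for e in entries:
        if not e['key'].lower().endswith('\\currentversion\\run'):
            continue  # e.g. the ShowSuperHidden write lives under Explorer\Advanced
        m = EXE_AND_ARGS.match(e['data'])
        if not m:
            continue
        s = summary.setdefault(e['name'], {'exe': m.group('exe'), 'switches': set(),
                                           'writers': Counter(), 'reasons': set()})
        if m.group('args'):
            s['switches'].add(m.group('args').strip())
        s['writers'][e['proc']] += 1
        s['reasons'].update(classify_run_data(e['data']))
    return summary


def explorer_hiding_changes(entries):
    """(process, value) pairs for every ShowSuperHidden write seen."""
    return [(e['proc'], e['data']) for e in entries if e['name'] == 'ShowSuperHidden']


if __name__ == '__main__':
    entries = parse_rows(SAMPLE_ROWS)
    for name, s in summarize_run_values(entries).items():
        print(f"Run\\{name}: {s['exe']} switches={sorted(s['switches'])} "
              f"writers={dict(s['writers'])} reasons={sorted(s['reasons'])}")
    for proc, data in explorer_hiding_changes(entries):
        print(f"ShowSuperHidden set to {data} by {proc}")
```

Fed the full 51-row list from the report, the same functions give one value name with 48 distinct switches written by two processes, which is the point of summarising by value name rather than by row: the churn collapses to a single persistence entry to hunt for.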
Enumerates physical storage devices (1 TTP)
Sandbox description: attempts to interact with connected storage/optical drive(s); likely ransomware behaviour.
This is a generic heuristic. Nothing else in this report corroborates encryption activity: the only file the run produced is the dropped copy under Downloads, and no signature records mass file writes or renames. Treat the drive enumeration as worth noting, not as evidence of ransomware on its own.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 1352 f54e0dd1613d77636ade9475ec2f00e44b5b4d66e031544efa6efa062fb7c15c.exe (one hit)
- PID 1272 ltyaof.exe (all remaining hits)
Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 1352 f54e0dd1613d77636ade9475ec2f00e44b5b4d66e031544efa6efa062fb7c15c.exe
- PID 1272 ltyaof.exe
Suspicious use of WriteProcessMemory (4 IoCs)
- PID 1352 f54e0dd1613d77636ade9475ec2f00e44b5b4d66e031544efa6efa062fb7c15c.exe wrote to the memory of PID 1272 ltyaof.exe, four times (the child it spawned, per the process tree below)
Processes
1. "C:\Users\Admin\AppData\Local\Temp\f54e0dd1613d77636ade9475ec2f00e44b5b4d66e031544efa6efa062fb7c15c.exe" (PID 1352)
   - Modifies visibility of hidden/system files in Explorer
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. "C:\Users\Admin\ltyaof.exe" (PID 1272), child of 1
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Dropped file: C:\Users\Admin\ltyaof.exe (the sandbox lists it under both C:\Users\Admin\ltyaof.exe and \Users\Admin\ltyaof.exe, twice each; all four entries carry the same hashes)
- Filesize: 332KB
- MD5: 7bd65de73fa13320a03299ffb60617c4
- SHA1: a7232b8a882edf01f5a7b1bc0111ea72e14b4277
- SHA256: bb315f39030873adf91e75e091e04a470ec826864ea5c3e70781617bffc2b8ac
- SHA512: e024bc8114986bc9709f73fe90cb46af69ccfdd5cf7adfc80fc58d9014d1ab760651f8fe4a5700116d09b1aaf3157ce2bd9959a7e8bbaab35c73bc331ff99a60
The dropped copy is the same size as the submitted sample (332KB) but has different hashes, so it is not a byte-for-byte copy of the dropper; hunt on both SHA256 values, not just the submitted one.
Memory dumps
- memory/1272-59-0x0000000000000000-mapping.dmp
- memory/1352-56-0x0000000075601000-0x0000000075603000-memory.dmp (8KB)