d4e320418054b7a407c9fcc0d443cdd6e43474ede23779515f6051758906b906

Analysis

max time kernel
151s
max time network
84s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 00:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d4e320418054b7a407c9fcc0d443cdd6e43474ede23779515f6051758906b906.exe
Size

88KB
MD5

3f094ec0d0568411921f84b686ec7612
SHA1

d013b5ea81debbc9cf57d9c4a4115ad55ec7c949
SHA256

d4e320418054b7a407c9fcc0d443cdd6e43474ede23779515f6051758906b906
SHA512

2dbea62287f901b4602470484d2cc74b365b44af32458c97c256b3ec91d045685358072aab702f4b13626d0b87c745cdd7478b3696b5f7f991b66da3046936f3
SSDEEP

768:Hp6jxOJETcBZmIHpFeh6RM1rA8dOsk7jbqqRkA5okK1DfsvtDzsXjLft+9o1Jz:Hpcx/ABLFUnzJA5o9BfItDoXjLl0+z

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	d4e320418054b7a407c9fcc0d443cdd6e43474ede23779515f6051758906b906.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lfmak.exe

Executes dropped EXE 1 IoCs

pid	Process
1044	lfmak.exe

Loads dropped DLL 2 IoCs

pid	Process
848	d4e320418054b7a407c9fcc0d443cdd6e43474ede23779515f6051758906b906.exe
848	d4e320418054b7a407c9fcc0d443cdd6e43474ede23779515f6051758906b906.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\lfmak = "C:\\Users\\Admin\\lfmak.exe /c"	lfmak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\lfmak = "C:\\Users\\Admin\\lfmak.exe /s"	lfmak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\lfmak = "C:\\Users\\Admin\\lfmak.exe /p"	lfmak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\lfmak = "C:\\Users\\Admin\\lfmak.exe /f"	lfmak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\lfmak = "C:\\Users\\Admin\\lfmak.exe /h"	lfmak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\lfmak = "C:\\Users\\Admin\\lfmak.exe /k"	lfmak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\lfmak = "C:\\Users\\Admin\\lfmak.exe /l"	lfmak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\lfmak = "C:\\Users\\Admin\\lfmak.exe /b"	lfmak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\lfmak = "C:\\Users\\Admin\\lfmak.exe /j"	lfmak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\lfmak = "C:\\Users\\Admin\\lfmak.exe /a"	lfmak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\lfmak = "C:\\Users\\Admin\\lfmak.exe /z"	lfmak.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	d4e320418054b7a407c9fcc0d443cdd6e43474ede23779515f6051758906b906.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\lfmak = "C:\\Users\\Admin\\lfmak.exe /g"	lfmak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\lfmak = "C:\\Users\\Admin\\lfmak.exe /v"	lfmak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\lfmak = "C:\\Users\\Admin\\lfmak.exe /t"	lfmak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\lfmak = "C:\\Users\\Admin\\lfmak.exe /q"	lfmak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\lfmak = "C:\\Users\\Admin\\lfmak.exe /g"	d4e320418054b7a407c9fcc0d443cdd6e43474ede23779515f6051758906b906.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\lfmak = "C:\\Users\\Admin\\lfmak.exe /w"	lfmak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\lfmak = "C:\\Users\\Admin\\lfmak.exe /i"	lfmak.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	lfmak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\lfmak = "C:\\Users\\Admin\\lfmak.exe /m"	lfmak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\lfmak = "C:\\Users\\Admin\\lfmak.exe /u"	lfmak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\lfmak = "C:\\Users\\Admin\\lfmak.exe /n"	lfmak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\lfmak = "C:\\Users\\Admin\\lfmak.exe /e"	lfmak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\lfmak = "C:\\Users\\Admin\\lfmak.exe /x"	lfmak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\lfmak = "C:\\Users\\Admin\\lfmak.exe /y"	lfmak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\lfmak = "C:\\Users\\Admin\\lfmak.exe /d"	lfmak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\lfmak = "C:\\Users\\Admin\\lfmak.exe /r"	lfmak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\lfmak = "C:\\Users\\Admin\\lfmak.exe /o"	lfmak.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
848	d4e320418054b7a407c9fcc0d443cdd6e43474ede23779515f6051758906b906.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe
1044	lfmak.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
848	d4e320418054b7a407c9fcc0d443cdd6e43474ede23779515f6051758906b906.exe
1044	lfmak.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 1044	848	d4e320418054b7a407c9fcc0d443cdd6e43474ede23779515f6051758906b906.exe	27
PID 848 wrote to memory of 1044	848	d4e320418054b7a407c9fcc0d443cdd6e43474ede23779515f6051758906b906.exe	27
PID 848 wrote to memory of 1044	848	d4e320418054b7a407c9fcc0d443cdd6e43474ede23779515f6051758906b906.exe	27
PID 848 wrote to memory of 1044	848	d4e320418054b7a407c9fcc0d443cdd6e43474ede23779515f6051758906b906.exe	27

C:\Users\Admin\AppData\Local\Temp\d4e320418054b7a407c9fcc0d443cdd6e43474ede23779515f6051758906b906.exe
"C:\Users\Admin\AppData\Local\Temp\d4e320418054b7a407c9fcc0d443cdd6e43474ede23779515f6051758906b906.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:848
- C:\Users\Admin\lfmak.exe
  "C:\Users\Admin\lfmak.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\lfmak.exe

Filesize
88KB

MD5
ee5879eb6eb31ce9b81e70b28c4f2484

SHA1
dba8640f2e728c1052147dbfc3025f550c21d7f1

SHA256
200f965186c06d0265ae7c695d401d2235e267707c0860a008e17e31d76a61e7

SHA512
a87d0793b3a6e1ef3a14397c1f7a4b83477c260572da75d08bc0520512d54ede498f2c936a0aa7bbdf56ded9e949b416a44430785b48d85db01422f9f93aeb8a

Download Submit
C:\Users\Admin\lfmak.exe

Filesize
88KB

MD5
ee5879eb6eb31ce9b81e70b28c4f2484

SHA1
dba8640f2e728c1052147dbfc3025f550c21d7f1

SHA256
200f965186c06d0265ae7c695d401d2235e267707c0860a008e17e31d76a61e7

SHA512
a87d0793b3a6e1ef3a14397c1f7a4b83477c260572da75d08bc0520512d54ede498f2c936a0aa7bbdf56ded9e949b416a44430785b48d85db01422f9f93aeb8a

Download Submit
\Users\Admin\lfmak.exe

Filesize
88KB

MD5
ee5879eb6eb31ce9b81e70b28c4f2484

SHA1
dba8640f2e728c1052147dbfc3025f550c21d7f1

SHA256
200f965186c06d0265ae7c695d401d2235e267707c0860a008e17e31d76a61e7

SHA512
a87d0793b3a6e1ef3a14397c1f7a4b83477c260572da75d08bc0520512d54ede498f2c936a0aa7bbdf56ded9e949b416a44430785b48d85db01422f9f93aeb8a

Download Submit
\Users\Admin\lfmak.exe

Filesize
88KB

MD5
ee5879eb6eb31ce9b81e70b28c4f2484

SHA1
dba8640f2e728c1052147dbfc3025f550c21d7f1

SHA256
200f965186c06d0265ae7c695d401d2235e267707c0860a008e17e31d76a61e7

SHA512
a87d0793b3a6e1ef3a14397c1f7a4b83477c260572da75d08bc0520512d54ede498f2c936a0aa7bbdf56ded9e949b416a44430785b48d85db01422f9f93aeb8a

Download Submit
memory/848-56-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Filesize
8KB

Download