Analysis
max time kernel: 243s
max time network: 226s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 03/12/2022, 19:59
Static task: static1
Behavioral task: behavioral1
  Sample: a90037b93ee6b719096ceb8193c3ae2deb016ffdfe15417152da580083c4b9d4.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: a90037b93ee6b719096ceb8193c3ae2deb016ffdfe15417152da580083c4b9d4.exe
  Resource: win10v2004-20220812-en
General
Target: a90037b93ee6b719096ceb8193c3ae2deb016ffdfe15417152da580083c4b9d4.exe
Size: 216KB
MD5: c1ae6a71dd5adac2a52ffae2ecd89123
SHA1: 226606621a3a160450f5d6a09ebcc628453f91bb
SHA256: a90037b93ee6b719096ceb8193c3ae2deb016ffdfe15417152da580083c4b9d4
SHA512: 4fecce67e9e1411b6464412525d35ec5efd9fc8c1625a6bbb657f9861bcc319d501aab90b5d501f5d570791b611cd02a8b2811e2bb28d2af17b8b8d70a9b932c
SSDEEP: 3072:h4OzH5gn9OdmLGeCfcpwA5f3CEoEtUMbfwDQ:aOzUOK7cKiED54Q
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  description  ioc  Process
  Set value (int)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  lauduy.exe
Executes dropped EXE (1 IoC)
  pid  Process
  1160  lauduy.exe
Loads dropped DLL (2 IoCs)
  pid  Process
  652  a90037b93ee6b719096ceb8193c3ae2deb016ffdfe15417152da580083c4b9d4.exe (listed twice)
Adds Run key to start application (2 TTPs, 45 IoCs)
  description  ioc  Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lauduy = "C:\\Users\\Admin\\lauduy.exe /m"  lauduy.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lauduy = "C:\\Users\\Admin\\lauduy.exe /h"  lauduy.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lauduy = "C:\\Users\\Admin\\lauduy.exe /H"  lauduy.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lauduy = "C:\\Users\\Admin\\lauduy.exe /D"  lauduy.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lauduy = "C:\\Users\\Admin\\lauduy.exe /Y"  lauduy.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lauduy = "C:\\Users\\Admin\\lauduy.exe /A"  lauduy.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lauduy = "C:\\Users\\Admin\\lauduy.exe /s"  lauduy.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lauduy = "C:\\Users\\Admin\\lauduy.exe /W"  lauduy.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lauduy = "C:\\Users\\Admin\\lauduy.exe /G"  lauduy.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lauduy = "C:\\Users\\Admin\\lauduy.exe /x"  lauduy.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lauduy = "C:\\Users\\Admin\\lauduy.exe /r"  lauduy.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lauduy = "C:\\Users\\Admin\\lauduy.exe /T"  lauduy.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lauduy = "C:\\Users\\Admin\\lauduy.exe /g"  lauduy.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lauduy = "C:\\Users\\Admin\\lauduy.exe /S"  lauduy.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lauduy = "C:\\Users\\Admin\\lauduy.exe /z"  lauduy.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lauduy = "C:\\Users\\Admin\\lauduy.exe /V"  lauduy.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lauduy = "C:\\Users\\Admin\\lauduy.exe /n"  lauduy.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lauduy = "C:\\Users\\Admin\\lauduy.exe /F"  lauduy.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lauduy = "C:\\Users\\Admin\\lauduy.exe /w"  lauduy.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lauduy = "C:\\Users\\Admin\\lauduy.exe /E"  lauduy.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lauduy = "C:\\Users\\Admin\\lauduy.exe /B"  lauduy.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lauduy = "C:\\Users\\Admin\\lauduy.exe /b"  lauduy.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lauduy = "C:\\Users\\Admin\\lauduy.exe /q"  lauduy.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lauduy = "C:\\Users\\Admin\\lauduy.exe /K"  lauduy.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lauduy = "C:\\Users\\Admin\\lauduy.exe /p"  lauduy.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lauduy = "C:\\Users\\Admin\\lauduy.exe /d"  lauduy.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lauduy = "C:\\Users\\Admin\\lauduy.exe /l"  lauduy.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lauduy = "C:\\Users\\Admin\\lauduy.exe /e"  lauduy.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lauduy = "C:\\Users\\Admin\\lauduy.exe /a"  lauduy.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lauduy = "C:\\Users\\Admin\\lauduy.exe /U"  lauduy.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lauduy = "C:\\Users\\Admin\\lauduy.exe /X"  lauduy.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lauduy = "C:\\Users\\Admin\\lauduy.exe /i"  lauduy.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lauduy = "C:\\Users\\Admin\\lauduy.exe /v"  lauduy.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lauduy = "C:\\Users\\Admin\\lauduy.exe /P"  lauduy.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lauduy = "C:\\Users\\Admin\\lauduy.exe /Z"  lauduy.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lauduy = "C:\\Users\\Admin\\lauduy.exe /t"  lauduy.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lauduy = "C:\\Users\\Admin\\lauduy.exe /C"  lauduy.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lauduy = "C:\\Users\\Admin\\lauduy.exe /I"  lauduy.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lauduy = "C:\\Users\\Admin\\lauduy.exe /u"  lauduy.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lauduy = "C:\\Users\\Admin\\lauduy.exe /f"  lauduy.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lauduy = "C:\\Users\\Admin\\lauduy.exe /M"  lauduy.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lauduy = "C:\\Users\\Admin\\lauduy.exe /N"  lauduy.exe
  Key created  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\  lauduy.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lauduy = "C:\\Users\\Admin\\lauduy.exe /Q"  lauduy.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lauduy = "C:\\Users\\Admin\\lauduy.exe /k"  lauduy.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid  Process
  1160  lauduy.exe (the same entry repeated 64 times)
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid  Process
  652  a90037b93ee6b719096ceb8193c3ae2deb016ffdfe15417152da580083c4b9d4.exe
  1160  lauduy.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  description  pid  Process  procid_target
  PID 652 wrote to memory of 1160  652  a90037b93ee6b719096ceb8193c3ae2deb016ffdfe15417152da580083c4b9d4.exe  28 (4 entries)
  PID 1160 wrote to memory of 652  1160  lauduy.exe  27 (all remaining entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\a90037b93ee6b719096ceb8193c3ae2deb016ffdfe15417152da580083c4b9d4.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a90037b93ee6b719096ceb8193c3ae2deb016ffdfe15417152da580083c4b9d4.exe"
   PID: 652
   - Loads dropped DLL
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\lauduy.exe (child of PID 652)
      Command line: "C:\Users\Admin\lauduy.exe"
      PID: 1160
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 216KB
MD5: 40829b5e055de73a9be97b17490c53a0
SHA1: 3f1356582f4539ca135629ec0be576ce504d4332
SHA256: d2b0c476d50e4f4d14649bfa87cad9824d087f4583222fe0eeef631c28bab2df
SHA512: 8792a76770152e7df6e601720e5bf7f609e77133f57e9da9f67b3010693d7080242e1458e389c5c2929ea0eacace57b2d4ed59e1573a281c8a9b0f26f692b955