dfe818f3df5f307b47a379b8e8d3488a33986e499a479e20232595b8df27b726

Analysis

max time kernel
168s
max time network
108s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-12-2022 09:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfe818f3df5f307b47a379b8e8d3488a33986e499a479e20232595b8df27b726.exe
Size

200KB
MD5

41dc8f94b3fb5c83b103528e3e0f565b
SHA1

3bae256333ab966ee33038706234b4598dfd751e
SHA256

dfe818f3df5f307b47a379b8e8d3488a33986e499a479e20232595b8df27b726
SHA512

1d1ee483d48c20ad04d438f6e0b493d5e33450e7c625fad03ee755935aed6b116df9fa004f2218aa841eeb50ca7eec5b750082459c29e1d492c97ff3f0e4db82
SSDEEP

3072:8UHV90tQ9nLHbB9WHCS0AgTlhsp3mWEQS:d4QxL7B9WHK9Jhsp3aZ

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	dfe818f3df5f307b47a379b8e8d3488a33986e499a479e20232595b8df27b726.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	laana.exe

Executes dropped EXE 1 IoCs

pid	Process
1156	laana.exe

Loads dropped DLL 2 IoCs

pid	Process
1628	dfe818f3df5f307b47a379b8e8d3488a33986e499a479e20232595b8df27b726.exe
1628	dfe818f3df5f307b47a379b8e8d3488a33986e499a479e20232595b8df27b726.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\laana = "C:\\Users\\Admin\\laana.exe /t"	laana.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\laana = "C:\\Users\\Admin\\laana.exe /k"	laana.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\laana = "C:\\Users\\Admin\\laana.exe /f"	laana.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\laana = "C:\\Users\\Admin\\laana.exe /l"	laana.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\laana = "C:\\Users\\Admin\\laana.exe /b"	laana.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\laana = "C:\\Users\\Admin\\laana.exe /u"	laana.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\laana = "C:\\Users\\Admin\\laana.exe /g"	laana.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\laana = "C:\\Users\\Admin\\laana.exe /z"	laana.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\laana = "C:\\Users\\Admin\\laana.exe /v"	laana.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\laana = "C:\\Users\\Admin\\laana.exe /s"	laana.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\laana = "C:\\Users\\Admin\\laana.exe /i"	laana.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\laana = "C:\\Users\\Admin\\laana.exe /e"	laana.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\laana = "C:\\Users\\Admin\\laana.exe /w"	laana.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\laana = "C:\\Users\\Admin\\laana.exe /c"	laana.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\laana = "C:\\Users\\Admin\\laana.exe /m"	laana.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\	dfe818f3df5f307b47a379b8e8d3488a33986e499a479e20232595b8df27b726.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\laana = "C:\\Users\\Admin\\laana.exe /t"	dfe818f3df5f307b47a379b8e8d3488a33986e499a479e20232595b8df27b726.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\	laana.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\laana = "C:\\Users\\Admin\\laana.exe /n"	laana.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\laana = "C:\\Users\\Admin\\laana.exe /o"	laana.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\laana = "C:\\Users\\Admin\\laana.exe /a"	laana.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\laana = "C:\\Users\\Admin\\laana.exe /r"	laana.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\laana = "C:\\Users\\Admin\\laana.exe /p"	laana.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\laana = "C:\\Users\\Admin\\laana.exe /q"	laana.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\laana = "C:\\Users\\Admin\\laana.exe /y"	laana.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\laana = "C:\\Users\\Admin\\laana.exe /j"	laana.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\laana = "C:\\Users\\Admin\\laana.exe /x"	laana.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\laana = "C:\\Users\\Admin\\laana.exe /d"	laana.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\laana = "C:\\Users\\Admin\\laana.exe /h"	laana.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1628	dfe818f3df5f307b47a379b8e8d3488a33986e499a479e20232595b8df27b726.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe
1156	laana.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1628	dfe818f3df5f307b47a379b8e8d3488a33986e499a479e20232595b8df27b726.exe
1156	laana.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 1156	1628	dfe818f3df5f307b47a379b8e8d3488a33986e499a479e20232595b8df27b726.exe	28
PID 1628 wrote to memory of 1156	1628	dfe818f3df5f307b47a379b8e8d3488a33986e499a479e20232595b8df27b726.exe	28
PID 1628 wrote to memory of 1156	1628	dfe818f3df5f307b47a379b8e8d3488a33986e499a479e20232595b8df27b726.exe	28
PID 1628 wrote to memory of 1156	1628	dfe818f3df5f307b47a379b8e8d3488a33986e499a479e20232595b8df27b726.exe	28

C:\Users\Admin\AppData\Local\Temp\dfe818f3df5f307b47a379b8e8d3488a33986e499a479e20232595b8df27b726.exe
"C:\Users\Admin\AppData\Local\Temp\dfe818f3df5f307b47a379b8e8d3488a33986e499a479e20232595b8df27b726.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Users\Admin\laana.exe
  "C:\Users\Admin\laana.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1156

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\laana.exe

Filesize
200KB

MD5
d870e8f7e18c7fb845cd70784a3e7841

SHA1
099245c82eb7cb32cfcba6a17c4e55b6b337a08b

SHA256
1eeb591db0207db6cf400b1964846927f86997052290f3ecca6b6934fbca68c6

SHA512
dbd4ceb907edfe77cf4e0cb90a89e67b91932a46bda54b19c4f7950b9b633097872c03d198e9623e6a67cb72ab0e967ff36b1ab26d349a31a4bd9e461783c5ed

Download Submit
C:\Users\Admin\laana.exe

Filesize
200KB

MD5
d870e8f7e18c7fb845cd70784a3e7841

SHA1
099245c82eb7cb32cfcba6a17c4e55b6b337a08b

SHA256
1eeb591db0207db6cf400b1964846927f86997052290f3ecca6b6934fbca68c6

SHA512
dbd4ceb907edfe77cf4e0cb90a89e67b91932a46bda54b19c4f7950b9b633097872c03d198e9623e6a67cb72ab0e967ff36b1ab26d349a31a4bd9e461783c5ed

Download Submit
\Users\Admin\laana.exe

Filesize
200KB

MD5
d870e8f7e18c7fb845cd70784a3e7841

SHA1
099245c82eb7cb32cfcba6a17c4e55b6b337a08b

SHA256
1eeb591db0207db6cf400b1964846927f86997052290f3ecca6b6934fbca68c6

SHA512
dbd4ceb907edfe77cf4e0cb90a89e67b91932a46bda54b19c4f7950b9b633097872c03d198e9623e6a67cb72ab0e967ff36b1ab26d349a31a4bd9e461783c5ed

Download Submit
\Users\Admin\laana.exe

Filesize
200KB

MD5
d870e8f7e18c7fb845cd70784a3e7841

SHA1
099245c82eb7cb32cfcba6a17c4e55b6b337a08b

SHA256
1eeb591db0207db6cf400b1964846927f86997052290f3ecca6b6934fbca68c6

SHA512
dbd4ceb907edfe77cf4e0cb90a89e67b91932a46bda54b19c4f7950b9b633097872c03d198e9623e6a67cb72ab0e967ff36b1ab26d349a31a4bd9e461783c5ed

Download Submit
memory/1156-59-0x0000000000000000-mapping.dmp

Download
memory/1628-56-0x0000000075BE1000-0x0000000075BE3000-memory.dmp

Filesize
8KB

Download