d269bb5aa0ec98c2a9a52084099233410a3edd42b542980badd5e1ca2912f5ff

Analysis

max time kernel
157s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 14:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d269bb5aa0ec98c2a9a52084099233410a3edd42b542980badd5e1ca2912f5ff.exe
Size

180KB
MD5

51c1566a66e969db8679aa121a0a0106
SHA1

3432b3d48b04cc837c389ba32a69963b80df8d41
SHA256

d269bb5aa0ec98c2a9a52084099233410a3edd42b542980badd5e1ca2912f5ff
SHA512

ead2b01f68c8b34c9bff5da415345e7b92e59089827d7b59f604db48ef064263136da63550a517b94beae436147ad532bef8f3e1c25e9818bb2277f030e6a7ca
SSDEEP

3072:980AqSC+y50cm1tnRd5GK/fObT/bGinhssp9nPVmvEfL2co3ZwURmkPiR/+5JS3a:KhqSC+Lcm1Dd0K/fObT/bGihssp1Vmvt

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	d269bb5aa0ec98c2a9a52084099233410a3edd42b542980badd5e1ca2912f5ff.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	leulil.exe

Executes dropped EXE 1 IoCs

pid	Process
4488	leulil.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	d269bb5aa0ec98c2a9a52084099233410a3edd42b542980badd5e1ca2912f5ff.exe

Adds Run key to start application 2 TTPs 53 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /C"	leulil.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	d269bb5aa0ec98c2a9a52084099233410a3edd42b542980badd5e1ca2912f5ff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /V"	leulil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /i"	leulil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /t"	leulil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /w"	leulil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /w"	d269bb5aa0ec98c2a9a52084099233410a3edd42b542980badd5e1ca2912f5ff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /o"	leulil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /N"	leulil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /c"	leulil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /e"	leulil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /r"	leulil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /J"	leulil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /O"	leulil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /E"	leulil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /z"	leulil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /d"	leulil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /W"	leulil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /B"	leulil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /q"	leulil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /h"	leulil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /s"	leulil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /D"	leulil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /U"	leulil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /T"	leulil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /x"	leulil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /S"	leulil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /p"	leulil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /F"	leulil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /H"	leulil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /Y"	leulil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /v"	leulil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /Z"	leulil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /n"	leulil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /A"	leulil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /M"	leulil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /u"	leulil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /y"	leulil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /R"	leulil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /j"	leulil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /k"	leulil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /L"	leulil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /G"	leulil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /X"	leulil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /g"	leulil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /I"	leulil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /P"	leulil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /f"	leulil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /l"	leulil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /Q"	leulil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /m"	leulil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leulil = "C:\\Users\\Admin\\leulil.exe /K"	leulil.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	leulil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1032	d269bb5aa0ec98c2a9a52084099233410a3edd42b542980badd5e1ca2912f5ff.exe
1032	d269bb5aa0ec98c2a9a52084099233410a3edd42b542980badd5e1ca2912f5ff.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe
4488	leulil.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1032	d269bb5aa0ec98c2a9a52084099233410a3edd42b542980badd5e1ca2912f5ff.exe
4488	leulil.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 4488	1032	d269bb5aa0ec98c2a9a52084099233410a3edd42b542980badd5e1ca2912f5ff.exe	79
PID 1032 wrote to memory of 4488	1032	d269bb5aa0ec98c2a9a52084099233410a3edd42b542980badd5e1ca2912f5ff.exe	79
PID 1032 wrote to memory of 4488	1032	d269bb5aa0ec98c2a9a52084099233410a3edd42b542980badd5e1ca2912f5ff.exe	79

C:\Users\Admin\AppData\Local\Temp\d269bb5aa0ec98c2a9a52084099233410a3edd42b542980badd5e1ca2912f5ff.exe
"C:\Users\Admin\AppData\Local\Temp\d269bb5aa0ec98c2a9a52084099233410a3edd42b542980badd5e1ca2912f5ff.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Users\Admin\leulil.exe
  "C:\Users\Admin\leulil.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\leulil.exe

Filesize
180KB

MD5
0f8a329b3424d3c804894a428daf4150

SHA1
d349bdc39be5121944b09b4f24109e97fc1a5da0

SHA256
1b77a541269a332701baee11019e5f14e2c570ed23447be7100c6cf26bc1e8af

SHA512
43676c7735e52798880e4039e56373f9a4e4d3a15ee3f41432422769adffb5596f0f17f7462ebf7856e399c66c2653a78512678d4a19023a444f65c258bf5f85

Download Submit
C:\Users\Admin\leulil.exe

Filesize
180KB

MD5
0f8a329b3424d3c804894a428daf4150

SHA1
d349bdc39be5121944b09b4f24109e97fc1a5da0

SHA256
1b77a541269a332701baee11019e5f14e2c570ed23447be7100c6cf26bc1e8af

SHA512
43676c7735e52798880e4039e56373f9a4e4d3a15ee3f41432422769adffb5596f0f17f7462ebf7856e399c66c2653a78512678d4a19023a444f65c258bf5f85

Download Submit