Analysis

  • max time kernel
    23s
  • max time network
    35s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/04/2023, 13:30

General

  • Target

    LTTS7 Engine Full Distribution.exe

  • Size

    14.8MB

  • MD5

    19c968b35da20bf0acc3a00bc11e0132

  • SHA1

    6336bf10960f8c8db4206d570ed65e7b15cc1742

  • SHA256

    2bcaaae78e79d37e344760e51b3fabde018101ffabb2505daf47c5d5a35191ba

  • SHA512

    37d6c31ac9f94d97101868ce47e2697e1d8b1fe2bd3f67862fb8ef8efd10f86a9abc631bd8895061c28b060d4a7b691797f7c12cc846d79a52bb6c14a3aa23d6

  • SSDEEP

    393216:SA0TTnrZru9s8Gnj1aoE4s8Gnj1aoEfP05wUjVG7h:Svnr9us8EMoE4s8EMoEfP0SJ7

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LTTS7 Engine Full Distribution.exe
    "C:\Users\Admin\AppData\Local\Temp\LTTS7 Engine Full Distribution.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1348
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /L*v c:\LTTS_7-EngineFull.log /I "C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS16096EE733434835B9AFC63492BD89B3_7_5_0.MSI" WISE_SETUP_EXE_PATH="C:\Users\Admin\AppData\Local\Temp\LTTS7 Engine Full Distribution.exe"
      2⤵
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1788
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1296
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 5F290585B254A15EDB47A71443C25749 C
      2⤵
      PID:328

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS16096EE733434835B9AFC63492BD89B3_7_5_0.MSI

    Filesize

    14.8MB

    MD5

    96ee8ef36e2f2dd0b6ceae4f70aaeebd

    SHA1

    e9783eb7bb3a04764efc7d43c9f9f2e6c04450a2

    SHA256

    7bcf1e131c8cd3a92721b66733ca8bca66ab451eb5f5a31c907fdfca969c5872

    SHA512

    df5204a0bfc34cda6dc93bb9c06238aa7118d6fd0b844c6a55e6dcb38137444aabd3ce4915fcef968d7c29e50b77641829613226b48dfa1ebf19079495a3970f