9a41f8fdcbe631d597a9902ee78f384d7518e6508274a494188a78c531657e56

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
16/10/2023, 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13b00a599adf4a61890cbd91445d2ec8.exe
Size

13.4MB
MD5

13b00a599adf4a61890cbd91445d2ec8
SHA1

d06563a69e4451da10481d71ddb0610519ad017f
SHA256

9a41f8fdcbe631d597a9902ee78f384d7518e6508274a494188a78c531657e56
SHA512

0ece9a759d561d3786c45e0dd0d255f650b421bf95a62bb96edceecbe12d68fa1d84a5468c099cd8dceb4cdf62a6781864fff6150aca30d630d256f5481eac23
SSDEEP

393216:FZRT1dK3sROLQ1iP0pmj4taHcOZGTwjSIG/EBpKZkWd:FZRT1dK3sROLQ1iP0pmj4taHcOZGwOIa

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\LTService\ImagePath = "\"C:\\Windows\\LTSvc\\LTSVC.exe\" -sLTService"	installutil.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\LTSvcMon\ImagePath = "\"C:\\Windows\\LTsvc\\LTSvcMon.exe\""	installutil.exe

Executes dropped EXE 2 IoCs

pid	Process
1356	LTSVC.exe
308	LTSvcMon.exe

Loads dropped DLL 3 IoCs

pid	Process
1356	LTSVC.exe
1616	regsvr32.exe
1356	LTSVC.exe

Registers COM server for autorun 1 TTPs 33 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D101D9C-18CC-4E78-8D78-389E48478FCA}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{459C65ED-AA9C-4CF1-9A24-7685505F919A}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBC521C8-2792-43FE-9C91-CCA7E8ACBCC9}\InprocServer32\ = "C:\\Windows\\LTsvc\\wodVPN.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C198C98-0E27-40E4-972C-FDC656EC30D7}\InprocServer32\ = "C:\\Windows\\LTsvc\\wodVPN.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B0B8CDD6-8AAA-4426-82E9-9455140124A1}\InprocServer32\ = "C:\\Windows\\LTsvc\\wodVPN.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1B00A43-7A54-4A0F-B35D-B4334811FAA4}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1B00A43-7A54-4A0F-B35D-B4334811FAA4}\InprocServer32\ = "C:\\Windows\\LTsvc\\wodVPN.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7BE3886B-0C12-4D87-AC0B-09A5CE4E6BD6}\InprocServer32\ = "C:\\Windows\\LTsvc\\wodVPN.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{459C65ED-AA9C-4CF1-9A24-7685505F919A}\InprocServer32\ = "C:\\Windows\\LTsvc\\wodVPN.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBC521C8-2792-43FE-9C91-CCA7E8ACBCC9}\InprocServer32\ThreadingModel = "both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7E092B5C-795B-46BC-886A-DFFBBBC9A117}\InprocServer32\ = "C:\\Windows\\LTsvc\\wodVPN.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B0B8CDD6-8AAA-4426-82E9-9455140124A1}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B0B8CDD6-8AAA-4426-82E9-9455140124A1}\InprocServer32\ThreadingModel = "both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7BE3886B-0C12-4D87-AC0B-09A5CE4E6BD6}\InprocServer32\ThreadingModel = "both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBC521C8-2792-43FE-9C91-CCA7E8ACBCC9}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C59A1D54-8CD7-4795-AEDD-F6F6E2DE1FE7}\InprocServer32\ThreadingModel = "both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D101D9C-18CC-4E78-8D78-389E48478FCA}\InprocServer32\ = "C:\\Windows\\LTsvc\\wodVPN.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{15DD3BF6-5A11-4407-8399-A19AC10C65D0}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{15DD3BF6-5A11-4407-8399-A19AC10C65D0}\InprocServer32\ThreadingModel = "both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C198C98-0E27-40E4-972C-FDC656EC30D7}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C198C98-0E27-40E4-972C-FDC656EC30D7}\InprocServer32\ThreadingModel = "both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{09DF1DCA-C076-498A-8370-AD6F878B6C6A}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7E092B5C-795B-46BC-886A-DFFBBBC9A117}\InprocServer32\ThreadingModel = "both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C59A1D54-8CD7-4795-AEDD-F6F6E2DE1FE7}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1B00A43-7A54-4A0F-B35D-B4334811FAA4}\InprocServer32\ThreadingModel = "both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{09DF1DCA-C076-498A-8370-AD6F878B6C6A}\InprocServer32\ = "C:\\Windows\\LTsvc\\wodVPN.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{459C65ED-AA9C-4CF1-9A24-7685505F919A}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7BE3886B-0C12-4D87-AC0B-09A5CE4E6BD6}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D101D9C-18CC-4E78-8D78-389E48478FCA}\InprocServer32\ThreadingModel = "both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7E092B5C-795B-46BC-886A-DFFBBBC9A117}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{09DF1DCA-C076-498A-8370-AD6F878B6C6A}\InprocServer32\ThreadingModel = "both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{15DD3BF6-5A11-4407-8399-A19AC10C65D0}\InprocServer32\ = "C:\\Windows\\LTsvc\\wodVPN.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C59A1D54-8CD7-4795-AEDD-F6F6E2DE1FE7}\InprocServer32\ = "C:\\Windows\\LTsvc\\wodVPN.dll"	regsvr32.exe

Modifies boot configuration data using bcdedit 1 IoCs

pid	Process
2192	BCDedit.exe

Drops file in Windows directory 28 IoCs

description	ioc	Process
File created	C:\Windows\LTsvc\cad.exe	LTSVC.exe
File created	C:\Windows\LTSvc\LabTech.ico	13b00a599adf4a61890cbd91445d2ec8.exe
File created	C:\Windows\LTsvc\Interfaces.dll	LTSVC.exe
File created	C:\Windows\LTsvc\cpuidsdk64.dll	LTSVC.exe
File created	C:\Windows\LTSvc\LTSVC.InstallState	installutil.exe
File created	C:\Windows\LTSvc\LTSVC.exe	13b00a599adf4a61890cbd91445d2ec8.exe
File created	C:\Windows\LTsvc\wodVPN64.dll	LTSVC.exe
File opened for modification	C:\Windows\LTsvc\LTSvcMon.InstallLog	installutil.exe
File created	C:\Windows\LTsvc\screenhooks.dll	LTSVC.exe
File created	C:\Windows\LTsvc\labvnc.ini	LTSVC.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.InstallLog	installutil.exe
File created	C:\Windows\LTsvc\NoSensors	LTSVC.exe
File opened for modification	C:\Windows\LTsvc\ultravnc.ini	LTSVC.exe
File opened for modification	C:\Windows\LTSvc\LTSVCMon.txt	LTSvcMon.exe
File opened for modification	C:\Windows\LTSvc\LTSVC.InstallLog	installutil.exe
File opened for modification	C:\Windows\LTsvc\LTErrors.txt	LTSVC.exe
File created	C:\Windows\LTsvc\PS.exe	LTSVC.exe
File created	C:\Windows\LTsvc\vnchooks.dll	LTSVC.exe
File created	C:\Windows\LTsvc\SCHook.dll	LTSVC.exe
File created	C:\Windows\LTsvc\ultravnc.ini	LTSVC.exe
File created	C:\Windows\LTsvc\LSR.exe	LTSVC.exe
File created	C:\Windows\LTsvc\LTSvcMon.exe	LTSVC.exe
File created	C:\Windows\LTSvc\LTTray.exe	13b00a599adf4a61890cbd91445d2ec8.exe
File created	C:\Windows\LTsvc\sas.dll	LTSVC.exe
File created	C:\Windows\LTsvc\labvnc.exe	LTSVC.exe
File created	C:\Windows\LTsvc\LTSvcMon.InstallState	installutil.exe
File created	C:\Windows\LTSvc\Interfaces.dll	13b00a599adf4a61890cbd91445d2ec8.exe
File created	C:\Windows\LTsvc\tvnserver.exe	LTSVC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 19 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Wow6432Node\Sysinternals\PsExec	LTSVC.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	LTSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals	LTSVC.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\PsExec\EulaAccepted = "1"	LTSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\C	LTSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Wow6432Node	LTSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	LTSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsKill	LTSVC.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\C\EulaAccepted = "1"	LTSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Wow6432Node\Sysinternals\C	LTSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Wow6432Node\Sysinternals	LTSVC.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Wow6432Node\Sysinternals\C\EulaAccepted = "1"	LTSVC.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Wow6432Node\Sysinternals\PsExec\EulaAccepted = "1"	LTSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	LTSVC.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	LTSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\PsExec	LTSVC.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\PsKill\EulaAccepted = "1"	LTSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Wow6432Node\Sysinternals\C	LTSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	LTSVC.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WeOnlyDo.VPNUsers.1\CLSID\ = "{C59A1D54-8CD7-4795-AEDD-F6F6E2DE1FE7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4060697F-931D-4D71-8864-D47557560740}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9BA4C7B5-4941-4473-A1F5-187AD734C009}\TypeLib\ = "{26818C76-2CAC-4C7E-9704-E3A037D4F3DB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1BD84436-87A4-488E-968E-E07CAB0157F8}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{57144698-03FD-41B6-8479-73A8EB19DDA7}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C198C98-0E27-40E4-972C-FDC656EC30D7}\InprocServer32\ThreadingModel = "both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WeOnlyDo.VPNMediator.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7BE3886B-0C12-4D87-AC0B-09A5CE4E6BD6}\VersionIndependentProgID\ = "WeOnlyDo.VPNInterfaces"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WeOnlyDo.VPNInterface.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34FCE977-800B-47D3-AA58-E2B1ED957710}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B8218469-6598-4D1A-83A4-7759F3740236}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1646101F-5EDD-456C-A734-E6E7456C7C1F}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B0B8CDD6-8AAA-4426-82E9-9455140124A1}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B0B8CDD6-8AAA-4426-82E9-9455140124A1}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7BE3886B-0C12-4D87-AC0B-09A5CE4E6BD6}\InprocServer32\ = "C:\\Windows\\LTsvc\\wodVPN.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2CF1E24C-A9B6-45AF-8AED-13888061FB87}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B8218469-6598-4D1A-83A4-7759F3740236}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WeOnlyDo.VPNUsers	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WeOnlyDo.VPNInterface.1\CLSID\ = "{09DF1DCA-C076-498A-8370-AD6F878B6C6A}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1BD84436-87A4-488E-968E-E07CAB0157F8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0D415168-980F-4B2C-BFF2-DB68EC60149D}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3A926488-E5E7-453D-8492-18A4B64804A5}\TypeLib\ = "{26818C76-2CAC-4C7E-9704-E3A037D4F3DB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0D415168-980F-4B2C-BFF2-DB68EC60149D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{459C65ED-AA9C-4CF1-9A24-7685505F919A}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1B00A43-7A54-4A0F-B35D-B4334811FAA4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{26818C76-2CAC-4C7E-9704-E3A037D4F3DB}\1.0\0\win64\ = "C:\\Windows\\LTsvc\\wodVPN.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9BA4C7B5-4941-4473-A1F5-187AD734C009}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3A926488-E5E7-453D-8492-18A4B64804A5}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A926488-E5E7-453D-8492-18A4B64804A5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBC521C8-2792-43FE-9C91-CCA7E8ACBCC9}\ = "VPNChannels Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{09DF1DCA-C076-498A-8370-AD6F878B6C6A}\VersionIndependentProgID\ = "WeOnlyDo.VPNInterface"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34FCE977-800B-47D3-AA58-E2B1ED957710}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B7A786AC-285C-4924-9E9F-2FBF97499299}\TypeLib\ = "{26818C76-2CAC-4C7E-9704-E3A037D4F3DB}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B7A786AC-285C-4924-9E9F-2FBF97499299}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{15DD3BF6-5A11-4407-8399-A19AC10C65D0}\InprocServer32\ = "C:\\Windows\\LTsvc\\wodVPN.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WeOnlyDo.VPNInterface\CLSID\ = "{09DF1DCA-C076-498A-8370-AD6F878B6C6A}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{57144698-03FD-41B6-8479-73A8EB19DDA7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WeOnlyDo.VPNChannel.1\CLSID\ = "{15DD3BF6-5A11-4407-8399-A19AC10C65D0}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B0B8CDD6-8AAA-4426-82E9-9455140124A1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{26818C76-2CAC-4C7E-9704-E3A037D4F3DB}\1.0\ = "WeOnlyDo! COM VPN Component"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1BD84436-87A4-488E-968E-E07CAB0157F8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57144698-03FD-41B6-8479-73A8EB19DDA7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{15DD3BF6-5A11-4407-8399-A19AC10C65D0}\ = "VPNChannel Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{15DD3BF6-5A11-4407-8399-A19AC10C65D0}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1B00A43-7A54-4A0F-B35D-B4334811FAA4}\InprocServer32\ThreadingModel = "both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B7A786AC-285C-4924-9E9F-2FBF97499299}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57144698-03FD-41B6-8479-73A8EB19DDA7}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{902D4CE3-EA2D-4334-BD07-FCBCD0AFBDB1}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1646101F-5EDD-456C-A734-E6E7456C7C1F}\ = "IwodVPNNotify"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WeOnlyDo.VPNChannels\CLSID\ = "{BBC521C8-2792-43FE-9C91-CCA7E8ACBCC9}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WeOnlyDo.VPNUser\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WeOnlyDo.VPNRelay.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34FCE977-800B-47D3-AA58-E2B1ED957710}\TypeLib\ = "{26818C76-2CAC-4C7E-9704-E3A037D4F3DB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1BD84436-87A4-488E-968E-E07CAB0157F8}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WeOnlyDo.VPNUser.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3607E98A-C816-486C-AEC9-A64C8FDEAB6D}\ = "_IwodVPNComEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1BD84436-87A4-488E-968E-E07CAB0157F8}\TypeLib\ = "{26818C76-2CAC-4C7E-9704-E3A037D4F3DB}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CF1E24C-A9B6-45AF-8AED-13888061FB87}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WeOnlyDo.TCPHandler\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9BA4C7B5-4941-4473-A1F5-187AD734C009}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1BD84436-87A4-488E-968E-E07CAB0157F8}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WeOnlyDo.VPNChannel	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C59A1D54-8CD7-4795-AEDD-F6F6E2DE1FE7}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WeOnlyDo.VPNRelays.1	regsvr32.exe

Runs net.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1356	LTSVC.exe
Token: SeDebugPrivilege	308	LTSvcMon.exe
Token: 33	308	LTSvcMon.exe
Token: SeIncBasePriorityPrivilege	308	LTSvcMon.exe
Token: 33	308	LTSvcMon.exe
Token: SeIncBasePriorityPrivilege	308	LTSvcMon.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2940	2200	13b00a599adf4a61890cbd91445d2ec8.exe	28
PID 2200 wrote to memory of 2940	2200	13b00a599adf4a61890cbd91445d2ec8.exe	28
PID 2200 wrote to memory of 2940	2200	13b00a599adf4a61890cbd91445d2ec8.exe	28
PID 1356 wrote to memory of 1616	1356	LTSVC.exe	31
PID 1356 wrote to memory of 1616	1356	LTSVC.exe	31
PID 1356 wrote to memory of 1616	1356	LTSVC.exe	31
PID 1356 wrote to memory of 1616	1356	LTSVC.exe	31
PID 1356 wrote to memory of 1616	1356	LTSVC.exe	31
PID 1356 wrote to memory of 1848	1356	LTSVC.exe	35
PID 1356 wrote to memory of 1848	1356	LTSVC.exe	35
PID 1356 wrote to memory of 1848	1356	LTSVC.exe	35
PID 1356 wrote to memory of 2100	1356	LTSVC.exe	37
PID 1356 wrote to memory of 2100	1356	LTSVC.exe	37
PID 1356 wrote to memory of 2100	1356	LTSVC.exe	37
PID 1356 wrote to memory of 328	1356	LTSVC.exe	39
PID 1356 wrote to memory of 328	1356	LTSVC.exe	39
PID 1356 wrote to memory of 328	1356	LTSVC.exe	39
PID 328 wrote to memory of 1968	328	CMD.exe	41
PID 328 wrote to memory of 1968	328	CMD.exe	41
PID 328 wrote to memory of 1968	328	CMD.exe	41
PID 1968 wrote to memory of 1368	1968	net.exe	42
PID 1968 wrote to memory of 1368	1968	net.exe	42
PID 1968 wrote to memory of 1368	1968	net.exe	42
PID 1356 wrote to memory of 2192	1356	LTSVC.exe	44
PID 1356 wrote to memory of 2192	1356	LTSVC.exe	44
PID 1356 wrote to memory of 2192	1356	LTSVC.exe	44

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SoftwareSASGeneration = "1"	LTSVC.exe

C:\Users\Admin\AppData\Local\Temp\13b00a599adf4a61890cbd91445d2ec8.exe
"C:\Users\Admin\AppData\Local\Temp\13b00a599adf4a61890cbd91445d2ec8.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\installutil.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\installutil.exe" /name=LTService /account=localsystem C:\Windows\LTSvc\LTSVC.exe
  2⤵
  - Sets service image path in registry
  - Drops file in Windows directory
  PID:2940

C:\Windows\LTSvc\LTSVC.exe
"C:\Windows\LTSvc\LTSVC.exe" -sLTService
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1356
- C:\Windows\System32\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Windows\LTsvc\wodVPN.dll"
  2⤵
  - Loads dropped DLL
  - Registers COM server for autorun
  - Modifies registry class
  PID:1616
- C:\Windows\system32\Net1.exe
  "Net1.exe" Stop PSEXESVC
  2⤵
  PID:1848
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\installutil.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\installutil.exe" /i C:\Windows\LTsvc\LTSvcMon.exe
  2⤵
  - Sets service image path in registry
  - Drops file in Windows directory
  PID:2100
- C:\Windows\system32\CMD.exe
  "CMD.exe" /c NET Start LTSvcMon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:328
- - C:\Windows\system32\net.exe
    NET Start LTSvcMon
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1968
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 Start LTSvcMon
      4⤵
      PID:1368
- C:\Windows\system32\BCDedit.exe
  "C:\Windows\system32\BCDedit.exe" /deletevalue SAFEBOOT
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2192

C:\Windows\LTsvc\LTSvcMon.exe
"C:\Windows\LTsvc\LTSvcMon.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\LTSvc\Interfaces.dll

Filesize
32KB

MD5
319611c6466bca80fb4b74a8518946df

SHA1
30d4651c6d998990d3952dccc168b5da4ee14d5f

SHA256
76abdebcf029a5318d36de860c068b73c6a7482c8b340e0fabb80955723b79f2

SHA512
9e232c43872dddeb6d71ce86d6bb46a4e1339062d50328213defdfe18faefbce9861b97c950b88a976a500d0c5893da2265909bedea6a9956c2e9d4458b720fa

Download Submit
C:\Windows\LTSvc\LTErrors.txt

Filesize
5KB

MD5
0c9c8cf8a0b9bc87d3389727b951c49d

SHA1
0ee8f83f57b7635d481d7e75fd99699dcdda7c5f

SHA256
75d1091cd3aa1367ba751b1500484a5b6f2fd45a722e60182c19627d5d377ff2

SHA512
815a78ca57072740eea424f64602b352dd5dffcc1fc40dbf81de49db34ce454d538888101efdabb65283ff58edac42f2f3d3d66097d9e406b214cd20d3f05ea0

Download Submit
C:\Windows\LTSvc\LTSVC.InstallLog

Filesize
241B

MD5
34a3bbe46a5c768dc6337c68dcfcf9a9

SHA1
2def0716e518833c3302db952260148fb31eed5e

SHA256
dc8a71bc7d2642e8334e4b31a6911931dc6f470729922360fb42eec195f569e4

SHA512
b3d7419611b43de1a48cac3f84c9969e49c031254ba5c7c840492d0c9f0033d201259967bf7e1595a7668f247b32bee4bca58ac4a88421664c60666b7497ad8e

Download Submit
C:\Windows\LTSvc\LTSVC.InstallLog

Filesize
622B

MD5
8188d27e23bbdbee67be2b5126885e75

SHA1
9f22be482135eb0ed55375076026bfa898db2e35

SHA256
20939988afe3ead0d605004ced365dd6c467cc9303f8d76185124202cc06e03a

SHA512
929b53c5172ef9659d794e0adf7d6561fd7ec022dcf86327515d91df292667ee237ce8d8618cb05a22f47e65107b35deebd3ddcebe2fc40d39bc79cd233f688b

Download Submit
C:\Windows\LTSvc\LTSVC.exe

Filesize
12.0MB

MD5
a796283d5a5b9e113355958e39c1d388

SHA1
a3e590a6c2205c1ff5b89f0188c2c67a75db4c44

SHA256
d3dccdfda00ea5629de7371e1ec88d92f92975621f0c4252f96cfc660bef56d9

SHA512
34961ce91b74f069586d6099ede2e5007e78607f1028a33752f3e3c9fceed788286288935e2eca696705b7581631e2066a6051d5eb6092e52b4886b77fb73f1d

Download Submit
C:\Windows\LTSvc\LTSVC.exe

Filesize
12.0MB

MD5
a796283d5a5b9e113355958e39c1d388

SHA1
a3e590a6c2205c1ff5b89f0188c2c67a75db4c44

SHA256
d3dccdfda00ea5629de7371e1ec88d92f92975621f0c4252f96cfc660bef56d9

SHA512
34961ce91b74f069586d6099ede2e5007e78607f1028a33752f3e3c9fceed788286288935e2eca696705b7581631e2066a6051d5eb6092e52b4886b77fb73f1d

Download Submit
C:\Windows\LTSvc\LTSvcMon.InstallLog

Filesize
212B

MD5
6a153dbed36eca64862584bda3ce73ca

SHA1
fe4e10523f256a19f1fdb8869664f98e13c5b3fa

SHA256
59db7ad1e9c20c2bee7467cadbad90d23b58882c3a61eb9922d7308cdf78373c

SHA512
656df0637737e43a184cc8db2ea547ed3ea1467326abcde861a4de6813b9a468538675b98738d8ac446f507d6ffe20ea9848850a9a64b018309dbe08241fd3f1

Download Submit
C:\Windows\LTSvc\LTSvcMon.InstallLog

Filesize
561B

MD5
51c0c9834c451d55172d60f847c31e89

SHA1
0503354fdd3a4276a56da54262f90c637a09b7b8

SHA256
aec5ec7b1c4b3fdc3e6dc6e4001645683d5ec8cb211f325068425db102470387

SHA512
1fec7f1c1856d8ab6053e8a6f7250f96e5c7daf18b80251b83a2e1dcdd2fdbae0d2deca51cf6b0ed0bc08056e3c067c7520313899f22e46c9358fc05911f86cb

Download Submit
C:\Windows\LTSvc\LTSvcMon.exe

Filesize
94KB

MD5
880b96625544c4c34aea975a68756c91

SHA1
387475f73a473c38f54c707d95a589c77fc73696

SHA256
af2aaa8fc0f46396aedafda44939d30e3524b2db4ca46b4454007999419b09ad

SHA512
f97b429f947cdd2bc6c9f6b8e6aef7a525a36530ff500365e86ee71a7a0ff68e2aa6e168fe5b31c08f6e9ad921072790f0cf0be42612607bbea4e4105ad339a0

Download Submit
C:\Windows\LTsvc\LTSvcMon.exe

Filesize
94KB

MD5
880b96625544c4c34aea975a68756c91

SHA1
387475f73a473c38f54c707d95a589c77fc73696

SHA256
af2aaa8fc0f46396aedafda44939d30e3524b2db4ca46b4454007999419b09ad

SHA512
f97b429f947cdd2bc6c9f6b8e6aef7a525a36530ff500365e86ee71a7a0ff68e2aa6e168fe5b31c08f6e9ad921072790f0cf0be42612607bbea4e4105ad339a0

Download Submit
C:\Windows\LTsvc\LTTray.exe

Filesize
1.2MB

MD5
094e26afac4ec4487eb99eb7f86b5e88

SHA1
859c5c679e8ecd18b60f8b2bc2a1c17bec4975c3

SHA256
ac3e0a24eee0e0e1fa8bb34676c3c17cc8cfc0d7dea35e6cf2490851e0c60865

SHA512
daad5487df58111d1b18afdd3def6764ef73b0f0cba69dd250cbf61dfc513ce42cd425927e50c449d86c88e71e2d40ccba520ba7bbac6b6569c5765d0f0b3996

Download Submit
C:\Windows\LTsvc\wodVPN.dll

Filesize
524KB

MD5
97c73bd1cc0011d111316d924532be35

SHA1
a3bccbdbdcb536c772e67d8f265996caff1c8207

SHA256
3e31fac9ba997faf1ade072050ac56cf4d1bddd47f5dd342825e04e8af91a9fa

SHA512
97793caa945d69fb5b89780428bbfa7c0d45864f3d7b5063311ed898c10c3e63ed0f7762b3a73de794026a3be9e8fcdeb5afb44217cdd6f198921067244aff1f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.InstallLog

Filesize
568B

MD5
ec8b582d48d6bb9cc7084650dd81561c

SHA1
95b544a9139836ddeba3f5345242c520449ac823

SHA256
3de8085a9ee68703a5c9abc05c65712fbf65ccac18f392bdc622f92a86021e1f

SHA512
e88f3934e61d6a8852abb24000a805b97a71f92d299179e04465420bd11ecbbd00b4fb19b1ba3d005b5c329fd79210bbdd2d0f2d722397676f834578984688bb

Download Submit
\Windows\LTSvc\cpuidsdk.dll

Filesize
1.8MB

MD5
9aad8219b81710030bede32f82025c2c

SHA1
171e38dc6a0246741dc57879ae6a763a2062b082

SHA256
d36e2e0dbbe6e1f1f868ebfc02e5375eae7aea159beb6e92512d0b367f5c3a8c

SHA512
c565a9fdea2991d0a526ea4a49d52896fd24a1057472eea2b09c7e70208dab5d3400344388879a274c42ace9f75a85ba399976d8fc08235c1c0a6891fd30758d

Download Submit
\Windows\LTSvc\wodVPN.dll

Filesize
524KB

MD5
97c73bd1cc0011d111316d924532be35

SHA1
a3bccbdbdcb536c772e67d8f265996caff1c8207

SHA256
3e31fac9ba997faf1ade072050ac56cf4d1bddd47f5dd342825e04e8af91a9fa

SHA512
97793caa945d69fb5b89780428bbfa7c0d45864f3d7b5063311ed898c10c3e63ed0f7762b3a73de794026a3be9e8fcdeb5afb44217cdd6f198921067244aff1f

Download Submit
\Windows\LTSvc\wodVPN.dll

Filesize
524KB

MD5
97c73bd1cc0011d111316d924532be35

SHA1
a3bccbdbdcb536c772e67d8f265996caff1c8207

SHA256
3e31fac9ba997faf1ade072050ac56cf4d1bddd47f5dd342825e04e8af91a9fa

SHA512
97793caa945d69fb5b89780428bbfa7c0d45864f3d7b5063311ed898c10c3e63ed0f7762b3a73de794026a3be9e8fcdeb5afb44217cdd6f198921067244aff1f

Download Submit
memory/308-192-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

Filesize
9.6MB

Download
memory/308-190-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

Filesize
9.6MB

Download
memory/308-191-0x0000000000AF0000-0x0000000000B70000-memory.dmp

Filesize
512KB

Download
memory/308-199-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

Filesize
9.6MB

Download
memory/1356-75-0x0000000001890000-0x0000000001910000-memory.dmp

Filesize
512KB

Download
memory/1356-74-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

Filesize
9.6MB

Download
memory/1356-76-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

Filesize
9.6MB

Download
memory/1356-105-0x0000000001830000-0x0000000001844000-memory.dmp

Filesize
80KB

Download
memory/1356-197-0x000000001A800000-0x000000001A856000-memory.dmp

Filesize
344KB

Download
memory/1356-198-0x0000000001890000-0x0000000001910000-memory.dmp

Filesize
512KB

Download
memory/1356-200-0x0000000001890000-0x0000000001910000-memory.dmp

Filesize
512KB

Download
memory/1356-125-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

Filesize
9.6MB

Download
memory/1356-126-0x0000000001890000-0x0000000001910000-memory.dmp

Filesize
512KB

Download
memory/2100-173-0x0000000000E70000-0x0000000000EF0000-memory.dmp

Filesize
512KB

Download
memory/2100-156-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

Filesize
9.6MB

Download
memory/2100-167-0x0000000000FF0000-0x000000000108A000-memory.dmp

Filesize
616KB

Download
memory/2100-168-0x0000000000830000-0x0000000000850000-memory.dmp

Filesize
128KB

Download
memory/2100-172-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

Filesize
9.6MB

Download
memory/2100-155-0x0000000000A20000-0x0000000000A3C000-memory.dmp

Filesize
112KB

Download
memory/2100-187-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

Filesize
9.6MB

Download
memory/2200-10-0x0000000002E10000-0x0000000002E90000-memory.dmp

Filesize
512KB

Download
memory/2200-109-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

Filesize
9.6MB

Download
memory/2200-0-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

Filesize
9.6MB

Download
memory/2200-1-0x0000000002E10000-0x0000000002E90000-memory.dmp

Filesize
512KB

Download
memory/2200-2-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

Filesize
9.6MB

Download
memory/2200-9-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

Filesize
9.6MB

Download
memory/2940-49-0x00000000009C0000-0x00000000009E0000-memory.dmp

Filesize
128KB

Download
memory/2940-33-0x000000001C370000-0x000000001CF6E000-memory.dmp

Filesize
12.0MB

Download
memory/2940-32-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

Filesize
9.6MB

Download
memory/2940-34-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

Filesize
9.6MB

Download
memory/2940-46-0x0000000000920000-0x00000000009BA000-memory.dmp

Filesize
616KB

Download
memory/2940-48-0x0000000000900000-0x000000000090E000-memory.dmp

Filesize
56KB

Download
memory/2940-67-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads