9a41f8fdcbe631d597a9902ee78f384d7518e6508274a494188a78c531657e56

Analysis

max time kernel
63s
max time network
67s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
16/10/2023, 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13b00a599adf4a61890cbd91445d2ec8.exe
Size

13.4MB
MD5

13b00a599adf4a61890cbd91445d2ec8
SHA1

d06563a69e4451da10481d71ddb0610519ad017f
SHA256

9a41f8fdcbe631d597a9902ee78f384d7518e6508274a494188a78c531657e56
SHA512

0ece9a759d561d3786c45e0dd0d255f650b421bf95a62bb96edceecbe12d68fa1d84a5468c099cd8dceb4cdf62a6781864fff6150aca30d630d256f5481eac23
SSDEEP

393216:FZRT1dK3sROLQ1iP0pmj4taHcOZGTwjSIG/EBpKZkWd:FZRT1dK3sROLQ1iP0pmj4taHcOZGwOIa

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 21 IoCs

evasion

Windows Service

T1543.003

pid	Process
4544	netsh.exe
4772	netsh.exe
1972	netsh.exe
2372	netsh.exe
4300	netsh.exe
1340	netsh.exe
3560	netsh.exe
4440	netsh.exe
2796	netsh.exe
468	netsh.exe
5000	netsh.exe
3032	netsh.exe
3436	netsh.exe
4108	netsh.exe
4136	netsh.exe
3656	netsh.exe
732	netsh.exe
404	netsh.exe
1964	netsh.exe
1348	netsh.exe
3376	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LTService\ImagePath = "\"C:\\Windows\\LTSvc\\LTSVC.exe\" -sLTService"	installutil.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	13b00a599adf4a61890cbd91445d2ec8.exe

Executes dropped EXE 1 IoCs

pid	Process
1168	LTSVC.exe

Loads dropped DLL 3 IoCs

pid	Process
1168	LTSVC.exe
3216	regsvr32.exe
1168	LTSVC.exe

Registers COM server for autorun 1 TTPs 33 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C59A1D54-8CD7-4795-AEDD-F6F6E2DE1FE7}\InprocServer32\ThreadingModel = "both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{09DF1DCA-C076-498A-8370-AD6F878B6C6A}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D101D9C-18CC-4E78-8D78-389E48478FCA}\InprocServer32\ThreadingModel = "both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{459C65ED-AA9C-4CF1-9A24-7685505F919A}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{459C65ED-AA9C-4CF1-9A24-7685505F919A}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1B00A43-7A54-4A0F-B35D-B4334811FAA4}\InprocServer32\ = "C:\\Windows\\LTsvc\\wodVPN.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7BE3886B-0C12-4D87-AC0B-09A5CE4E6BD6}\InprocServer32\ThreadingModel = "both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D101D9C-18CC-4E78-8D78-389E48478FCA}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7E092B5C-795B-46BC-886A-DFFBBBC9A117}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7E092B5C-795B-46BC-886A-DFFBBBC9A117}\InprocServer32\ThreadingModel = "both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C198C98-0E27-40E4-972C-FDC656EC30D7}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1B00A43-7A54-4A0F-B35D-B4334811FAA4}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{09DF1DCA-C076-498A-8370-AD6F878B6C6A}\InprocServer32\ = "C:\\Windows\\LTsvc\\wodVPN.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7BE3886B-0C12-4D87-AC0B-09A5CE4E6BD6}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{459C65ED-AA9C-4CF1-9A24-7685505F919A}\InprocServer32\ = "C:\\Windows\\LTsvc\\wodVPN.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBC521C8-2792-43FE-9C91-CCA7E8ACBCC9}\InprocServer32\ = "C:\\Windows\\LTsvc\\wodVPN.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C198C98-0E27-40E4-972C-FDC656EC30D7}\InprocServer32\ThreadingModel = "both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B0B8CDD6-8AAA-4426-82E9-9455140124A1}\InprocServer32\ = "C:\\Windows\\LTsvc\\wodVPN.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B0B8CDD6-8AAA-4426-82E9-9455140124A1}\InprocServer32\ThreadingModel = "both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{15DD3BF6-5A11-4407-8399-A19AC10C65D0}\InprocServer32\ThreadingModel = "both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C59A1D54-8CD7-4795-AEDD-F6F6E2DE1FE7}\InprocServer32\ = "C:\\Windows\\LTsvc\\wodVPN.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1B00A43-7A54-4A0F-B35D-B4334811FAA4}\InprocServer32\ThreadingModel = "both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{09DF1DCA-C076-498A-8370-AD6F878B6C6A}\InprocServer32\ThreadingModel = "both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBC521C8-2792-43FE-9C91-CCA7E8ACBCC9}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{15DD3BF6-5A11-4407-8399-A19AC10C65D0}\InprocServer32\ = "C:\\Windows\\LTsvc\\wodVPN.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7E092B5C-795B-46BC-886A-DFFBBBC9A117}\InprocServer32\ = "C:\\Windows\\LTsvc\\wodVPN.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7BE3886B-0C12-4D87-AC0B-09A5CE4E6BD6}\InprocServer32\ = "C:\\Windows\\LTsvc\\wodVPN.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D101D9C-18CC-4E78-8D78-389E48478FCA}\InprocServer32\ = "C:\\Windows\\LTsvc\\wodVPN.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBC521C8-2792-43FE-9C91-CCA7E8ACBCC9}\InprocServer32\ThreadingModel = "both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{15DD3BF6-5A11-4407-8399-A19AC10C65D0}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C59A1D54-8CD7-4795-AEDD-F6F6E2DE1FE7}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C198C98-0E27-40E4-972C-FDC656EC30D7}\InprocServer32\ = "C:\\Windows\\LTsvc\\wodVPN.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B0B8CDD6-8AAA-4426-82E9-9455140124A1}\InprocServer32	regsvr32.exe

An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs

pid	Process
4864	CMD.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File created	C:\Windows\LTsvc\LTSvcMon.exe	LTSVC.exe
File created	C:\Windows\LTSvc\LabTech.ico	13b00a599adf4a61890cbd91445d2ec8.exe
File created	C:\Windows\LTSvc\LTSVC.exe	13b00a599adf4a61890cbd91445d2ec8.exe
File created	C:\Windows\LTSvc\Interfaces.dll	13b00a599adf4a61890cbd91445d2ec8.exe
File created	C:\Windows\LTsvc\Interfaces.dll	LTSVC.exe
File opened for modification	C:\Windows\LTsvc\LTErrors.txt	LTSVC.exe
File created	C:\Windows\LTsvc\LTTray.exe	LTSVC.exe
File created	C:\Windows\LTsvc\NoSensors	LTSVC.exe
File created	C:\Windows\LTsvc\PS.exe	LTSVC.exe
File opened for modification	C:\Windows\LTsvc\ultravnc.ini	LTSVC.exe
File created	C:\Windows\LTsvc\vnchooks.dll	LTSVC.exe
File created	C:\Windows\LTSvc\LTSVC.InstallState	installutil.exe
File created	C:\Windows\LTsvc\wodVPN64.dll	LTSVC.exe
File created	C:\Windows\LTsvc\cad.exe	LTSVC.exe
File created	C:\Windows\LTsvc\labvnc.ini	LTSVC.exe
File created	C:\Windows\LTSvc\LTTray.exe	13b00a599adf4a61890cbd91445d2ec8.exe
File created	C:\Windows\LTsvc\cpuidsdk64.dll	LTSVC.exe
File created	C:\Windows\LTsvc\screenhooks.dll	LTSVC.exe
File created	C:\Windows\LTsvc\sas.dll	LTSVC.exe
File created	C:\Windows\LTsvc\labvnc.exe	LTSVC.exe
File created	C:\Windows\LTsvc\ultravnc.ini	LTSVC.exe
File created	C:\Windows\LTsvc\SCHook.dll	LTSVC.exe
File created	C:\Windows\LTsvc\LSR.exe	LTSVC.exe
File opened for modification	C:\Windows\LTSvc\LTSVC.InstallLog	installutil.exe
File created	C:\Windows\LTsvc\tvnserver.exe	LTSVC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 13 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	LTSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsKill	LTSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\C	LTSVC.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\C\EulaAccepted = "1"	LTSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals	LTSVC.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsKill\EulaAccepted = "1"	LTSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	LTSVC.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	LTSVC.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	LTSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	LTSVC.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	LTSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	LTSVC.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	LTSVC.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{459C65ED-AA9C-4CF1-9A24-7685505F919A}\ProgID\ = "WeOnlyDo.wodVPNCom.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WeOnlyDo.VPNChannels.1\ = "VPNChannels Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WeOnlyDo.VPNChannels.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBC521C8-2792-43FE-9C91-CCA7E8ACBCC9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBC521C8-2792-43FE-9C91-CCA7E8ACBCC9}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B0B8CDD6-8AAA-4426-82E9-9455140124A1}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{09DF1DCA-C076-498A-8370-AD6F878B6C6A}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C198C98-0E27-40E4-972C-FDC656EC30D7}\ = "VPNRelay Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WeOnlyDo.VPNRelays.1\CLSID\ = "{B0B8CDD6-8AAA-4426-82E9-9455140124A1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WeOnlyDo.VPNInterface	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4060697F-931D-4D71-8864-D47557560740}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1BD84436-87A4-488E-968E-E07CAB0157F8}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B8218469-6598-4D1A-83A4-7759F3740236}\TypeLib\ = "{26818C76-2CAC-4C7E-9704-E3A037D4F3DB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WeOnlyDo.VPNUser\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C59A1D54-8CD7-4795-AEDD-F6F6E2DE1FE7}\ = "VPNUsers Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D101D9C-18CC-4E78-8D78-389E48478FCA}\InprocServer32\ = "C:\\Windows\\LTsvc\\wodVPN.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{26818C76-2CAC-4C7E-9704-E3A037D4F3DB}\1.0\0\win64	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{26818C76-2CAC-4C7E-9704-E3A037D4F3DB}\1.0\HELPDIR\ = "C:\\Windows\\LTsvc\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3607E98A-C816-486C-AEC9-A64C8FDEAB6D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4060697F-931D-4D71-8864-D47557560740}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9BA4C7B5-4941-4473-A1F5-187AD734C009}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{902D4CE3-EA2D-4334-BD07-FCBCD0AFBDB1}\TypeLib\ = "{26818C76-2CAC-4C7E-9704-E3A037D4F3DB}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1646101F-5EDD-456C-A734-E6E7456C7C1F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WeOnlyDo.VPNChannel.1\CLSID\ = "{15DD3BF6-5A11-4407-8399-A19AC10C65D0}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WeOnlyDo.VPNUsers\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B0B8CDD6-8AAA-4426-82E9-9455140124A1}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B0B8CDD6-8AAA-4426-82E9-9455140124A1}\InprocServer32\ThreadingModel = "both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34FCE977-800B-47D3-AA58-E2B1ED957710}\ = "IVPNChannel"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{902D4CE3-EA2D-4334-BD07-FCBCD0AFBDB1}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7E092B5C-795B-46BC-886A-DFFBBBC9A117}\InprocServer32\ThreadingModel = "both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WeOnlyDo.VPNUsers\ = "VPNUsers Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7BE3886B-0C12-4D87-AC0B-09A5CE4E6BD6}\InprocServer32\ThreadingModel = "both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{57144698-03FD-41B6-8479-73A8EB19DDA7}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3A926488-E5E7-453D-8492-18A4B64804A5}\ = "IVPNInterfaces"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{459C65ED-AA9C-4CF1-9A24-7685505F919A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WeOnlyDo.VPNUsers.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C59A1D54-8CD7-4795-AEDD-F6F6E2DE1FE7}\VersionIndependentProgID\ = "WeOnlyDo.VPNUsers"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1B00A43-7A54-4A0F-B35D-B4334811FAA4}\InprocServer32\ThreadingModel = "both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D101D9C-18CC-4E78-8D78-389E48478FCA}\ProgID\ = "WeOnlyDo.TCPHandler.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34FCE977-800B-47D3-AA58-E2B1ED957710}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4060697F-931D-4D71-8864-D47557560740}\ = "IVPNUsers"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9BA4C7B5-4941-4473-A1F5-187AD734C009}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1BD84436-87A4-488E-968E-E07CAB0157F8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0D415168-980F-4B2C-BFF2-DB68EC60149D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WeOnlyDo.VPNInterface\ = "VPNInterface Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{09DF1DCA-C076-498A-8370-AD6F878B6C6A}\InprocServer32\ThreadingModel = "both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WeOnlyDo.TCPHandler.1\CLSID\ = "{9D101D9C-18CC-4E78-8D78-389E48478FCA}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1646101F-5EDD-456C-A734-E6E7456C7C1F}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WeOnlyDo.VPNMediator.1\ = "VPNMediator Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{26818C76-2CAC-4C7E-9704-E3A037D4F3DB}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34FCE977-800B-47D3-AA58-E2B1ED957710}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D415168-980F-4B2C-BFF2-DB68EC60149D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7BE3886B-0C12-4D87-AC0B-09A5CE4E6BD6}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{26818C76-2CAC-4C7E-9704-E3A037D4F3DB}\1.0\0\win64\ = "C:\\Windows\\LTsvc\\wodVPN.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B7A786AC-285C-4924-9E9F-2FBF97499299}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CF1E24C-A9B6-45AF-8AED-13888061FB87}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{15DD3BF6-5A11-4407-8399-A19AC10C65D0}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C59A1D54-8CD7-4795-AEDD-F6F6E2DE1FE7}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1B00A43-7A54-4A0F-B35D-B4334811FAA4}\InprocServer32\ = "C:\\Windows\\LTsvc\\wodVPN.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7BE3886B-0C12-4D87-AC0B-09A5CE4E6BD6}\VersionIndependentProgID\ = "WeOnlyDo.VPNInterfaces"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9BA4C7B5-4941-4473-A1F5-187AD734C009}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2CF1E24C-A9B6-45AF-8AED-13888061FB87}\ = "ITCPHandler"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{15DD3BF6-5A11-4407-8399-A19AC10C65D0}\VersionIndependentProgID\ = "WeOnlyDo.VPNChannel"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1B00A43-7A54-4A0F-B35D-B4334811FAA4}	regsvr32.exe

Runs net.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1168	LTSVC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 2668	1404	13b00a599adf4a61890cbd91445d2ec8.exe	95
PID 1404 wrote to memory of 2668	1404	13b00a599adf4a61890cbd91445d2ec8.exe	95
PID 1168 wrote to memory of 3216	1168	LTSVC.exe	99
PID 1168 wrote to memory of 3216	1168	LTSVC.exe	99
PID 1168 wrote to memory of 4932	1168	LTSVC.exe	101
PID 1168 wrote to memory of 4932	1168	LTSVC.exe	101
PID 1168 wrote to memory of 4956	1168	LTSVC.exe	103
PID 1168 wrote to memory of 4956	1168	LTSVC.exe	103
PID 4956 wrote to memory of 1964	4956	CMD.exe	105
PID 4956 wrote to memory of 1964	4956	CMD.exe	105
PID 1168 wrote to memory of 4928	1168	LTSVC.exe	106
PID 1168 wrote to memory of 4928	1168	LTSVC.exe	106
PID 4928 wrote to memory of 3032	4928	CMD.exe	108
PID 4928 wrote to memory of 3032	4928	CMD.exe	108
PID 1168 wrote to memory of 1760	1168	LTSVC.exe	109
PID 1168 wrote to memory of 1760	1168	LTSVC.exe	109
PID 1760 wrote to memory of 1972	1760	CMD.exe	111
PID 1760 wrote to memory of 1972	1760	CMD.exe	111
PID 1168 wrote to memory of 1112	1168	LTSVC.exe	112
PID 1168 wrote to memory of 1112	1168	LTSVC.exe	112
PID 1112 wrote to memory of 3436	1112	CMD.exe	114
PID 1112 wrote to memory of 3436	1112	CMD.exe	114
PID 1168 wrote to memory of 4420	1168	LTSVC.exe	115
PID 1168 wrote to memory of 4420	1168	LTSVC.exe	115
PID 4420 wrote to memory of 1348	4420	CMD.exe	117
PID 4420 wrote to memory of 1348	4420	CMD.exe	117
PID 1168 wrote to memory of 4784	1168	LTSVC.exe	118
PID 1168 wrote to memory of 4784	1168	LTSVC.exe	118
PID 4784 wrote to memory of 3376	4784	CMD.exe	120
PID 4784 wrote to memory of 3376	4784	CMD.exe	120
PID 1168 wrote to memory of 636	1168	LTSVC.exe	121
PID 1168 wrote to memory of 636	1168	LTSVC.exe	121
PID 636 wrote to memory of 2372	636	CMD.exe	123
PID 636 wrote to memory of 2372	636	CMD.exe	123
PID 1168 wrote to memory of 4416	1168	LTSVC.exe	124
PID 1168 wrote to memory of 4416	1168	LTSVC.exe	124
PID 4416 wrote to memory of 4136	4416	CMD.exe	126
PID 4416 wrote to memory of 4136	4416	CMD.exe	126
PID 1168 wrote to memory of 4864	1168	LTSVC.exe	127
PID 1168 wrote to memory of 4864	1168	LTSVC.exe	127
PID 4864 wrote to memory of 3656	4864	CMD.exe	129
PID 4864 wrote to memory of 3656	4864	CMD.exe	129
PID 1168 wrote to memory of 4472	1168	LTSVC.exe	130
PID 1168 wrote to memory of 4472	1168	LTSVC.exe	130
PID 4472 wrote to memory of 3560	4472	CMD.exe	132
PID 4472 wrote to memory of 3560	4472	CMD.exe	132
PID 1168 wrote to memory of 1012	1168	LTSVC.exe	133
PID 1168 wrote to memory of 1012	1168	LTSVC.exe	133
PID 1012 wrote to memory of 732	1012	CMD.exe	135
PID 1012 wrote to memory of 732	1012	CMD.exe	135
PID 1168 wrote to memory of 3280	1168	LTSVC.exe	136
PID 1168 wrote to memory of 3280	1168	LTSVC.exe	136
PID 3280 wrote to memory of 4108	3280	CMD.exe	138
PID 3280 wrote to memory of 4108	3280	CMD.exe	138
PID 1168 wrote to memory of 4776	1168	LTSVC.exe	139
PID 1168 wrote to memory of 4776	1168	LTSVC.exe	139
PID 4776 wrote to memory of 4440	4776	CMD.exe	141
PID 4776 wrote to memory of 4440	4776	CMD.exe	141
PID 1168 wrote to memory of 3760	1168	LTSVC.exe	142
PID 1168 wrote to memory of 3760	1168	LTSVC.exe	142
PID 3760 wrote to memory of 2796	3760	CMD.exe	144
PID 3760 wrote to memory of 2796	3760	CMD.exe	144
PID 1168 wrote to memory of 2204	1168	LTSVC.exe	145
PID 1168 wrote to memory of 2204	1168	LTSVC.exe	145

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SoftwareSASGeneration = "1"	LTSVC.exe

C:\Users\Admin\AppData\Local\Temp\13b00a599adf4a61890cbd91445d2ec8.exe
"C:\Users\Admin\AppData\Local\Temp\13b00a599adf4a61890cbd91445d2ec8.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\installutil.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\installutil.exe" /name=LTService /account=localsystem C:\Windows\LTSvc\LTSVC.exe
  2⤵
  - Sets service image path in registry
  - Drops file in Windows directory
  PID:2668

C:\Windows\LTSvc\LTSVC.exe
"C:\Windows\LTSvc\LTSVC.exe" -sLTService
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1168
- C:\Windows\System32\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Windows\LTsvc\wodVPN.dll"
  2⤵
  - Loads dropped DLL
  - Registers COM server for autorun
  - Modifies registry class
  PID:3216
- C:\Windows\system32\Net1.exe
  "Net1.exe" Stop PSEXESVC
  2⤵
  PID:4932
- C:\Windows\system32\CMD.exe
  "CMD.exe" /c netsh advfirewall firewall Delete rule name="Allow NetFasTalk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall Delete rule name="Allow NetFasTalk"
    3⤵
    - Modifies Windows Firewall
    PID:1964
- C:\Windows\system32\CMD.exe
  "CMD.exe" /c netsh advfirewall firewall Delete rule name="Allow Local VNC"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4928
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall Delete rule name="Allow Local VNC"
    3⤵
    - Modifies Windows Firewall
    PID:3032
- C:\Windows\system32\CMD.exe
  "CMD.exe" /c netsh advfirewall firewall Delete rule name="Allow Local Redir"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall Delete rule name="Allow Local Redir"
    3⤵
    - Modifies Windows Firewall
    PID:1972
- C:\Windows\system32\CMD.exe
  "CMD.exe" /c netsh advfirewall firewall Delete rule name="Allow Tunnel StunRelay"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall Delete rule name="Allow Tunnel StunRelay"
    3⤵
    - Modifies Windows Firewall
    PID:3436
- C:\Windows\system32\CMD.exe
  "CMD.exe" /c netsh advfirewall firewall Delete rule name="Allow Tunnel"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4420
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall Delete rule name="Allow Tunnel"
    3⤵
    - Modifies Windows Firewall
    PID:1348
- C:\Windows\system32\CMD.exe
  "CMD.exe" /c netsh advfirewall firewall Delete rule name="AgentService"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall Delete rule name="AgentService"
    3⤵
    - Modifies Windows Firewall
    PID:3376
- C:\Windows\system32\CMD.exe
  "CMD.exe" /c netsh advfirewall firewall Delete rule name="AgentMonitor"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall Delete rule name="AgentMonitor"
    3⤵
    - Modifies Windows Firewall
    PID:2372
- C:\Windows\system32\CMD.exe
  "CMD.exe" /c netsh advfirewall firewall Delete rule name="AgentTray"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4416
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall Delete rule name="AgentTray"
    3⤵
    - Modifies Windows Firewall
    PID:4136
- C:\Windows\system32\CMD.exe
  "CMD.exe" /c netsh advfirewall firewall Add rule name="Allow NetFasTalk" dir=in protocol=udp localport=162,42000,42001,42002,42003,42004 remoteip=localsubnet action=allow
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Suspicious use of WriteProcessMemory
  PID:4864
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall Add rule name="Allow NetFasTalk" dir=in protocol=udp localport=162,42000,42001,42002,42003,42004 remoteip=localsubnet action=allow
    3⤵
    - Modifies Windows Firewall
    PID:3656
- C:\Windows\system32\CMD.exe
  "CMD.exe" /c netsh advfirewall firewall Add rule name="Allow Local VNC" dir=in protocol=tcp localport=4995,4996,4997,4998,4999 remoteip=localsubnet action=allow
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4472
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall Add rule name="Allow Local VNC" dir=in protocol=tcp localport=4995,4996,4997,4998,4999 remoteip=localsubnet action=allow
    3⤵
    - Modifies Windows Firewall
    PID:3560
- C:\Windows\system32\CMD.exe
  "CMD.exe" /c netsh advfirewall firewall Add rule name="Allow Local Redir" dir=in protocol=tcp remoteip=127.0.0.1 action=allow
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1012
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall Add rule name="Allow Local Redir" dir=in protocol=tcp remoteip=127.0.0.1 action=allow
    3⤵
    - Modifies Windows Firewall
    PID:732
- C:\Windows\system32\CMD.exe
  "CMD.exe" /c netsh advfirewall firewall Add rule name="Allow Local Redir" dir=in protocol=tcp localip=127.0.0.1 action=allow
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3280
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall Add rule name="Allow Local Redir" dir=in protocol=tcp localip=127.0.0.1 action=allow
    3⤵
    - Modifies Windows Firewall
    PID:4108
- C:\Windows\system32\CMD.exe
  "CMD.exe" /c netsh advfirewall firewall Add rule name="Allow Tunnel StunRelay" dir=out protocol=udp localport=70-75 action=allow
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4776
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall Add rule name="Allow Tunnel StunRelay" dir=out protocol=udp localport=70-75 action=allow
    3⤵
    - Modifies Windows Firewall
    PID:4440
- C:\Windows\system32\CMD.exe
  "CMD.exe" /c netsh advfirewall firewall Add rule name="Allow Tunnel" dir=out protocol=udp localport=40000-41000 action=allow
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3760
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall Add rule name="Allow Tunnel" dir=out protocol=udp localport=40000-41000 action=allow
    3⤵
    - Modifies Windows Firewall
    PID:2796
- C:\Windows\system32\CMD.exe
  "CMD.exe" /c netsh advfirewall firewall Add rule name="Allow Tunnel" dir=in protocol=udp localport=40000-41000 action=allow
  2⤵
  PID:2204
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall Add rule name="Allow Tunnel" dir=in protocol=udp localport=40000-41000 action=allow
    3⤵
    - Modifies Windows Firewall
    PID:404
- C:\Windows\system32\CMD.exe
  "CMD.exe" /c netsh advfirewall firewall add rule name="AgentService" dir=in action=allow program="%Windir%\LTsvc\LTSVC.exe" enable=yes
  2⤵
  PID:2828
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="AgentService" dir=in action=allow program="C:\Windows\LTsvc\LTSVC.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:4300
- C:\Windows\system32\CMD.exe
  "CMD.exe" /c netsh advfirewall firewall add rule name="AgentService" dir=out action=allow program="%Windir%\LTsvc\LTSVC.exe" enable=yes
  2⤵
  PID:872
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="AgentService" dir=out action=allow program="C:\Windows\LTsvc\LTSVC.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:468
- C:\Windows\system32\CMD.exe
  "CMD.exe" /c netsh advfirewall firewall add rule name="AgentMonitor" dir=in action=allow program="%Windir%\LTsvc\LTSVCmon.exe" enable=yes
  2⤵
  PID:2916
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="AgentMonitor" dir=in action=allow program="C:\Windows\LTsvc\LTSVCmon.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:4544
- C:\Windows\system32\CMD.exe
  "CMD.exe" /c netsh advfirewall firewall add rule name="AgentMonitor" dir=out action=allow program="%Windir%\LTsvc\LTSVCmon.exe" enable=yes
  2⤵
  PID:2520
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="AgentMonitor" dir=out action=allow program="C:\Windows\LTsvc\LTSVCmon.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:4772
- C:\Windows\system32\CMD.exe
  "CMD.exe" /c netsh advfirewall firewall add rule name="AgentTray" dir=in action=allow program="%Windir%\LTsvc\LTTray.exe" enable=yes
  2⤵
  PID:2644
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="AgentTray" dir=in action=allow program="C:\Windows\LTsvc\LTTray.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:1340
- C:\Windows\system32\CMD.exe
  "CMD.exe" /c netsh advfirewall firewall add rule name="AgentTray" dir=out action=allow program="%Windir%\LTsvc\LTTray.exe" enable=yes
  2⤵
  PID:2148
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="AgentTray" dir=out action=allow program="C:\Windows\LTsvc\LTTray.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:5000
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\installutil.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\installutil.exe" /i C:\Windows\LTsvc\LTSvcMon.exe
  2⤵
  PID:4348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\InstallLog.txt

Filesize
1002B

MD5
b599f00b3d5545bca74dd70afe6e2fb0

SHA1
4fa29ad049c095b36d629aa96c65e2970c96eb91

SHA256
23556e579da0885cc42a049277589cd245dcdb285992ad3a0442b1b37a08d2f6

SHA512
b916757d67f4b00d49cd95b5cb59ff4668cdfb5f54ace5fdf86321e77903ed67abf3239652640238643da884ad4193b466b6dcce0dc24297ae24bc999b309a61

Download Submit
C:\Windows\LTSvc\Interfaces.dll

Filesize
32KB

MD5
319611c6466bca80fb4b74a8518946df

SHA1
30d4651c6d998990d3952dccc168b5da4ee14d5f

SHA256
76abdebcf029a5318d36de860c068b73c6a7482c8b340e0fabb80955723b79f2

SHA512
9e232c43872dddeb6d71ce86d6bb46a4e1339062d50328213defdfe18faefbce9861b97c950b88a976a500d0c5893da2265909bedea6a9956c2e9d4458b720fa

Download Submit
C:\Windows\LTSvc\LTSVC.InstallLog

Filesize
602B

MD5
a03f1efc5c12286d99f3d7ff73ca4063

SHA1
212cc11ad3150deadb3a2cc788fc68e546ba22a4

SHA256
946026d6c8073876ae4eb2c4af9ff543729471be04f10547a56220814c4c2354

SHA512
83ef59a93b39c722a7b839d9f216e3e743b97230c7e9a2d2ecbbc8e6296c46dc08a275e95c9afbb2712ad9949d080c237ae33c9439d9f96727f715c9eb0a17d4

Download Submit
C:\Windows\LTSvc\LTSVC.InstallLog

Filesize
622B

MD5
8188d27e23bbdbee67be2b5126885e75

SHA1
9f22be482135eb0ed55375076026bfa898db2e35

SHA256
20939988afe3ead0d605004ced365dd6c467cc9303f8d76185124202cc06e03a

SHA512
929b53c5172ef9659d794e0adf7d6561fd7ec022dcf86327515d91df292667ee237ce8d8618cb05a22f47e65107b35deebd3ddcebe2fc40d39bc79cd233f688b

Download Submit
C:\Windows\LTSvc\LTSVC.exe

Filesize
12.0MB

MD5
a796283d5a5b9e113355958e39c1d388

SHA1
a3e590a6c2205c1ff5b89f0188c2c67a75db4c44

SHA256
d3dccdfda00ea5629de7371e1ec88d92f92975621f0c4252f96cfc660bef56d9

SHA512
34961ce91b74f069586d6099ede2e5007e78607f1028a33752f3e3c9fceed788286288935e2eca696705b7581631e2066a6051d5eb6092e52b4886b77fb73f1d

Download Submit
C:\Windows\LTSvc\LTSVC.exe

Filesize
12.0MB

MD5
a796283d5a5b9e113355958e39c1d388

SHA1
a3e590a6c2205c1ff5b89f0188c2c67a75db4c44

SHA256
d3dccdfda00ea5629de7371e1ec88d92f92975621f0c4252f96cfc660bef56d9

SHA512
34961ce91b74f069586d6099ede2e5007e78607f1028a33752f3e3c9fceed788286288935e2eca696705b7581631e2066a6051d5eb6092e52b4886b77fb73f1d

Download Submit
C:\Windows\LTSvc\cpuidsdk.dll

Filesize
1.8MB

MD5
9aad8219b81710030bede32f82025c2c

SHA1
171e38dc6a0246741dc57879ae6a763a2062b082

SHA256
d36e2e0dbbe6e1f1f868ebfc02e5375eae7aea159beb6e92512d0b367f5c3a8c

SHA512
c565a9fdea2991d0a526ea4a49d52896fd24a1057472eea2b09c7e70208dab5d3400344388879a274c42ace9f75a85ba399976d8fc08235c1c0a6891fd30758d

Download Submit
C:\Windows\LTSvc\labvnc.ini

Filesize
954B

MD5
f2d8de98b38c268fac609d576142e2bf

SHA1
6c00be7c0b390ff6041d58d8ca543d0f3df51cf7

SHA256
d57fa9fa15427a67d547d20ce2640642573bafe6c1366c68a17e19320b816039

SHA512
7f872d6241b4bcefc394d01ac68bec2333c6a9599706ebe9a68956bf5a08898a00ed8223ff31626891d755e7b37dc98103c447fb36efb048be05f32e4122eb11

Download Submit
C:\Windows\LTSvc\wodVPN.dll

Filesize
524KB

MD5
97c73bd1cc0011d111316d924532be35

SHA1
a3bccbdbdcb536c772e67d8f265996caff1c8207

SHA256
3e31fac9ba997faf1ade072050ac56cf4d1bddd47f5dd342825e04e8af91a9fa

SHA512
97793caa945d69fb5b89780428bbfa7c0d45864f3d7b5063311ed898c10c3e63ed0f7762b3a73de794026a3be9e8fcdeb5afb44217cdd6f198921067244aff1f

Download Submit
C:\Windows\LTSvc\wodVPN.dll

Filesize
524KB

MD5
97c73bd1cc0011d111316d924532be35

SHA1
a3bccbdbdcb536c772e67d8f265996caff1c8207

SHA256
3e31fac9ba997faf1ade072050ac56cf4d1bddd47f5dd342825e04e8af91a9fa

SHA512
97793caa945d69fb5b89780428bbfa7c0d45864f3d7b5063311ed898c10c3e63ed0f7762b3a73de794026a3be9e8fcdeb5afb44217cdd6f198921067244aff1f

Download Submit
C:\Windows\LTsvc\LTTray.exe

Filesize
1.2MB

MD5
094e26afac4ec4487eb99eb7f86b5e88

SHA1
859c5c679e8ecd18b60f8b2bc2a1c17bec4975c3

SHA256
ac3e0a24eee0e0e1fa8bb34676c3c17cc8cfc0d7dea35e6cf2490851e0c60865

SHA512
daad5487df58111d1b18afdd3def6764ef73b0f0cba69dd250cbf61dfc513ce42cd425927e50c449d86c88e71e2d40ccba520ba7bbac6b6569c5765d0f0b3996

Download Submit
C:\Windows\LTsvc\wodVPN.dll

Filesize
524KB

MD5
97c73bd1cc0011d111316d924532be35

SHA1
a3bccbdbdcb536c772e67d8f265996caff1c8207

SHA256
3e31fac9ba997faf1ade072050ac56cf4d1bddd47f5dd342825e04e8af91a9fa

SHA512
97793caa945d69fb5b89780428bbfa7c0d45864f3d7b5063311ed898c10c3e63ed0f7762b3a73de794026a3be9e8fcdeb5afb44217cdd6f198921067244aff1f

Download Submit
memory/1168-82-0x0000000001FA0000-0x0000000001FB0000-memory.dmp

Filesize
64KB

Download
memory/1168-128-0x00007FF9BD5B0000-0x00007FF9BDF51000-memory.dmp

Filesize
9.6MB

Download
memory/1168-169-0x0000000001FA0000-0x0000000001FB0000-memory.dmp

Filesize
64KB

Download
memory/1168-142-0x0000000001FA0000-0x0000000001FB0000-memory.dmp

Filesize
64KB

Download
memory/1168-135-0x000000001E3F0000-0x000000001E452000-memory.dmp

Filesize
392KB

Download
memory/1168-129-0x0000000001FA0000-0x0000000001FB0000-memory.dmp

Filesize
64KB

Download
memory/1168-120-0x000000001BFF0000-0x000000001C004000-memory.dmp

Filesize
80KB

Download
memory/1168-97-0x000000001D830000-0x000000001DD3E000-memory.dmp

Filesize
5.1MB

Download
memory/1168-90-0x0000000001FA0000-0x0000000001FB0000-memory.dmp

Filesize
64KB

Download
memory/1168-87-0x0000000001FA0000-0x0000000001FB0000-memory.dmp

Filesize
64KB

Download
memory/1168-86-0x000000001C190000-0x000000001C1DC000-memory.dmp

Filesize
304KB

Download
memory/1168-81-0x00007FF9BD5B0000-0x00007FF9BDF51000-memory.dmp

Filesize
9.6MB

Download
memory/1168-84-0x00007FF9BD5B0000-0x00007FF9BDF51000-memory.dmp

Filesize
9.6MB

Download
memory/1404-4-0x000000001C920000-0x000000001C940000-memory.dmp

Filesize
128KB

Download
memory/1404-3-0x00000000022F0000-0x0000000002300000-memory.dmp

Filesize
64KB

Download
memory/1404-2-0x000000001CB20000-0x000000001CE2E000-memory.dmp

Filesize
3.1MB

Download
memory/1404-6-0x000000001C9F0000-0x000000001CA96000-memory.dmp

Filesize
664KB

Download
memory/1404-1-0x00007FF9BD5B0000-0x00007FF9BDF51000-memory.dmp

Filesize
9.6MB

Download
memory/1404-91-0x00007FF9BD5B0000-0x00007FF9BDF51000-memory.dmp

Filesize
9.6MB

Download
memory/1404-13-0x00007FF9BD5B0000-0x00007FF9BDF51000-memory.dmp

Filesize
9.6MB

Download
memory/1404-0-0x00007FF9BD5B0000-0x00007FF9BDF51000-memory.dmp

Filesize
9.6MB

Download
memory/1404-5-0x000000001D700000-0x000000001DBCE000-memory.dmp

Filesize
4.8MB

Download
memory/1404-14-0x00000000022F0000-0x0000000002300000-memory.dmp

Filesize
64KB

Download
memory/2668-38-0x00007FF9BD5B0000-0x00007FF9BDF51000-memory.dmp

Filesize
9.6MB

Download
memory/2668-37-0x00007FF9BD5B0000-0x00007FF9BDF51000-memory.dmp

Filesize
9.6MB

Download
memory/2668-35-0x0000000001630000-0x0000000001648000-memory.dmp

Filesize
96KB

Download
memory/2668-54-0x000000001CB00000-0x000000001CB0E000-memory.dmp

Filesize
56KB

Download
memory/2668-43-0x000000001CB50000-0x000000001CB74000-memory.dmp

Filesize
144KB

Download
memory/2668-56-0x000000001D340000-0x000000001D3DC000-memory.dmp

Filesize
624KB

Download
memory/2668-40-0x000000001D620000-0x000000001E21E000-memory.dmp

Filesize
12.0MB

Download
memory/2668-74-0x00007FF9BD5B0000-0x00007FF9BDF51000-memory.dmp

Filesize
9.6MB

Download
memory/2668-39-0x00000000015D0000-0x00000000015E0000-memory.dmp

Filesize
64KB

Download
memory/4348-173-0x00007FF9BD5B0000-0x00007FF9BDF51000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads