34e595b83b7bb8cb87366da963513f3fab248e366174a0753d55f126c08e6e58

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

022e71686224da861ba81730c15ef2b8.exe
Size

236KB
MD5

022e71686224da861ba81730c15ef2b8
SHA1

7e548b7d86d51ecdd07a9947bece222893592843
SHA256

34e595b83b7bb8cb87366da963513f3fab248e366174a0753d55f126c08e6e58
SHA512

712eaaaed70e0beb90ef4e4ce1dc30bb4e830caf2585d4242aa8ba0f9edee2080496821c43a226dab0887d802e8511be3a49889634a5624a7fe618202cae3db9
SSDEEP

3072:D6VlhsJ0JsvyMZeIT51B8u0gWCyiHCUPqgxh:dSJuyMwItf8u0gWCyiHCm

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	022e71686224da861ba81730c15ef2b8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	laever.exe

Executes dropped EXE 1 IoCs

pid	Process
2124	laever.exe

Loads dropped DLL 2 IoCs

pid	Process
1696	022e71686224da861ba81730c15ef2b8.exe
1696	022e71686224da861ba81730c15ef2b8.exe

Adds Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\laever = "C:\\Users\\Admin\\laever.exe /l"	laever.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\laever = "C:\\Users\\Admin\\laever.exe /d"	laever.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\laever = "C:\\Users\\Admin\\laever.exe /q"	laever.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\laever = "C:\\Users\\Admin\\laever.exe /c"	laever.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\laever = "C:\\Users\\Admin\\laever.exe /e"	laever.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\laever = "C:\\Users\\Admin\\laever.exe /v"	022e71686224da861ba81730c15ef2b8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\laever = "C:\\Users\\Admin\\laever.exe /z"	laever.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\laever = "C:\\Users\\Admin\\laever.exe /g"	laever.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\laever = "C:\\Users\\Admin\\laever.exe /j"	laever.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\laever = "C:\\Users\\Admin\\laever.exe /k"	laever.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\laever = "C:\\Users\\Admin\\laever.exe /n"	laever.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\laever = "C:\\Users\\Admin\\laever.exe /f"	laever.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\laever = "C:\\Users\\Admin\\laever.exe /a"	laever.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\laever = "C:\\Users\\Admin\\laever.exe /y"	laever.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\laever = "C:\\Users\\Admin\\laever.exe /o"	laever.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\laever = "C:\\Users\\Admin\\laever.exe /v"	laever.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\laever = "C:\\Users\\Admin\\laever.exe /u"	laever.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\laever = "C:\\Users\\Admin\\laever.exe /w"	laever.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\laever = "C:\\Users\\Admin\\laever.exe /x"	laever.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\laever = "C:\\Users\\Admin\\laever.exe /t"	laever.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\laever = "C:\\Users\\Admin\\laever.exe /i"	laever.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\laever = "C:\\Users\\Admin\\laever.exe /m"	laever.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\laever = "C:\\Users\\Admin\\laever.exe /h"	laever.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\laever = "C:\\Users\\Admin\\laever.exe /r"	laever.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\laever = "C:\\Users\\Admin\\laever.exe /p"	laever.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\laever = "C:\\Users\\Admin\\laever.exe /s"	laever.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\laever = "C:\\Users\\Admin\\laever.exe /b"	laever.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1696	022e71686224da861ba81730c15ef2b8.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe
2124	laever.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1696	022e71686224da861ba81730c15ef2b8.exe
2124	laever.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 2124	1696	022e71686224da861ba81730c15ef2b8.exe	28
PID 1696 wrote to memory of 2124	1696	022e71686224da861ba81730c15ef2b8.exe	28
PID 1696 wrote to memory of 2124	1696	022e71686224da861ba81730c15ef2b8.exe	28
PID 1696 wrote to memory of 2124	1696	022e71686224da861ba81730c15ef2b8.exe	28

C:\Users\Admin\AppData\Local\Temp\022e71686224da861ba81730c15ef2b8.exe
"C:\Users\Admin\AppData\Local\Temp\022e71686224da861ba81730c15ef2b8.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Users\Admin\laever.exe
  "C:\Users\Admin\laever.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\laever.exe

Filesize
82KB

MD5
ecd624d0a7c2f949e4e2bd5177838856

SHA1
2b5c5cf3fc37e1dc9a044616c5e36ec6a2607d78

SHA256
646a81bbee7192d18cf28d75ccebbd04cc82749e6323943d8a1e0b40944a27f4

SHA512
533e7822df143f213189291b03d37b2814ff9cb1a1b6ed097223e78912fab004b7f5997ea1b16dda9d221b0f9dea4ae6e345f62fe29b00ff9d50c3b6580658ff

Download Submit
C:\Users\Admin\laever.exe

Filesize
70KB

MD5
cd10e49dd7c201687d1f0e56e2dcc2aa

SHA1
007e30f1ae654e5310927edd79fa8399f093e7fe

SHA256
c1f42af72790cb674e2961e61989fac75c590db3d6cdd50c0d0e3968e748a6f1

SHA512
4a9f4b57199c3895e6961639a380522058ae2f11c6fbe9a66c607b9840ba5e17feb27011fa13eaa120590f4511813e507222002155d2ccf42ba06f82f4a01404

Download Submit
C:\Users\Admin\laever.exe

Filesize
89KB

MD5
5eff518ab7b4cb3a8e4d7f9bf8a8703e

SHA1
49d989f0b4ac18d72c47faacf71f04f244b3a69e

SHA256
34f07cd49bb73ef04a02feb3ec53723dcbdf4412e96a963a3bb5a31bf2ac1aa9

SHA512
386ad7d48995c4b71207100571a137846eb80ed3bbce7b82df3d12fb0590458eba7dabbe9cc5c149798fc513be6470818ca70dc23363040a6ad219e01e303ce3

Download Submit
\Users\Admin\laever.exe

Filesize
168KB

MD5
95c2cda9f684c58a83f27776d798a1f8

SHA1
e7aedf155e28a78d0ad664a0aa65f7c6afeb9846

SHA256
69cf072b1ccb838d64b3a1f1c96741ca3c0573a3780e0c446f828da2cb960ffa

SHA512
a7c50af406f723b90fe227a6d3a292adce70962bde074664b5df198f56c984d0f9e8bfd26d3eb2cec3d60b3a6759eabf729d360cde4065950e4ac1aa749795fd

Download Submit
\Users\Admin\laever.exe

Filesize
95KB

MD5
49da6aec90d449328168ed1fe20ed382

SHA1
35336fe444e922a836fd1ca32e4b4d84b2adef3c

SHA256
5f4a857413d43dc4baf479cc4a7aedf39464b224ca0d75340fc03e86feb97967

SHA512
b7ca71b5b5964de4880c7f26346bf01a309f73fe5956d6d6c72457604bac5ce42e38f04e2e595b7c3505568390c234609149ea6c2d126ced3ad226b1efa0fcfc

Download Submit
memory/1696-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1696-16-0x0000000002E50000-0x0000000002E8F000-memory.dmp

Filesize
252KB

Download
memory/1696-9-0x0000000002E50000-0x0000000002E8F000-memory.dmp

Filesize
252KB

Download
memory/2124-18-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download