25d72641d7055d44479fd87048ef74015e6eaa9deb6b6f397402be8a2b582e3e

General

Target

2c2e88dd8795e6732c2a84969f7c2e24.exe
Size

260KB
MD5

2c2e88dd8795e6732c2a84969f7c2e24
SHA1

72a4e95e54e5c504cf2ca7337f76224874dc7c4b
SHA256

25d72641d7055d44479fd87048ef74015e6eaa9deb6b6f397402be8a2b582e3e
SHA512

ad176a479cf0136f9558c9c2eb3a859d4204164875ae8c5ec3e87e2ae8c6328409552a1743eb453b991d1d737bdd61f1776bb8e6d3be0540cc0361fff4029813
SSDEEP

3072:2gfAlNXvh25n/kZoSUjMqXnpWAkpAmTSrMaIOYt/jo7LAtPhjjtZnfHFEoWBfGVg:2dSgTSrMaIl/jcLijfHFEHWzXvjT85R

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	luaehi.exe

Executes dropped EXE 1 IoCs

pid	Process
2172	luaehi.exe

Loads dropped DLL 2 IoCs

pid	Process
1204	2c2e88dd8795e6732c2a84969f7c2e24.exe
1204	2c2e88dd8795e6732c2a84969f7c2e24.exe

Adds Run key to start application 2 TTPs 15 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\luaehi = "C:\\Users\\Admin\\luaehi.exe /J"	luaehi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\luaehi = "C:\\Users\\Admin\\luaehi.exe /W"	luaehi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\luaehi = "C:\\Users\\Admin\\luaehi.exe /s"	luaehi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\luaehi = "C:\\Users\\Admin\\luaehi.exe /O"	luaehi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\luaehi = "C:\\Users\\Admin\\luaehi.exe /m"	luaehi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\luaehi = "C:\\Users\\Admin\\luaehi.exe /u"	luaehi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\luaehi = "C:\\Users\\Admin\\luaehi.exe /Y"	luaehi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\luaehi = "C:\\Users\\Admin\\luaehi.exe /b"	luaehi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\luaehi = "C:\\Users\\Admin\\luaehi.exe /d"	luaehi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\luaehi = "C:\\Users\\Admin\\luaehi.exe /Q"	luaehi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\luaehi = "C:\\Users\\Admin\\luaehi.exe /P"	luaehi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\luaehi = "C:\\Users\\Admin\\luaehi.exe /F"	luaehi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\luaehi = "C:\\Users\\Admin\\luaehi.exe /X"	luaehi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\luaehi = "C:\\Users\\Admin\\luaehi.exe /h"	luaehi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\luaehi = "C:\\Users\\Admin\\luaehi.exe /c"	luaehi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2172	luaehi.exe
2172	luaehi.exe
2172	luaehi.exe
2172	luaehi.exe
2172	luaehi.exe
2172	luaehi.exe
2172	luaehi.exe
2172	luaehi.exe
2172	luaehi.exe
2172	luaehi.exe
2172	luaehi.exe
2172	luaehi.exe
2172	luaehi.exe
2172	luaehi.exe
2172	luaehi.exe
2172	luaehi.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1204	2c2e88dd8795e6732c2a84969f7c2e24.exe
2172	luaehi.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 2172	1204	2c2e88dd8795e6732c2a84969f7c2e24.exe	28
PID 1204 wrote to memory of 2172	1204	2c2e88dd8795e6732c2a84969f7c2e24.exe	28
PID 1204 wrote to memory of 2172	1204	2c2e88dd8795e6732c2a84969f7c2e24.exe	28
PID 1204 wrote to memory of 2172	1204	2c2e88dd8795e6732c2a84969f7c2e24.exe	28

C:\Users\Admin\AppData\Local\Temp\2c2e88dd8795e6732c2a84969f7c2e24.exe
"C:\Users\Admin\AppData\Local\Temp\2c2e88dd8795e6732c2a84969f7c2e24.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\luaehi.exe
  "C:\Users\Admin\luaehi.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2172