Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/01/2024, 19:21

General

  • Target: a803651431c71f5a15932648c8171172.exe
  • Size: 108KB
  • MD5: a803651431c71f5a15932648c8171172
  • SHA1: 244e9ea02a6823b44a9d08df28fa6fde69f8d865
  • SHA256: 29d9ee9d182854ba4aaf84769c34139d2c77e3ff3389c365c50933994a771e4c
  • SHA512: fcca68583f20517e7983b8f77574cd8fd1c3e6590db92ec90521accac8d59e6c9c936c4f3fb6f9f08e7de994524484976963101bcda6f752e2d54ce5b3fa1df7
  • SSDEEP: 1536:wA9c/KiB6oQ7Lh5+sXmNt0ttlPXLq0zTrk3:d8moIeZt8XTzTo3

Score
10/10

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 27 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a803651431c71f5a15932648c8171172.exe
    "C:\Users\Admin\AppData\Local\Temp\a803651431c71f5a15932648c8171172.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4472
    • C:\Users\Admin\layek.exe
      "C:\Users\Admin\layek.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4884

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\layek.exe
    Filesize: 16KB
    MD5: 74a9f7c401e884125660f8343011a6ea
    SHA1: 5afdc662386f087bc493922f1063b285ea21b9a7
    SHA256: 2b0d530ab1cfc3dee51806a404f88fbe122388cc54fe0ae4f1b026c24780efd3
    SHA512: 12c8a4b20b04ec1c7f2d065ebb91bce0da22c9bf0c587db6c43477131813f2bfddcfe60c308b15b35cad9c42cb9cf5993f938b0bc7bec103ded8993c0cdae73c

  • C:\Users\Admin\layek.exe
    Filesize: 108KB
    MD5: fb8803ebbcb89432d7110399172adfe0
    SHA1: 3bfd4700c6125fbb7f7c511fbe3db1fa387aeae9
    SHA256: 6b5aec3bdb1ae6b87be32dd6b275a85e74e074a05e9458570a22cee0414f4130
    SHA512: 1c68efbd8117b493bb1ad98bf7bec81599887980520cbe60df4bdc6f5f60d004618cb4da4a07078edb3e7a3e3fe83d15e6c94f7a3637fc5e41346c1cb9964be7

  • C:\Users\Admin\layek.exe
    Filesize: 1KB
    MD5: 2b9b2e4e273cd2ae85623ba078db61c4
    SHA1: a9900d1d2709d3454ee1af4f9ef68157a98895bc
    SHA256: 39d734bc8403cd375e058d631376321633fab03936f3dcb7ac8bf86097219dfb
    SHA512: 6239758615caefdde66e5e8ff5a8550c629f0ab8c13093aa4ac7b49f166df25eaf2b71dae2226ac94f718baacdba357a09e648ecb50114df246fc44aeb61fbce