Analysis
max time kernel: 151s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/01/2024, 19:21
Static task: static1
Behavioral task: behavioral1
  Sample: a803651431c71f5a15932648c8171172.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: a803651431c71f5a15932648c8171172.exe
  Resource: win10v2004-20231215-en
General
Target: a803651431c71f5a15932648c8171172.exe
Size: 108KB
MD5: a803651431c71f5a15932648c8171172
SHA1: 244e9ea02a6823b44a9d08df28fa6fde69f8d865
SHA256: 29d9ee9d182854ba4aaf84769c34139d2c77e3ff3389c365c50933994a771e4c
SHA512: fcca68583f20517e7983b8f77574cd8fd1c3e6590db92ec90521accac8d59e6c9c936c4f3fb6f9f08e7de994524484976963101bcda6f752e2d54ce5b3fa1df7
SSDEEP: 1536:wA9c/KiB6oQ7Lh5+sXmNt0ttlPXLq0zTrk3:d8moIeZt8XTzTo3
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | a803651431c71f5a15932648c8171172.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | layek.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation | a803651431c71f5a15932648c8171172.exe
Executes dropped EXE (1 IoC)
pid | Process
4884 | layek.exe
Adds Run key to start application (2 TTPs, 27 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\layek = "C:\\Users\\Admin\\layek.exe /m" | layek.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\layek = "C:\\Users\\Admin\\layek.exe /b" | layek.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\layek = "C:\\Users\\Admin\\layek.exe /p" | layek.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\layek = "C:\\Users\\Admin\\layek.exe /s" | layek.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\layek = "C:\\Users\\Admin\\layek.exe /y" | layek.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\layek = "C:\\Users\\Admin\\layek.exe /o" | layek.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\layek = "C:\\Users\\Admin\\layek.exe /w" | layek.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\layek = "C:\\Users\\Admin\\layek.exe /v" | layek.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\layek = "C:\\Users\\Admin\\layek.exe /n" | layek.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\layek = "C:\\Users\\Admin\\layek.exe /j" | layek.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\layek = "C:\\Users\\Admin\\layek.exe /i" | layek.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\layek = "C:\\Users\\Admin\\layek.exe /z" | layek.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\layek = "C:\\Users\\Admin\\layek.exe /u" | layek.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\layek = "C:\\Users\\Admin\\layek.exe /h" | layek.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\layek = "C:\\Users\\Admin\\layek.exe /x" | layek.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\layek = "C:\\Users\\Admin\\layek.exe /a" | layek.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\layek = "C:\\Users\\Admin\\layek.exe /r" | layek.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\layek = "C:\\Users\\Admin\\layek.exe /y" | a803651431c71f5a15932648c8171172.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\layek = "C:\\Users\\Admin\\layek.exe /g" | layek.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\layek = "C:\\Users\\Admin\\layek.exe /l" | layek.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\layek = "C:\\Users\\Admin\\layek.exe /q" | layek.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\layek = "C:\\Users\\Admin\\layek.exe /k" | layek.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\layek = "C:\\Users\\Admin\\layek.exe /c" | layek.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\layek = "C:\\Users\\Admin\\layek.exe /f" | layek.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\layek = "C:\\Users\\Admin\\layek.exe /t" | layek.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\layek = "C:\\Users\\Admin\\layek.exe /e" | layek.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\layek = "C:\\Users\\Admin\\layek.exe /d" | layek.exe
All 27 writes target the same value name, layek, under the same Run key; only the single-letter switch in the data changes between writes.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4472 | a803651431c71f5a15932648c8171172.exe (2 entries)
4884 | layek.exe (the remaining 62 entries)
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
4472 | a803651431c71f5a15932648c8171172.exe
4884 | layek.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 4472 wrote to memory of 4884 | 4472 | a803651431c71f5a15932648c8171172.exe | 92
PID 4472 wrote to memory of 4884 | 4472 | a803651431c71f5a15932648c8171172.exe | 92
PID 4472 wrote to memory of 4884 | 4472 | a803651431c71f5a15932648c8171172.exe | 92
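The registry rows above are printed flat, one per IoC, which hides the shape of what the sample did: the 27 "Adds Run key" IoCs are 27 writes to one value, layek, whose data differs only by a one-letter switch, so a detection keyed on the exact command line would miss the next switch. The following Python is an added example, not part of the sandbox report; it parses rows in the sandbox's printed format into records, collapses Run-key writes per (key, value name), and flags the three behaviours listed above. The six sample rows are copied from the Signatures section (both ShowSuperHidden writes, the Geo\Nation query, and three of the 27 Run writes); the ATT&CK technique IDs in the rule names are this editor's mapping, not the report's, and the function and constant names are my own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: six rows copied from the Signatures section of this report
# (both ShowSuperHidden writes, the Geo\Nation query and three of the 27 Run writes).
# The doubled backslashes in the value data are the sandbox's own escaping.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" a803651431c71f5a15932648c8171172.exe
Set value (int) \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" layek.exe
Key value queried \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation a803651431c71f5a15932648c8171172.exe
Set value (str) \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\layek = "C:\\Users\\Admin\\layek.exe /m" layek.exe
Set value (str) \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\layek = "C:\\Users\\Admin\\layek.exe /y" a803651431c71f5a15932648c8171172.exe
Set value (str) \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\layek = "C:\\Users\\Admin\\layek.exe /d" layek.exe
"""

# Row shapes as printed by the sandbox:
#   Set value (<type>) <key>\<name> = "<data>" <process>
#   Key value queried <key> <process>
SET_RE = re.compile(r'^Set value \((int|str)\) (.+)\\([^\\ ]+) = "(.*)" (\S+)$')
QUERY_RE = re.compile(r'^Key value queried (.+) (\S+)$')

# Key suffixes the rules look for (compared case-insensitively); names are mine.
RUN_KEY = r"\software\microsoft\windows\currentversion\run"
ADVANCED_KEY = r"\software\microsoft\windows\currentversion\explorer\advanced"
GEO_NATION_KEY = r"\control panel\international\geo\nation"


@dataclass(frozen=True)
class RegEvent:
    op: str       # "set" or "query"
    kind: str     # value type for sets ("int"/"str"); "" for queries
    key: str      # registry key path as printed by the sandbox
    name: str     # value name; "" for key queries
    data: str     # value data with the doubled backslashes collapsed; "" for queries
    process: str  # image name of the process that performed the operation


def parse_rows(text: str) -> list[RegEvent]:
    """Turn the flattened rows into RegEvent records; an unrecognised row raises rather than being skipped."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        if m := SET_RE.match(line):
            kind, key, name, data, proc = m.groups()
            events.append(RegEvent("set", kind, key, name, data.replace("\\\\", "\\"), proc))
        elif m := QUERY_RE.match(line):
            key, proc = m.groups()
            events.append(RegEvent("query", "", key, "", "", proc))
        else:
            raise ValueError(f"unrecognised row: {line!r}")
    return events


def split_command(data: str) -> tuple[str, str]:
    """Split Run-key data into (image path, arguments), honouring a quoted image path if present."""
    if data.startswith('"'):
        end = data.find('"', 1)
        if end == -1:
            return data[1:], ""
        return data[1:end], data[end + 1:].strip()
    image, _, args = data.partition(" ")
    return image, args.strip()


def triage(events: list[RegEvent]) -> dict:
    """Apply three rules and collapse Run-key writes to one entry per (key, value name)."""
    findings = set()
    run_entries = defaultdict(lambda: {"image": "", "switches": set(), "writers": set(), "writes": 0})
    for ev in events:
        key_l = ev.key.lower()
        if ev.op == "set" and key_l.endswith(ADVANCED_KEY) and ev.name.lower() == "showsuperhidden" and ev.data == "0":
            # Explorer stops showing protected operating-system files (ATT&CK T1564.001).
            findings.add(("T1564.001 hide protected OS files (ShowSuperHidden=0)", ev.process))
        elif ev.op == "set" and key_l.endswith(RUN_KEY):
            image, args = split_command(ev.data)
            entry = run_entries[(ev.key, ev.name)]
            entry["image"] = image  # last write wins, as in the registry itself
            entry["switches"].add(args)
            entry["writers"].add(ev.process)
            entry["writes"] += 1
            if "\\users\\" in image.lower():
                # Autostart pointing into a user profile rather than Program Files (ATT&CK T1547.001).
                findings.add(("T1547.001 Run key pointing into a user profile", ev.process))
        elif ev.op == "query" and key_l.endswith(GEO_NATION_KEY):
            # GeoID lookup, the usual geofence check (ATT&CK T1614).
            findings.add(("T1614 system location discovery (Geo\\Nation)", ev.process))
    return {
        "findings": sorted(findings),
        "run_entries": {
            f"{key}\\{name}": {
                "image": e["image"],
                "switches": sorted(e["switches"]),
                "writers": sorted(e["writers"]),
                "writes": e["writes"],
            }
            for (key, name), e in run_entries.items()
        },
    }


if __name__ == "__main__":
    result = triage(parse_rows(SAMPLE_ROWS))
    for rule, proc in result["findings"]:
        print(f"{proc:40} {rule}")
    for path, entry in result["run_entries"].items():
        print(f"{path}: {entry['image']} switches={entry['switches']} writes={entry['writes']}")
```

On the six sample rows the triage reports one Run entry, image C:\Users\Admin\layek.exe, written by both processes with switches /d, /m and /y; the same code over all 27 rows from the report would still yield one entry. Keying a detection on the value name plus the image path under a user profile, rather than on the full data string, is what survives the rotating switch.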
Processes
1. C:\Users\Admin\AppData\Local\Temp\a803651431c71f5a15932648c8171172.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a803651431c71f5a15932648c8171172.exe"
   PID: 4472
   - Modifies visibility of hidden/system files in Explorer
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\layek.exe (child of PID 4472)
      Command line: "C:\Users\Admin\layek.exe"
      PID: 4884
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 16KB
MD5: 74a9f7c401e884125660f8343011a6ea
SHA1: 5afdc662386f087bc493922f1063b285ea21b9a7
SHA256: 2b0d530ab1cfc3dee51806a404f88fbe122388cc54fe0ae4f1b026c24780efd3
SHA512: 12c8a4b20b04ec1c7f2d065ebb91bce0da22c9bf0c587db6c43477131813f2bfddcfe60c308b15b35cad9c42cb9cf5993f938b0bc7bec103ded8993c0cdae73c

Filesize: 108KB (same size as the submitted sample, but a different hash)
MD5: fb8803ebbcb89432d7110399172adfe0
SHA1: 3bfd4700c6125fbb7f7c511fbe3db1fa387aeae9
SHA256: 6b5aec3bdb1ae6b87be32dd6b275a85e74e074a05e9458570a22cee0414f4130
SHA512: 1c68efbd8117b493bb1ad98bf7bec81599887980520cbe60df4bdc6f5f60d004618cb4da4a07078edb3e7a3e3fe83d15e6c94f7a3637fc5e41346c1cb9964be7

Filesize: 1KB
MD5: 2b9b2e4e273cd2ae85623ba078db61c4
SHA1: a9900d1d2709d3454ee1af4f9ef68157a98895bc
SHA256: 39d734bc8403cd375e058d631376321633fab03936f3dcb7ac8bf86097219dfb
SHA512: 6239758615caefdde66e5e8ff5a8550c629f0ab8c13093aa4ac7b49f166df25eaf2b71dae2226ac94f718baacdba357a09e648ecb50114df246fc44aeb61fbce