Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240221-en -
resource tags
arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system -
submitted
25-02-2024 14:45
Static task
static1
Behavioral task
behavioral1
Sample
a40daeb3dd6687dae9b31900277a83d8.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
a40daeb3dd6687dae9b31900277a83d8.exe
Resource
win10v2004-20240221-en
General
-
Target
a40daeb3dd6687dae9b31900277a83d8.exe
-
Size
132KB
-
MD5
a40daeb3dd6687dae9b31900277a83d8
-
SHA1
7a821d797311f61b9f0ee9c50dd825f66d94d482
-
SHA256
c3c0bd7d23956c37c1251bc2304528c53ae0a147aa2112c3955590b959d3bf86
-
SHA512
472c62a065fb8f32e3eed066471b4346f24cb0c45f3e51bc4c2296db540b5080761f746f3fd55e3c54885ea7329d392d79fefebcbb6bb37d8cfc20c2a5787f84
-
SSDEEP
3072:qApHG6d+xspX7//GSeIlLXkskMvB00bsMyXeWLkf:qApHGaI+7//leIBXTkMZ00bsMyXeAk
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" a40daeb3dd6687dae9b31900277a83d8.exe Set value (int) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" lauof.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\Control Panel\International\Geo\Nation a40daeb3dd6687dae9b31900277a83d8.exe -
Executes dropped EXE 1 IoCs
pid Process 3744 lauof.exe -
Adds Run key to start application 2 TTPs 50 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /Q" lauof.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /Y" lauof.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /z" lauof.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /d" lauof.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /m" lauof.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /x" lauof.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /q" lauof.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /y" lauof.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /r" lauof.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /R" lauof.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /S" lauof.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /E" lauof.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /O" lauof.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /g" lauof.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /v" lauof.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /o" lauof.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /B" lauof.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /G" lauof.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /w" lauof.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /j" lauof.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /A" lauof.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /W" lauof.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /a" lauof.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /t" lauof.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /f" lauof.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /N" lauof.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /n" lauof.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /u" lauof.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /b" a40daeb3dd6687dae9b31900277a83d8.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /P" lauof.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /T" lauof.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /D" lauof.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /V" lauof.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /M" lauof.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /i" lauof.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /s" lauof.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /X" lauof.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /H" lauof.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /I" lauof.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /c" lauof.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /C" lauof.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /J" lauof.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /Z" lauof.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /l" lauof.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /h" lauof.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /F" lauof.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /K" lauof.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /e" lauof.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /L" lauof.exe Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lauof = "C:\\Users\\Admin\\lauof.exe /k" lauof.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2588 a40daeb3dd6687dae9b31900277a83d8.exe 2588 a40daeb3dd6687dae9b31900277a83d8.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe 3744 lauof.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2588 a40daeb3dd6687dae9b31900277a83d8.exe 3744 lauof.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2588 wrote to memory of 3744 2588 a40daeb3dd6687dae9b31900277a83d8.exe 94 PID 2588 wrote to memory of 3744 2588 a40daeb3dd6687dae9b31900277a83d8.exe 94 PID 2588 wrote to memory of 3744 2588 a40daeb3dd6687dae9b31900277a83d8.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\a40daeb3dd6687dae9b31900277a83d8.exe"C:\Users\Admin\AppData\Local\Temp\a40daeb3dd6687dae9b31900277a83d8.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Users\Admin\lauof.exe"C:\Users\Admin\lauof.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3744
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
132KB
MD5c73b06c7dde39956b831c82aa10be848
SHA1a1ee5a7b994f83bdbe0a6f24462432e092a33b17
SHA256ce0cd8eabcf302ab4dd2870e5f075013f88a9b2873e796ee62a77f959ba532a3
SHA512456a0aba96ad8a0092aa98964a8eb16269b4d2dd34e5db51e408792aa4106cd09f2262752064c327b781700ec4b92fbc7ca1c27bc87934db540a905d606b9415