351eff0f25043d5dec4b7fc4cad03cfbd1a622d29c2a72395953c87f02d6b26c

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
11/03/2024, 10:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c063fc6d177f79ead4366c80200c4eda.exe
Size

280KB
MD5

c063fc6d177f79ead4366c80200c4eda
SHA1

43b1daab2da2a51ca23326f5e39dd16a939cd9b0
SHA256

351eff0f25043d5dec4b7fc4cad03cfbd1a622d29c2a72395953c87f02d6b26c
SHA512

e91c88d69f7ccd33cf05ca1ce31cb207f91d477d25b93b9717ed2ba86125406eaabad39162745593a47a9cfd0071f0c6b4d670c2d9b32fda1978a761eba3ef54
SSDEEP

6144:KIYIpydVsZyxyK5R8GYKi1Xfvs1tzH51t+ewSReXNc/W:6uydfiebOiW

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	c063fc6d177f79ead4366c80200c4eda.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	luogaos.exe

Executes dropped EXE 1 IoCs

pid	Process
2988	luogaos.exe

Loads dropped DLL 2 IoCs

pid	Process
1600	c063fc6d177f79ead4366c80200c4eda.exe
1600	c063fc6d177f79ead4366c80200c4eda.exe

Adds Run key to start application 2 TTPs 53 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /l"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /T"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /h"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /k"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /I"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /F"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /Q"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /K"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /J"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /t"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /q"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /c"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /a"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /p"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /f"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /M"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /d"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /L"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /P"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /G"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /m"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /X"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /i"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /C"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /w"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /n"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /Z"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /A"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /W"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /O"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /v"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /N"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /e"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /D"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /V"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /H"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /z"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /g"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /S"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /s"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /y"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /x"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /U"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /j"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /B"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /b"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /r"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /Y"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /w"	c063fc6d177f79ead4366c80200c4eda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /R"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /o"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /u"	luogaos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\luogaos = "C:\\Users\\Admin\\luogaos.exe /E"	luogaos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1600	c063fc6d177f79ead4366c80200c4eda.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe
2988	luogaos.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1600	c063fc6d177f79ead4366c80200c4eda.exe
2988	luogaos.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 2988	1600	c063fc6d177f79ead4366c80200c4eda.exe	28
PID 1600 wrote to memory of 2988	1600	c063fc6d177f79ead4366c80200c4eda.exe	28
PID 1600 wrote to memory of 2988	1600	c063fc6d177f79ead4366c80200c4eda.exe	28
PID 1600 wrote to memory of 2988	1600	c063fc6d177f79ead4366c80200c4eda.exe	28

C:\Users\Admin\AppData\Local\Temp\c063fc6d177f79ead4366c80200c4eda.exe
"C:\Users\Admin\AppData\Local\Temp\c063fc6d177f79ead4366c80200c4eda.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Users\Admin\luogaos.exe
  "C:\Users\Admin\luogaos.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\luogaos.exe

Filesize
280KB

MD5
c79efdd8a7c8f3ab44d5546adfa136de

SHA1
c7e70ebf92d5e7827e908e99c99ada4a1024f02a

SHA256
6944823abd7883570179461f1c3e929d8fa9c51e5d1640faa8e82c0497de0279

SHA512
ee571291c2ef13c9a20ecabbdf4720f379aa5974d74f783dd9f0a30067ed229b6618f40dce30198fb3339c2a95e535e5ccf327a5e00b6ec5d24a27c5b4cede65

Download Submit