88ac2ec14b670f9e47812f52253e4b65eff370ed41d2b404fc70c20420afa9ef

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 07:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88ac2ec14b670f9e47812f52253e4b65eff370ed41d2b404fc70c20420afa9ef.exe
Size

168KB
MD5

40955156bc45a17d077020a9961ec656
SHA1

552ff364983c4c8c71d80c71f38b2a5a2312b028
SHA256

88ac2ec14b670f9e47812f52253e4b65eff370ed41d2b404fc70c20420afa9ef
SHA512

979b587491dc87adc9ba0d493842816f3c32913ae5e63e8a7aa80cb8b13fe76dc6db3b1aa9574d438b11eb23ae8d93a74f5bcb78074b01d39ae52a81bf764600
SSDEEP

3072:DhGs8vgY7SIsyeTlo/11hJl2czGRqxZdxxW970/:DhGDvgYi/lS1NJG6/xB

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	88ac2ec14b670f9e47812f52253e4b65eff370ed41d2b404fc70c20420afa9ef.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lvdiog.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	88ac2ec14b670f9e47812f52253e4b65eff370ed41d2b404fc70c20420afa9ef.exe

Executes dropped EXE 1 IoCs

pid	Process
2836	lvdiog.exe

Adds Run key to start application 2 TTPs 51 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /u"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /S"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /K"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /p"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /l"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /A"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /q"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /L"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /v"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /W"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /b"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /C"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /H"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /M"	88ac2ec14b670f9e47812f52253e4b65eff370ed41d2b404fc70c20420afa9ef.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /x"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /Z"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /z"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /X"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /E"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /V"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /G"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /d"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /e"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /P"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /Q"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /y"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /k"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /N"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /m"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /B"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /n"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /g"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /M"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /s"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /o"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /a"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /h"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /J"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /U"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /j"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /T"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /c"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /D"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /I"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /R"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /Y"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /t"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /r"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /O"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /F"	lvdiog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvdiog = "C:\\Users\\Admin\\lvdiog.exe /i"	lvdiog.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3740	88ac2ec14b670f9e47812f52253e4b65eff370ed41d2b404fc70c20420afa9ef.exe
3740	88ac2ec14b670f9e47812f52253e4b65eff370ed41d2b404fc70c20420afa9ef.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe
2836	lvdiog.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3740	88ac2ec14b670f9e47812f52253e4b65eff370ed41d2b404fc70c20420afa9ef.exe
2836	lvdiog.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3740 wrote to memory of 2836	3740	88ac2ec14b670f9e47812f52253e4b65eff370ed41d2b404fc70c20420afa9ef.exe	98
PID 3740 wrote to memory of 2836	3740	88ac2ec14b670f9e47812f52253e4b65eff370ed41d2b404fc70c20420afa9ef.exe	98
PID 3740 wrote to memory of 2836	3740	88ac2ec14b670f9e47812f52253e4b65eff370ed41d2b404fc70c20420afa9ef.exe	98

C:\Users\Admin\AppData\Local\Temp\88ac2ec14b670f9e47812f52253e4b65eff370ed41d2b404fc70c20420afa9ef.exe
"C:\Users\Admin\AppData\Local\Temp\88ac2ec14b670f9e47812f52253e4b65eff370ed41d2b404fc70c20420afa9ef.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3740
- C:\Users\Admin\lvdiog.exe
  "C:\Users\Admin\lvdiog.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3096 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
1⤵
PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\lvdiog.exe

Filesize
168KB

MD5
1eb499475419e5ebe38f73813d7e52eb

SHA1
5a479531b0e3fc2a012f14e7f0f2390c3ccb7394

SHA256
bf9beec507d5b6e56f2601c0e595f7befd074e30af9baee0c14c70dc556c0d7b

SHA512
d69a0e6032a1e0d0a894d78b30e95e0d678a7742152e283538e234446003322d81626e98ea551012513e6ebeb1920b095a71e87e255e21fa49d72a91f854b3e4

Download Submit