Analysis

  • max time kernel
    120s
  • max time network
    134s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    27/05/2024, 04:22

General

  • Target

    LayetuFixed.exe

  • Size

    152.7MB

  • MD5

    ca69a17342334f059af9870f71e11d92

  • SHA1

    0578b9de979115dc86a3240b971a02ae23ced048

  • SHA256

    3315d6c9d1b61def96442441dcb5f85bb850423da0edbe58c8d82ccf375382d6

  • SHA512

    e4933a0703a94690dfcf6ae5a212cefb1c1021b9584b10f82ca7437625b0b30f57e6ff08e9e7a47fb8f656b84a7ca92f56f47040e522a4f07f81599fe3157c3e

  • SSDEEP

    1572864:qLBZB52nvuZ7wVuMbgR7Sp6kYdEctmhoLsPagBsgkx52HYhwj+vfIBUdoJnP9Dj0:qypCmJctBjj2+Jv

Malware Config

Signatures

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

  • Checks processor information in registry 2 TTPs 7 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LayetuFixed.exe
    "C:\Users\Admin\AppData\Local\Temp\LayetuFixed.exe"
    1⤵
    • Loads dropped DLL
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:220
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "chcp"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4540
      • C:\Windows\system32\chcp.com
        chcp
        3⤵
        PID:3284
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "mshta "javascript:new ActiveXObject('WScript.Shell').Popup('An unknown error happened when trying to extract Unity engine files. Contact this app developers or try again later.', 0, 'UNITY_ENGINE_ERROR', 16);close()""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4388
      • C:\Windows\system32\mshta.exe
        mshta "javascript:new ActiveXObject('WScript.Shell').Popup('An unknown error happened when trying to extract Unity engine files. Contact this app developers or try again later.', 0, 'UNITY_ENGINE_ERROR', 16);close()"
        3⤵
        PID:3360
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"
      2⤵
      PID:3804
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4952
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2928
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2136
    • C:\Users\Admin\AppData\Local\Temp\LayetuFixed.exe
      "C:\Users\Admin\AppData\Local\Temp\LayetuFixed.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\LayetuFixed" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1808 --field-trial-handle=1812,i,8480906607993683325,9160004760859249656,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      2⤵
      PID:4256
    • C:\Users\Admin\AppData\Local\Temp\LayetuFixed.exe
      "C:\Users\Admin\AppData\Local\Temp\LayetuFixed.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\LayetuFixed" --mojo-platform-channel-handle=1976 --field-trial-handle=1812,i,8480906607993683325,9160004760859249656,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2772
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4900
      • C:\Windows\system32\findstr.exe
        findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"
        3⤵
        PID:3952
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "where /r . *.sqlite"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3992
      • C:\Windows\system32\where.exe
        where /r . *.sqlite
        3⤵
        PID:4788
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      2⤵
      PID:1188
      • C:\Windows\system32\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:656
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "where /r . cookies.sqlite"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2132
      • C:\Windows\system32\where.exe
        where /r . cookies.sqlite
        3⤵
        PID:4592

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    • Filesize
      3KB
    • MD5
      900713b658f108100bb7aa144134dbca
    • SHA1
      7a05dd4d5cd03542c5187c8a3036f30b9d79daf0
    • SHA256
      c59ad3c5b09e5adab5c6d20e70fc87edce830a1e696ea2b49b51fe99ae084da8
    • SHA512
      85a5b109a01035e1ac4dec839f6b84bd6a141c6938e51f78915748a9a593b011367f1d8c7c72060a986f993ca3206fde30929b18be8d51d60cc1525a73613f8d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
    • Filesize
      2KB
    • MD5
      80ef418749393790b80930b9d1b1ed38
    • SHA1
      baae03cf53c24cb4b4e16618f69dd770e75b17f5
    • SHA256
      a9116390b696f61a4e6fb4887cc9e1cd896c2dbdc92693d247ccaa3ee590cfbb
    • SHA512
      935c42409d95d6e35082cdad292e85d938988c5957e05b81c7473ce7b149457b3d47047c1eeba985d4b1f87b240cdb426537989d4dbf2621143c2090df2abcd1

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jsk4ak3k.tto.ps1
    • Filesize
      1B
    • MD5
      c4ca4238a0b923820dcc509a6f75849b
    • SHA1
      356a192b7913b04c54574d18c28d46e6395428ab
    • SHA256
      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
    • SHA512
      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

  • \Users\Admin\AppData\Local\Temp\2d30fa9b-8f63-42ef-838e-d8bcbec643a1.tmp.node
    • Filesize
      131KB
    • MD5
      6e6099c2f4d4de15433e0dbcd349119d
    • SHA1
      9fd012e75761793fc2fc23070d01d9720e8dc4c5
    • SHA256
      736dc58a84d1c80820f919f3300c8ef17f2cdabb13eeb6e4c5b4eec20b4f5aa5
    • SHA512
      8b09508bd24cf1d0c9c1f7873426cb583abd354833ec2c90faefc6b212c239b87e178cd40349706c9e4d8fce09e83f9def6d285f8848e8d0c5057fb4388f9ee3

  • \Users\Admin\AppData\Local\Temp\deeae670-7b3e-402b-bd1a-e6d5f0b28f6e.tmp.node
    • Filesize
      1.8MB
    • MD5
      49cfd5c64849f5f0d83992136571fb22
    • SHA1
      ffc3272232f63c6bf20960de2edef97bfe8717ca
    • SHA256
      3a962d74ad8f54332c261d2a337881746ef9f6fe4c3675252ab11ae29a2b51fc
    • SHA512
      931c9fe564d943f51888238cc67e723d168da14a35bb4b13917d5e9f71276650f5774d0d430ba67dbc3e738634d1090b52c8f4e9a451321767c0ab1dcf1fa95e

  • memory/2136-34-0x00000220735F0000-0x0000022073612000-memory.dmp
    • Filesize
      136KB

  • memory/2136-88-0x0000022073550000-0x000002207358C000-memory.dmp
    • Filesize
      240KB

  • memory/2928-149-0x000001EC718A0000-0x000001EC71916000-memory.dmp
    • Filesize
      472KB

  • memory/2928-378-0x000001EC715C0000-0x000001EC715E2000-memory.dmp
    • Filesize
      136KB

  • memory/2928-349-0x000001EC715C0000-0x000001EC715EA000-memory.dmp
    • Filesize
      168KB