Overview

Task tabs (score badge, tab label as displayed, platform), listed in the same order as the static and behavioral tasks under Analysis:

Score  Tab label              Platform
7      Static                 -
3      LayetuFixed.exe        windows10-1703-x64
7      $PLUGINSDI...er.dll    windows10-1703-x64
1      $PLUGINSDI...ls.dll    windows10-1703-x64
3      $PLUGINSDI...em.dll    windows10-1703-x64
3      $PLUGINSDI...ll.dll    windows10-1703-x64
3      LICENSES.c...m.html    windows10-1703-x64
1      LayetuFixed.exe        windows10-1703-x64
7      d3dcompiler_47.dll     windows10-1703-x64
1      ffmpeg.dll             windows10-1703-x64
1      libEGL.dll             windows10-1703-x64
1      libGLESv2.dll          windows10-1703-x64
1      locales/af.ps1         windows10-1703-x64
3      locales/uk.ps1         windows10-1703-x64
3      resources/elevate.exe  windows10-1703-x64
1      vk_swiftshader.dll     windows10-1703-x64
1      vulkan-1.dll           windows10-1703-x64
1      $PLUGINSDI...ec.dll    windows10-1703-x64
3      $PLUGINSDI...7z.dll    windows10-1703-x64
3      $R0/Uninst...ed.exe    windows10-1703-x64
7      $PLUGINSDI...ls.dll    windows10-1703-x64
3      $PLUGINSDI...em.dll    windows10-1703-x64
3      $PLUGINSDI...ll.dll    windows10-1703-x64
3      $PLUGINSDI...ec.dll    windows10-1703-x64
Analysis

max time kernel:   120s
max time network:  134s
platform:          windows10-1703_x64
resource:          win10-20240404-en
resource tags:     arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted:         27/05/2024, 04:22
Tasks

Task          Sample                          Resource
static1       -                               -
behavioral1   LayetuFixed.exe                 win10-20240404-en
behavioral2   $PLUGINSDIR/SpiderBanner.dll    win10-20240404-en
behavioral3   $PLUGINSDIR/StdUtils.dll        win10-20240404-en
behavioral4   $PLUGINSDIR/System.dll          win10-20240404-en
behavioral5   $PLUGINSDIR/WinShell.dll        win10-20240404-en
behavioral6   LICENSES.chromium.html          win10-20240404-en
behavioral7   LayetuFixed.exe                 win10-20240404-en
behavioral8   d3dcompiler_47.dll              win10-20240404-en
behavioral9   ffmpeg.dll                      win10-20240404-en
behavioral10  libEGL.dll                      win10-20240404-en
behavioral11  libGLESv2.dll                   win10-20240404-en
behavioral12  locales/af.ps1                  win10-20240404-en
behavioral13  locales/uk.ps1                  win10-20240404-en
behavioral14  resources/elevate.exe           win10-20240404-en
behavioral15  vk_swiftshader.dll              win10-20240404-en
behavioral16  vulkan-1.dll                    win10-20240404-en
behavioral17  $PLUGINSDIR/nsExec.dll          win10-20240404-en
behavioral18  $PLUGINSDIR/nsis7z.dll          win10-20240404-en
behavioral19  $R0/Uninstall LayetuFixed.exe   win10-20240404-en
behavioral20  $PLUGINSDIR/StdUtils.dll        win10-20240404-en
behavioral21  $PLUGINSDIR/System.dll          win10-20240404-en
behavioral22  $PLUGINSDIR/WinShell.dll        win10-20240404-en
behavioral23  $PLUGINSDIR/nsExec.dll          win10-20240404-en
General

Target:  LayetuFixed.exe
Size:    152.7MB
MD5:     ca69a17342334f059af9870f71e11d92
SHA1:    0578b9de979115dc86a3240b971a02ae23ced048
SHA256:  3315d6c9d1b61def96442441dcb5f85bb850423da0edbe58c8d82ccf375382d6
SHA512:  e4933a0703a94690dfcf6ae5a212cefb1c1021b9584b10f82ca7437625b0b30f57e6ff08e9e7a47fb8f656b84a7ca92f56f47040e522a4f07f81599fe3157c3e
SSDEEP:  1572864:qLBZB52nvuZ7wVuMbgR7Sp6kYdEctmhoLsPagBsgkx52HYhwj+vfIBUdoJnP9Dj0:qypCmJctBjj2+Jv
Malware Config

Signatures

Loads dropped DLL (2 IoCs)
  pid   Process
  220   LayetuFixed.exe
  220   LayetuFixed.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  2     ipinfo.io
  3     ipinfo.io
  pid   Process
  4952  powershell.exe
  2136  powershell.exe
  2928  powershell.exe
Checks processor information in registry (2 TTPs, 7 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                        Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1           LayetuFixed.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz      LayetuFixed.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString  LayetuFixed.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2           LayetuFixed.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0           LayetuFixed.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz      LayetuFixed.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  LayetuFixed.exe
  Caveat: this sample is Electron-packaged (bundled ffmpeg.dll, libEGL.dll, libGLESv2.dll, vk_swiftshader.dll, LICENSES.chromium.html and the --type=gpu-process child are the standard Electron distribution), and Node's os.cpus(), implemented by libuv's uv_cpu_info, opens HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\<n> and reads exactly ~MHz and ProcessorNameString. For an Electron application these reads are baseline behaviour; they are evidence of sandbox evasion only if the returned values are then used to gate execution, which this report does not show.
Enumerates processes with tasklist (1 TTPs, 1 IoCs)
  pid   Process
  656   tasklist.exe

Suspicious behavior: EnumeratesProcesses (11 IoCs)
  pid   Process
  4952  powershell.exe
  2136  powershell.exe
  2928  powershell.exe
  2928  powershell.exe
  2136  powershell.exe
  4952  powershell.exe
  2772  LayetuFixed.exe
  2772  LayetuFixed.exe
  2928  powershell.exe
  2136  powershell.exe
  4952  powershell.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  The 64 rows grouped by process, in order of first appearance (row counts are from the original table):

  pid 220 LayetuFixed.exe:  SeShutdownPrivilege followed by SeCreatePagefilePrivilege, enabled as a pair 9 times over the run (18 rows)
  pid 2136 powershell.exe:  SeDebugPrivilege (1 row)
  pid 4952 powershell.exe:  SeDebugPrivilege (1 row), later the 21-privilege batch SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (21 rows)
  pid 2928 powershell.exe:  SeDebugPrivilege (1 row), then the same 21-privilege batch as 4952 (21 rows; 2928's batch precedes 4952's in the table)
  pid 656 tasklist.exe:     SeDebugPrivilege (1 row)

  The unnamed entries 33 to 36 are privilege LUIDs the sandbox did not resolve: 33 = SeIncreaseWorkingSetPrivilege, 34 = SeTimeZonePrivilege, 35 = SeCreateSymbolicLinkPrivilege, 36 = SeDelegateSessionUserImpersonatePrivilege. The 21-privilege batch is the pattern of a process enabling every privilege present in its token at once rather than requesting one specific privilege.
Suspicious use of WriteProcessMemory (63 IoCs)
  Each row in the original table reads "PID <source> wrote to memory of <target> <source> <Process> <target id>". Rows are collapsed here per source/target pair; "rows" is the number of original rows for that pair (16 pairs x 2 + 31 = 63).

  source pid  Process          target pid  target id  rows
  220         LayetuFixed.exe  4540        75         2
  4540        cmd.exe          3284        77         2
  220         LayetuFixed.exe  4388        78         2
  4388        cmd.exe          3360        80         2
  220         LayetuFixed.exe  3804        81         2
  220         LayetuFixed.exe  4952        83         2
  220         LayetuFixed.exe  2928        84         2
  220         LayetuFixed.exe  2136        85         2
  220         LayetuFixed.exe  4256        89         31
  220         LayetuFixed.exe  2772        90         2
  220         LayetuFixed.exe  4900        92         2
  4900        cmd.exe          3952        94         2
  220         LayetuFixed.exe  3992        95         2
  3992        cmd.exe          4788        97         2
  220         LayetuFixed.exe  1188        98         2
  220         LayetuFixed.exe  2132        101        2
  2132        cmd.exe          4592        103        2

  Target 4256 is the --type=gpu-process child and 2772 the network-service utility child shown in the process tree below; the 31 writes go to the GPU child.
Processes

C:\Users\Admin\AppData\Local\Temp\LayetuFixed.exe  (PID 220)
    command line: "C:\Users\Admin\AppData\Local\Temp\LayetuFixed.exe"
    signatures: Loads dropped DLL; Checks processor information in registry; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe  (PID 4540)
        command line: C:\Windows\system32\cmd.exe /d /s /c "chcp"
        signatures: Suspicious use of WriteProcessMemory

        C:\Windows\system32\chcp.com  (PID 3284)
            command line: chcp

    C:\Windows\system32\cmd.exe  (PID 4388)
        command line: C:\Windows\system32\cmd.exe /d /s /c "mshta "javascript:new ActiveXObject('WScript.Shell').Popup('An unknown error happened when trying to extract Unity engine files. Contact this app developers or try again later.', 0, 'UNITY_ENGINE_ERROR', 16);close()""
        signatures: Suspicious use of WriteProcessMemory

        C:\Windows\system32\mshta.exe  (PID 3360)
            command line: mshta "javascript:new ActiveXObject('WScript.Shell').Popup('An unknown error happened when trying to extract Unity engine files. Contact this app developers or try again later.', 0, 'UNITY_ENGINE_ERROR', 16);close()"

    C:\Windows\system32\cmd.exe  (PID 3804)
        command line: C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 4952)
        command line: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2928)
        command line: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2136)
        command line: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\LayetuFixed.exe  (PID 4256)
        command line: "C:\Users\Admin\AppData\Local\Temp\LayetuFixed.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\LayetuFixed" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1808 --field-trial-handle=1812,i,8480906607993683325,9160004760859249656,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

    C:\Users\Admin\AppData\Local\Temp\LayetuFixed.exe  (PID 2772)
        command line: "C:\Users\Admin\AppData\Local\Temp\LayetuFixed.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\LayetuFixed" --mojo-platform-channel-handle=1976 --field-trial-handle=1812,i,8480906607993683325,9160004760859249656,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
        signatures: Suspicious behavior: EnumeratesProcesses

    C:\Windows\system32\cmd.exe  (PID 4900)
        command line: C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""
        signatures: Suspicious use of WriteProcessMemory

        C:\Windows\system32\findstr.exe  (PID 3952)
            command line: findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"

    C:\Windows\system32\cmd.exe  (PID 3992)
        command line: C:\Windows\system32\cmd.exe /d /s /c "where /r . *.sqlite"
        signatures: Suspicious use of WriteProcessMemory

        C:\Windows\system32\where.exe  (PID 4788)
            command line: where /r . *.sqlite

    C:\Windows\system32\cmd.exe  (PID 1188)
        command line: C:\Windows\system32\cmd.exe /d /s /c "tasklist"

        C:\Windows\system32\tasklist.exe  (PID 656)
            command line: tasklist
            signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\cmd.exe  (PID 2132)
        command line: C:\Windows\system32\cmd.exe /d /s /c "where /r . cookies.sqlite"
        signatures: Suspicious use of WriteProcessMemory

        C:\Windows\system32\where.exe  (PID 4592)
            command line: where /r . cookies.sqlite
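The command chain in the process tree above, and the signatures it trips under Signatures (IP lookup from PowerShell, process enumeration, browser-data access), is what a detection engineer would want to match on rather than the Electron host's own child processes. The following is an added example, not code from the tria.ge report or from the sample: a small Python rule set run over constructed process-creation events that mirror the tree (same PIDs, images and command lines) plus one benign control chain. The event shape (pid, ppid, image, cmdline), the rule names, the list of wrapper shells to climb through and the threshold of three distinct techniques per originating process are all assumptions of the example.

```python
"""Detection rules for the command-line recon chain seen in this report.

Added example, not part of the tria.ge report or of the sample. EVENTS is
constructed to mirror the report's process tree; the field names pid/ppid/
image/cmdline are an assumption modelled on Sysmon Event ID 1 / Security 4688.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Rule name -> regex, evaluated over the lower-cased command line.
RULES = {
    # mshta handed a javascript: URI (used here for a decoy "Unity" error dialog)
    "mshta_javascript_uri": re.compile(r'mshta(?:\.exe)?\s+"?javascript:'),
    # "-Command -" makes PowerShell read the script from stdin: nothing to grep on the command line
    "powershell_stdin_script": re.compile(r"powershell(?:\.exe)?\b.*-command\s+-(?:\s|$)"),
    "powershell_unrestricted": re.compile(r"-executionpolicy\s+unrestricted"),
    # BIOS/UEFI boot-environment probe via the Windows setup log
    "boot_env_probe_setupact": re.compile(r"findstr.*detected boot environment.*setupact\.log"),
    # recursive hunt for browser SQLite stores (cookies.sqlite is Firefox's cookie DB)
    "browser_sqlite_hunt": re.compile(r"where\s+/r\s+.*(?:\*\.sqlite|cookies\.sqlite)"),
    "host_domain_fingerprint": re.compile(r"echo\s+%computername%\.%userdnsdomain%"),
    "tasklist_enum": re.compile(r"(?<!\w)tasklist(?:\.exe)?\b"),
}
SHELLS = {"cmd.exe", "powershell.exe"}          # wrappers to climb through
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(?:appdata|downloads)\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_hits(cmdline: str) -> set:
    """Names of every rule whose regex matches the command line."""
    low = cmdline.lower()
    return {name for name, rx in RULES.items() if rx.search(low)}


def originating_process(ev: ProcEvent, by_pid: dict) -> ProcEvent:
    """Start at the parent and climb through cmd.exe/powershell.exe wrappers to
    the non-shell process that started the chain (the Electron host here)."""
    cur = by_pid.get(ev.ppid, ev)
    while basename(cur.image) in SHELLS and cur.ppid in by_pid:
        cur = by_pid[cur.ppid]
    return cur


def detect(events, min_distinct: int = 3) -> list:
    """Attribute every rule hit to its originating process and alert when one
    origin accounts for at least `min_distinct` different techniques."""
    by_pid = {e.pid: e for e in events}
    per_origin = {}
    for ev in events:
        hits = rule_hits(ev.cmdline)
        if hits:
            origin = originating_process(ev, by_pid)
            per_origin.setdefault(origin.pid, set()).update(hits)
    alerts = []
    for pid, names in sorted(per_origin.items()):
        if len(names) >= min_distinct:
            origin = by_pid[pid]
            alerts.append({
                "pid": pid,
                "image": origin.image,
                "user_writable_path": bool(USER_WRITABLE.search(origin.image)),
                "techniques": sorted(names),
            })
    return alerts


# Constructed sample telemetry mirroring the report's process tree.
T = r"C:\Users\Admin\AppData\Local\Temp\LayetuFixed.exe"
CMD = r"C:\Windows\system32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSHTA_JS = ("javascript:new ActiveXObject('WScript.Shell').Popup('An unknown error happened "
            "when trying to extract Unity engine files. Contact this app developers or try again "
            "later.', 0, 'UNITY_ENGINE_ERROR', 16);close()")
EVENTS = [
    ProcEvent(220, 1, T, f'"{T}"'),
    ProcEvent(4540, 220, CMD, f'{CMD} /d /s /c "chcp"'),
    ProcEvent(3284, 4540, r"C:\Windows\system32\chcp.com", "chcp"),
    ProcEvent(4388, 220, CMD, f'{CMD} /d /s /c "mshta "{MSHTA_JS}""'),
    ProcEvent(3360, 4388, r"C:\Windows\system32\mshta.exe", f'mshta "{MSHTA_JS}"'),
    ProcEvent(3804, 220, CMD, f'{CMD} /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"'),
    ProcEvent(4952, 220, PS, "powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit "
                             "-ExecutionPolicy Unrestricted -Command -"),
    ProcEvent(4900, 220, CMD, f'{CMD} /d /s /c "findstr /C:"Detected boot environment" '
                              '"%windir%\\Panther\\setupact.log""'),
    ProcEvent(3992, 220, CMD, f'{CMD} /d /s /c "where /r . *.sqlite"'),
    ProcEvent(1188, 220, CMD, f'{CMD} /d /s /c "tasklist"'),
    ProcEvent(656, 1188, r"C:\Windows\system32\tasklist.exe", "tasklist"),
    ProcEvent(2132, 220, CMD, f'{CMD} /d /s /c "where /r . cookies.sqlite"'),
    # benign control: an operator running tasklist from an interactive shell
    ProcEvent(9001, 9000, CMD, "cmd.exe"),
    ProcEvent(9002, 9001, r"C:\Windows\system32\tasklist.exe", "tasklist"),
]

if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"pid {a['pid']} {a['image']} (user-writable path: {a['user_writable_path']})")
        for t in a["techniques"]:
            print("  -", t)
```

Run against the constructed events, only PID 220 alerts (seven distinct techniques, image under the user's AppData); the control chain scores a single tasklist hit and stays quiet, which is why the example aggregates per non-shell ancestor instead of alerting on each command. Two of the rules encode caveats worth keeping in mind when reading this report: `-Command -` means the PowerShell script body never appears on the command line and is only recoverable from Script Block Logging (PowerShell Operational log, Event ID 4104) or from process memory, and `findstr "Detected boot environment" setupact.log` reads the setup log's record of whether Windows booted from BIOS or UEFI, a host-fingerprinting step that needs no elevated rights.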
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize  3KB
  MD5     900713b658f108100bb7aa144134dbca
  SHA1    7a05dd4d5cd03542c5187c8a3036f30b9d79daf0
  SHA256  c59ad3c5b09e5adab5c6d20e70fc87edce830a1e696ea2b49b51fe99ae084da8
  SHA512  85a5b109a01035e1ac4dec839f6b84bd6a141c6938e51f78915748a9a593b011367f1d8c7c72060a986f993ca3206fde30929b18be8d51d60cc1525a73613f8d

Filesize  2KB
  MD5     80ef418749393790b80930b9d1b1ed38
  SHA1    baae03cf53c24cb4b4e16618f69dd770e75b17f5
  SHA256  a9116390b696f61a4e6fb4887cc9e1cd896c2dbdc92693d247ccaa3ee590cfbb
  SHA512  935c42409d95d6e35082cdad292e85d938988c5957e05b81c7473ce7b149457b3d47047c1eeba985d4b1f87b240cdb426537989d4dbf2621143c2090df2abcd1

Filesize  1B
  MD5     c4ca4238a0b923820dcc509a6f75849b
  SHA1    356a192b7913b04c54574d18c28d46e6395428ab
  SHA256  6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512  4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
  These are the well-known digests of the single ASCII byte "1" (0x31), so this entry is a one-character file, not a payload.

Filesize  131KB
  MD5     6e6099c2f4d4de15433e0dbcd349119d
  SHA1    9fd012e75761793fc2fc23070d01d9720e8dc4c5
  SHA256  736dc58a84d1c80820f919f3300c8ef17f2cdabb13eeb6e4c5b4eec20b4f5aa5
  SHA512  8b09508bd24cf1d0c9c1f7873426cb583abd354833ec2c90faefc6b212c239b87e178cd40349706c9e4d8fce09e83f9def6d285f8848e8d0c5057fb4388f9ee3

Filesize  1.8MB
  MD5     49cfd5c64849f5f0d83992136571fb22
  SHA1    ffc3272232f63c6bf20960de2edef97bfe8717ca
  SHA256  3a962d74ad8f54332c261d2a337881746ef9f6fe4c3675252ab11ae29a2b51fc
  SHA512  931c9fe564d943f51888238cc67e723d168da14a35bb4b13917d5e9f71276650f5774d0d430ba67dbc3e738634d1090b52c8f4e9a451321767c0ab1dcf1fa95e