5aaf93ceb670984d4e6e9c069d88de682b098e42c6fe6ce5ed48c0bcf3aada69

Analysis

max time kernel
120s
max time network
134s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
27/05/2024, 04:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LayetuFixed.exe
Size

152.7MB
MD5

ca69a17342334f059af9870f71e11d92
SHA1

0578b9de979115dc86a3240b971a02ae23ced048
SHA256

3315d6c9d1b61def96442441dcb5f85bb850423da0edbe58c8d82ccf375382d6
SHA512

e4933a0703a94690dfcf6ae5a212cefb1c1021b9584b10f82ca7437625b0b30f57e6ff08e9e7a47fb8f656b84a7ca92f56f47040e522a4f07f81599fe3157c3e
SSDEEP

1572864:qLBZB52nvuZ7wVuMbgR7Sp6kYdEctmhoLsPagBsgkx52HYhwj+vfIBUdoJnP9Dj0:qypCmJctBjj2+Jv

Score

7^/10

execution spyware stealer

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
220	LayetuFixed.exe
220	LayetuFixed.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ipinfo.io
3	ipinfo.io

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4952	powershell.exe
2136	powershell.exe
2928	powershell.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	LayetuFixed.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	LayetuFixed.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	LayetuFixed.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	LayetuFixed.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	LayetuFixed.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	LayetuFixed.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	LayetuFixed.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
656	tasklist.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
4952	powershell.exe
2136	powershell.exe
2928	powershell.exe
2928	powershell.exe
2136	powershell.exe
4952	powershell.exe
2772	LayetuFixed.exe
2772	LayetuFixed.exe
2928	powershell.exe
2136	powershell.exe
4952	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	220	LayetuFixed.exe
Token: SeCreatePagefilePrivilege	220	LayetuFixed.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	4952	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeShutdownPrivilege	220	LayetuFixed.exe
Token: SeCreatePagefilePrivilege	220	LayetuFixed.exe
Token: SeIncreaseQuotaPrivilege	2928	powershell.exe
Token: SeSecurityPrivilege	2928	powershell.exe
Token: SeTakeOwnershipPrivilege	2928	powershell.exe
Token: SeLoadDriverPrivilege	2928	powershell.exe
Token: SeSystemProfilePrivilege	2928	powershell.exe
Token: SeSystemtimePrivilege	2928	powershell.exe
Token: SeProfSingleProcessPrivilege	2928	powershell.exe
Token: SeIncBasePriorityPrivilege	2928	powershell.exe
Token: SeCreatePagefilePrivilege	2928	powershell.exe
Token: SeBackupPrivilege	2928	powershell.exe
Token: SeRestorePrivilege	2928	powershell.exe
Token: SeShutdownPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeSystemEnvironmentPrivilege	2928	powershell.exe
Token: SeRemoteShutdownPrivilege	2928	powershell.exe
Token: SeUndockPrivilege	2928	powershell.exe
Token: SeManageVolumePrivilege	2928	powershell.exe
Token: 33	2928	powershell.exe
Token: 34	2928	powershell.exe
Token: 35	2928	powershell.exe
Token: 36	2928	powershell.exe
Token: SeIncreaseQuotaPrivilege	4952	powershell.exe
Token: SeSecurityPrivilege	4952	powershell.exe
Token: SeTakeOwnershipPrivilege	4952	powershell.exe
Token: SeLoadDriverPrivilege	4952	powershell.exe
Token: SeSystemProfilePrivilege	4952	powershell.exe
Token: SeSystemtimePrivilege	4952	powershell.exe
Token: SeProfSingleProcessPrivilege	4952	powershell.exe
Token: SeIncBasePriorityPrivilege	4952	powershell.exe
Token: SeCreatePagefilePrivilege	4952	powershell.exe
Token: SeBackupPrivilege	4952	powershell.exe
Token: SeRestorePrivilege	4952	powershell.exe
Token: SeShutdownPrivilege	4952	powershell.exe
Token: SeDebugPrivilege	4952	powershell.exe
Token: SeSystemEnvironmentPrivilege	4952	powershell.exe
Token: SeRemoteShutdownPrivilege	4952	powershell.exe
Token: SeUndockPrivilege	4952	powershell.exe
Token: SeManageVolumePrivilege	4952	powershell.exe
Token: 33	4952	powershell.exe
Token: 34	4952	powershell.exe
Token: 35	4952	powershell.exe
Token: 36	4952	powershell.exe
Token: SeShutdownPrivilege	220	LayetuFixed.exe
Token: SeCreatePagefilePrivilege	220	LayetuFixed.exe
Token: SeShutdownPrivilege	220	LayetuFixed.exe
Token: SeCreatePagefilePrivilege	220	LayetuFixed.exe
Token: SeDebugPrivilege	656	tasklist.exe
Token: SeShutdownPrivilege	220	LayetuFixed.exe
Token: SeCreatePagefilePrivilege	220	LayetuFixed.exe
Token: SeShutdownPrivilege	220	LayetuFixed.exe
Token: SeCreatePagefilePrivilege	220	LayetuFixed.exe
Token: SeShutdownPrivilege	220	LayetuFixed.exe
Token: SeCreatePagefilePrivilege	220	LayetuFixed.exe
Token: SeShutdownPrivilege	220	LayetuFixed.exe
Token: SeCreatePagefilePrivilege	220	LayetuFixed.exe
Token: SeShutdownPrivilege	220	LayetuFixed.exe
Token: SeCreatePagefilePrivilege	220	LayetuFixed.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 4540	220	LayetuFixed.exe	75
PID 220 wrote to memory of 4540	220	LayetuFixed.exe	75
PID 4540 wrote to memory of 3284	4540	cmd.exe	77
PID 4540 wrote to memory of 3284	4540	cmd.exe	77
PID 220 wrote to memory of 4388	220	LayetuFixed.exe	78
PID 220 wrote to memory of 4388	220	LayetuFixed.exe	78
PID 4388 wrote to memory of 3360	4388	cmd.exe	80
PID 4388 wrote to memory of 3360	4388	cmd.exe	80
PID 220 wrote to memory of 3804	220	LayetuFixed.exe	81
PID 220 wrote to memory of 3804	220	LayetuFixed.exe	81
PID 220 wrote to memory of 4952	220	LayetuFixed.exe	83
PID 220 wrote to memory of 4952	220	LayetuFixed.exe	83
PID 220 wrote to memory of 2928	220	LayetuFixed.exe	84
PID 220 wrote to memory of 2928	220	LayetuFixed.exe	84
PID 220 wrote to memory of 2136	220	LayetuFixed.exe	85
PID 220 wrote to memory of 2136	220	LayetuFixed.exe	85
PID 220 wrote to memory of 4256	220	LayetuFixed.exe	89
PID 220 wrote to memory of 4256	220	LayetuFixed.exe	89
PID 220 wrote to memory of 4256	220	LayetuFixed.exe	89
PID 220 wrote to memory of 4256	220	LayetuFixed.exe	89
PID 220 wrote to memory of 4256	220	LayetuFixed.exe	89
PID 220 wrote to memory of 4256	220	LayetuFixed.exe	89
PID 220 wrote to memory of 4256	220	LayetuFixed.exe	89
PID 220 wrote to memory of 4256	220	LayetuFixed.exe	89
PID 220 wrote to memory of 4256	220	LayetuFixed.exe	89
PID 220 wrote to memory of 4256	220	LayetuFixed.exe	89
PID 220 wrote to memory of 4256	220	LayetuFixed.exe	89
PID 220 wrote to memory of 4256	220	LayetuFixed.exe	89
PID 220 wrote to memory of 4256	220	LayetuFixed.exe	89
PID 220 wrote to memory of 4256	220	LayetuFixed.exe	89
PID 220 wrote to memory of 4256	220	LayetuFixed.exe	89
PID 220 wrote to memory of 4256	220	LayetuFixed.exe	89
PID 220 wrote to memory of 4256	220	LayetuFixed.exe	89
PID 220 wrote to memory of 4256	220	LayetuFixed.exe	89
PID 220 wrote to memory of 4256	220	LayetuFixed.exe	89
PID 220 wrote to memory of 4256	220	LayetuFixed.exe	89
PID 220 wrote to memory of 4256	220	LayetuFixed.exe	89
PID 220 wrote to memory of 4256	220	LayetuFixed.exe	89
PID 220 wrote to memory of 4256	220	LayetuFixed.exe	89
PID 220 wrote to memory of 4256	220	LayetuFixed.exe	89
PID 220 wrote to memory of 4256	220	LayetuFixed.exe	89
PID 220 wrote to memory of 4256	220	LayetuFixed.exe	89
PID 220 wrote to memory of 4256	220	LayetuFixed.exe	89
PID 220 wrote to memory of 4256	220	LayetuFixed.exe	89
PID 220 wrote to memory of 4256	220	LayetuFixed.exe	89
PID 220 wrote to memory of 4256	220	LayetuFixed.exe	89
PID 220 wrote to memory of 4256	220	LayetuFixed.exe	89
PID 220 wrote to memory of 2772	220	LayetuFixed.exe	90
PID 220 wrote to memory of 2772	220	LayetuFixed.exe	90
PID 220 wrote to memory of 4900	220	LayetuFixed.exe	92
PID 220 wrote to memory of 4900	220	LayetuFixed.exe	92
PID 4900 wrote to memory of 3952	4900	cmd.exe	94
PID 4900 wrote to memory of 3952	4900	cmd.exe	94
PID 220 wrote to memory of 3992	220	LayetuFixed.exe	95
PID 220 wrote to memory of 3992	220	LayetuFixed.exe	95
PID 3992 wrote to memory of 4788	3992	cmd.exe	97
PID 3992 wrote to memory of 4788	3992	cmd.exe	97
PID 220 wrote to memory of 1188	220	LayetuFixed.exe	98
PID 220 wrote to memory of 1188	220	LayetuFixed.exe	98
PID 220 wrote to memory of 2132	220	LayetuFixed.exe	101
PID 220 wrote to memory of 2132	220	LayetuFixed.exe	101
PID 2132 wrote to memory of 4592	2132	cmd.exe	103
PID 2132 wrote to memory of 4592	2132	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\LayetuFixed.exe
"C:\Users\Admin\AppData\Local\Temp\LayetuFixed.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "chcp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4540
- - C:\Windows\system32\chcp.com
    chcp
    3⤵
    PID:3284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "mshta "javascript:new ActiveXObject('WScript.Shell').Popup('An unknown error happened when trying to extract Unity engine files. Contact this app developers or try again later.', 0, 'UNITY_ENGINE_ERROR', 16);close()""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4388
- - C:\Windows\system32\mshta.exe
    mshta "javascript:new ActiveXObject('WScript.Shell').Popup('An unknown error happened when trying to extract Unity engine files. Contact this app developers or try again later.', 0, 'UNITY_ENGINE_ERROR', 16);close()"
    3⤵
    PID:3360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"
  2⤵
  PID:3804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2136
- C:\Users\Admin\AppData\Local\Temp\LayetuFixed.exe
  "C:\Users\Admin\AppData\Local\Temp\LayetuFixed.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\LayetuFixed" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1808 --field-trial-handle=1812,i,8480906607993683325,9160004760859249656,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:4256
- C:\Users\Admin\AppData\Local\Temp\LayetuFixed.exe
  "C:\Users\Admin\AppData\Local\Temp\LayetuFixed.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\LayetuFixed" --mojo-platform-channel-handle=1976 --field-trial-handle=1812,i,8480906607993683325,9160004760859249656,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Windows\system32\findstr.exe
    findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"
    3⤵
    PID:3952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "where /r . *.sqlite"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3992
- - C:\Windows\system32\where.exe
    where /r . *.sqlite
    3⤵
    PID:4788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1188
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "where /r . cookies.sqlite"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\system32\where.exe
    where /r . cookies.sqlite
    3⤵
    PID:4592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
900713b658f108100bb7aa144134dbca

SHA1
7a05dd4d5cd03542c5187c8a3036f30b9d79daf0

SHA256
c59ad3c5b09e5adab5c6d20e70fc87edce830a1e696ea2b49b51fe99ae084da8

SHA512
85a5b109a01035e1ac4dec839f6b84bd6a141c6938e51f78915748a9a593b011367f1d8c7c72060a986f993ca3206fde30929b18be8d51d60cc1525a73613f8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
80ef418749393790b80930b9d1b1ed38

SHA1
baae03cf53c24cb4b4e16618f69dd770e75b17f5

SHA256
a9116390b696f61a4e6fb4887cc9e1cd896c2dbdc92693d247ccaa3ee590cfbb

SHA512
935c42409d95d6e35082cdad292e85d938988c5957e05b81c7473ce7b149457b3d47047c1eeba985d4b1f87b240cdb426537989d4dbf2621143c2090df2abcd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jsk4ak3k.tto.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\Users\Admin\AppData\Local\Temp\2d30fa9b-8f63-42ef-838e-d8bcbec643a1.tmp.node

Filesize
131KB

MD5
6e6099c2f4d4de15433e0dbcd349119d

SHA1
9fd012e75761793fc2fc23070d01d9720e8dc4c5

SHA256
736dc58a84d1c80820f919f3300c8ef17f2cdabb13eeb6e4c5b4eec20b4f5aa5

SHA512
8b09508bd24cf1d0c9c1f7873426cb583abd354833ec2c90faefc6b212c239b87e178cd40349706c9e4d8fce09e83f9def6d285f8848e8d0c5057fb4388f9ee3

Download Submit
\Users\Admin\AppData\Local\Temp\deeae670-7b3e-402b-bd1a-e6d5f0b28f6e.tmp.node

Filesize
1.8MB

MD5
49cfd5c64849f5f0d83992136571fb22

SHA1
ffc3272232f63c6bf20960de2edef97bfe8717ca

SHA256
3a962d74ad8f54332c261d2a337881746ef9f6fe4c3675252ab11ae29a2b51fc

SHA512
931c9fe564d943f51888238cc67e723d168da14a35bb4b13917d5e9f71276650f5774d0d430ba67dbc3e738634d1090b52c8f4e9a451321767c0ab1dcf1fa95e

Download Submit
memory/2136-34-0x00000220735F0000-0x0000022073612000-memory.dmp

Filesize
136KB

Download
memory/2136-88-0x0000022073550000-0x000002207358C000-memory.dmp

Filesize
240KB

Download
memory/2928-149-0x000001EC718A0000-0x000001EC71916000-memory.dmp

Filesize
472KB

Download
memory/2928-378-0x000001EC715C0000-0x000001EC715E2000-memory.dmp

Filesize
136KB

Download
memory/2928-349-0x000001EC715C0000-0x000001EC715EA000-memory.dmp

Filesize
168KB

Download