e522a381dec8f166ed5c1f5817b21ddc76518f73b1da5a94324959ae7c283ce4

Analysis

max time kernel
448s
max time network
455s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
27-05-2024 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LEAP.exe
Size

104.7MB
MD5

2dce21796448469c197f383d0d9622ae
SHA1

4b33c8b801af1ee98ee5c1c470735734c961df5a
SHA256

b81ceb8bc593977311384ed03ad194bf392b25c640e47656cb99b12f5e162b29
SHA512

3d230747263459b9c0c9a6cb4dfadfd0bc4f47a002a483478af31815055bc05a8a27b2e1bdf8ee4c6dc28a6899f1f443b445757adc7eb2510a0f65fd97757312
SSDEEP

1572864:UKqxYPeXS8KTM9GUvTkbVn/HEuLyywaom8Wbw9vIqprmCOj6hXGX5WAtF4Kalz9C:HCnCREuLyywaoZ9EOrGpvT6rw

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 3 IoCs

Processes:

LEAP.exe

pid process

3084 LEAP.exe
3084 LEAP.exe
3084 LEAP.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

LEAP.exeLEAP.exeLEAP.exeLEAP.exe

pid process

3496 LEAP.exe
3496 LEAP.exe
3084 LEAP.exe
3084 LEAP.exe
4568 LEAP.exe
4568 LEAP.exe
1416 LEAP.exe
1416 LEAP.exe
1416 LEAP.exe
1416 LEAP.exe
Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

LEAP.exe

pid process

2124 LEAP.exe
2124 LEAP.exe
2124 LEAP.exe
2124 LEAP.exe
2124 LEAP.exe
2124 LEAP.exe
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

LEAP.exe

pid process

2124 LEAP.exe
2124 LEAP.exe
2124 LEAP.exe
2124 LEAP.exe
2124 LEAP.exe

pid	process
3084	LEAP.exe
3084	LEAP.exe
3084	LEAP.exe

pid	process
3496	LEAP.exe
3496	LEAP.exe
3084	LEAP.exe
3084	LEAP.exe
4568	LEAP.exe
4568	LEAP.exe
1416	LEAP.exe
1416	LEAP.exe
1416	LEAP.exe
1416	LEAP.exe

pid	process
2124	LEAP.exe
2124	LEAP.exe
2124	LEAP.exe
2124	LEAP.exe
2124	LEAP.exe
2124	LEAP.exe

pid	process
2124	LEAP.exe
2124	LEAP.exe
2124	LEAP.exe
2124	LEAP.exe
2124	LEAP.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

LEAP.exe

description	pid	process	target process
PID 2124 wrote to memory of 3824	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 3824	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 3824	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 3824	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 3824	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 3824	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 3824	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 3824	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 3824	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 3824	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 3824	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 3824	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 3824	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 3824	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 3824	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 3824	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 3824	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 3824	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 3824	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 3824	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 3824	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 3824	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 3824	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 3824	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 3824	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 3824	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 3824	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 3824	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 3824	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 3824	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 3824	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 3824	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 3824	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 3824	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 3824	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 3824	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 3824	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 3824	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 3824	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 3824	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 3824	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 3496	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 3496	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 3496	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 3084	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 3084	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 3084	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 4568	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 4568	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 4568	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 1416	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 1416	2124	LEAP.exe	LEAP.exe
PID 2124 wrote to memory of 1416	2124	LEAP.exe	LEAP.exe

C:\Users\Admin\AppData\Local\Temp\LEAP.exe
"C:\Users\Admin\AppData\Local\Temp\LEAP.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2124

C:\Users\Admin\AppData\Local\Temp\LEAP.exe
"C:\Users\Admin\AppData\Local\Temp\LEAP.exe" --type=gpu-process --field-trial-handle=1524,6340357284832362548,14585646383806443261,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1512 /prefetch:2
2⤵
PID:3824

C:\Users\Admin\AppData\Local\Temp\LEAP.exe
"C:\Users\Admin\AppData\Local\Temp\LEAP.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1524,6340357284832362548,14585646383806443261,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --ignore-certificate-errors=true --ignore-certificate-errors=true --mojo-platform-channel-handle=2012 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3496

C:\Users\Admin\AppData\Local\Temp\LEAP.exe
"C:\Users\Admin\AppData\Local\Temp\LEAP.exe" --type=renderer --field-trial-handle=1524,6340357284832362548,14585646383806443261,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --node-integration --webview-tag --no-sandbox --no-zygote --background-color=#fff --enable-spellcheck --enable-websql --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2304 /prefetch:1
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3084

C:\Users\Admin\AppData\Local\Temp\LEAP.exe
"C:\Users\Admin\AppData\Local\Temp\LEAP.exe" --type=renderer --field-trial-handle=1524,6340357284832362548,14585646383806443261,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --context-isolation --background-color=#fff --enable-spellcheck --enable-websql --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2788 /prefetch:1
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4568

C:\Users\Admin\AppData\Local\Temp\LEAP.exe
"C:\Users\Admin\AppData\Local\Temp\LEAP.exe" --type=gpu-process --field-trial-handle=1524,6340357284832362548,14585646383806443261,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=2556 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1416

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1200

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\48ac6c72-abd7-4f17-b230-bc60ea2d0364.tmp.node

Filesize
108KB

MD5
00e6fd71e843dfdac99c272d7cf943f9

SHA1
eb58764f9fd4fac59364c6d28168f1a6a9fb61f4

SHA256
ff548a01175a62a88ccaabc37a1ff6359116bb93bef9b63665bd0733d26da17b

SHA512
55a7885eecf1791afc86263bff948a8db2e9e88bae619efe9562a9094df787784291ad2fff9bfda1c0641b920703979245d4ec852ff91dc316505770dda152ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\c09410d6-046e-49d9-beb1-c8d2f15f028e.tmp.node

Filesize
109KB

MD5
e926dc654fa1cf08643f5092d13dde0b

SHA1
29b83f237c823f0352dc78cb4a5117da3aaeca8d

SHA256
8aa72a48ec4bea9a034d3c33245ec9a15c738fbc917ba311d4b2e64a819045c3

SHA512
e1a57102acc948a7776b2c3b239d46c2b9b7b73b73901f59ba60b1de0185decd910c001f4b7899ab99791199bdbf723e2199e3a060c380464fedd69ca18ba8bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\d324829e-b0da-478c-a078-23057ecd6eaf.tmp.node

Filesize
78KB

MD5
9783cd971dba3fb022185ade7a3d45d8

SHA1
c1a997a470ed03fc6f0160110420671602d38ac2

SHA256
d03cd6da9edca9644050674a815d93a75c449f5d6972254846b331aa36bacb92

SHA512
7be98263fd79293279addf38630b1b85ae16cf4e0a9f55a7cb24a8445e1d788d96da112feb254d296454a9aff135821c774488755e515c460d7cbaab749cf494

Download Submit
C:\Users\Admin\AppData\Roaming\LEAP\Network Persistent State

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\LEAP\Network Persistent State

Filesize
186B

MD5
a5a4f1f4b2a5ce07898bd5b98eb0ce99

SHA1
7deecc11e0784fca89be7a1a9db1b96bc90cd28b

SHA256
72b3952aa66a75db842111dbad64e001a9be0e12b327c82f6311b849cba92256

SHA512
9c0eb9a776bccc94538d4aaec813ca3a760cdfe5d4e8442c659f14b01e21852bd93a052737cc472c6b4a73f51007401c7341b2fb4a05e19f7b4738b0398c78a7

Download Submit
C:\Users\Admin\AppData\Roaming\LEAP\Partitions\electron\Code Cache\js\index-dir\temp-index

Filesize
48B

MD5
131349b1b8f1b3a3bcb98f74489a84f3

SHA1
03208215eda93cc72bd70fdaaec2e23b2a13c93e

SHA256
0d2e14c1ab776c25e5388cc7e3bcc63ff37b02a65c33afc7f0a6494eae038a0d

SHA512
304f8947aa93141ced70d6efae273d33c62a3029a5113821f0c60efb20e9b23789c7429bbcc95bf6dcd55133258e84d85d417413ee147a92d16672715202d47a

Download Submit
C:\Users\Admin\AppData\Roaming\LEAP\Partitions\electron\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\LEAP\config.json

Filesize
25B

MD5
2c92fb2b56bf9875088c69166667d362

SHA1
783674a533acfa8be34fe399de6178ac080aec96

SHA256
73557824b6e1452084e3fffcb6bbe83c6c96913bd1d3af6f04f37229e8abf1ed

SHA512
769a7fb925c52247543fb3c7461d6a998c008641eee3f5431b0425ec58e85ed7491cf932fb1ca2b2920b6e70a989fb60519ab8d8b2d4ceff209b57978f604092

Download Submit
C:\Users\Admin\AppData\Roaming\LEAP\config.json.tmp-68120850771f4090

Filesize
44B

MD5
02d9a4c0c1d54714f19d243a34e6ac98

SHA1
f8f0da2d1e4b59e1725359118b6ab5937661cba5

SHA256
5a87c9aaceccc1ed769b56cf07e55a0fc8165e192e057f33cf349154324139fe

SHA512
646d536fb78e34bec05f8cd32112f98ea147b315e3d074a6181c12f857d86eb466adae8aec91520f204e7105017bf5e69bd51df186280ae6258fbc5ea9061e6e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit