Overview

Static (score 7)

Score  Sample                   Platform
7      LEAP Insta... 1.exe      windows11-21h2-x64
7      $PLUGINSDI...ls.dll      windows11-21h2-x64
3      $PLUGINSDI...em.dll      windows11-21h2-x64
3      $PLUGINSDIR/UAC.dll      windows11-21h2-x64
3      $PLUGINSDI...ll.dll      windows11-21h2-x64
3      LEAP.exe                 windows11-21h2-x64
7      LICENSES.c...m.html      windows11-21h2-x64
6      d3dcompiler_47.dll       windows11-21h2-x64
3      ffmpeg.dll               windows11-21h2-x64
1      libEGL.dll               windows11-21h2-x64
1      libGLESv2.dll            windows11-21h2-x64
3      resources/...age.js      windows11-21h2-x64
3      resources/...ies.js      windows11-21h2-x64
3      resources/...ain.js      windows11-21h2-x64
3      resources/...at.vbs      windows11-21h2-x64
3      resources/...oad.js      windows11-21h2-x64
3      resources/elevate.exe    windows11-21h2-x64
1      resources/...url.py      windows11-21h2-x64
3      resources/...ey.dll      windows11-21h2-x64
1      resources/...ey.dll      windows11-21h2-x64
7      service/le...ce.exe      windows11-21h2-x64
1      service/nssm.exe         windows11-21h2-x64
1      service/run-leap.bat     windows11-21h2-x64
3      swiftshade...GL.dll      windows11-21h2-x64
1      swiftshade...v2.dll      windows11-21h2-x64
1      vk_swiftshader.dll       windows11-21h2-x64
3      vulkan-1.dll             windows11-21h2-x64
3      $PLUGINSDI...gs.dll      windows11-21h2-x64
3      $PLUGINSDI...ec.dll      windows11-21h2-x64
3      $PLUGINSDI...ss.dll      windows11-21h2-x64
3      $PLUGINSDI...7z.dll      windows11-21h2-x64
3      Uninstall LEAP.exe       windows11-21h2-x64
Analysis (score 7)

max time kernel: 448s
max time network: 455s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 27-05-2024 12:02
Behavioral tasks

Task          Sample                                                                               Resource
behavioral1   LEAP Installer-2.3.0 1.exe                                                           win11-20240508-en
behavioral2   $PLUGINSDIR/StdUtils.dll                                                             win11-20240508-en
behavioral3   $PLUGINSDIR/System.dll                                                               win11-20240426-en
behavioral4   $PLUGINSDIR/UAC.dll                                                                  win11-20240426-en
behavioral5   $PLUGINSDIR/WinShell.dll                                                             win11-20240426-en
behavioral6   LEAP.exe                                                                             win11-20240426-en
behavioral7   LICENSES.chromium.html                                                               win11-20240426-en
behavioral8   d3dcompiler_47.dll                                                                   win11-20240508-en
behavioral9   ffmpeg.dll                                                                           win11-20240419-en
behavioral10  libEGL.dll                                                                           win11-20240508-en
behavioral11  libGLESv2.dll                                                                        win11-20240508-en
behavioral12  resources/app.asar.unpacked/node_modules/active-win/Package.js                       win11-20240508-en
behavioral13  resources/app.asar.unpacked/node_modules/active-win/Sources/active-win/Utilities.js  win11-20240426-en
behavioral14  resources/app.asar.unpacked/node_modules/active-win/Sources/active-win/main.js       win11-20240426-en
behavioral15  resources/assets/vbsFile/launch_bat.vbs                                              win11-20240508-en
behavioral16  resources/assets/webview/preload.js                                                  win11-20240508-en
behavioral17  resources/elevate.exe                                                                win11-20240508-en
behavioral18  resources/platform/nix/get_url.py                                                    win11-20240426-en
behavioral19  resources/platform/win/ia32/AutoHotkey.dll                                           win11-20240426-en
behavioral20  resources/platform/win/x64/AutoHotkey.dll                                            win11-20240508-en
behavioral21  service/leap-service.exe                                                             win11-20240508-en
behavioral22  service/nssm.exe                                                                     win11-20240426-en
behavioral23  service/run-leap.bat                                                                 win11-20240508-en
behavioral24  swiftshader/libEGL.dll                                                               win11-20240508-en
behavioral25  swiftshader/libGLESv2.dll                                                            win11-20240419-en
behavioral26  vk_swiftshader.dll                                                                   win11-20240426-en
behavioral27  vulkan-1.dll                                                                         win11-20240426-en
behavioral28  $PLUGINSDIR/nsDialogs.dll                                                            win11-20240508-en
behavioral29  $PLUGINSDIR/nsExec.dll                                                               win11-20240426-en
behavioral30  $PLUGINSDIR/nsProcess.dll                                                            win11-20240508-en
behavioral31  $PLUGINSDIR/nsis7z.dll                                                               win11-20240508-en
behavioral32  Uninstall LEAP.exe                                                                   win11-20240508-en
General

Target: LEAP.exe
Size: 104.7MB
MD5: 2dce21796448469c197f383d0d9622ae
SHA1: 4b33c8b801af1ee98ee5c1c470735734c961df5a
SHA256: b81ceb8bc593977311384ed03ad194bf392b25c640e47656cb99b12f5e162b29
SHA512: 3d230747263459b9c0c9a6cb4dfadfd0bc4f47a002a483478af31815055bc05a8a27b2e1bdf8ee4c6dc28a6899f1f443b445757adc7eb2510a0f65fd97757312
SSDEEP: 1572864:UKqxYPeXS8KTM9GUvTkbVn/HEuLyywaom8Wbw9vIqprmCOj6hXGX5WAtF4Kalz9C:HCnCREuLyywaoZ9EOrGpvT6rw
Malware Config
Signatures
Loads dropped DLL (3 IoCs)
  pid   process   events
  3084  LEAP.exe  3

Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid   process   events
  3496  LEAP.exe  2
  3084  LEAP.exe  2
  4568  LEAP.exe  2
  1416  LEAP.exe  4

Suspicious use of FindShellTrayWindow (6 IoCs)
  pid   process   events
  2124  LEAP.exe  6

Suspicious use of SendNotifyMessage (5 IoCs)
  pid   process   events
  2124  LEAP.exe  5

Suspicious use of WriteProcessMemory (53 IoCs)
  description         pid   process   target pid  target process  events
  wrote to memory of  2124  LEAP.exe  3824        LEAP.exe        41
  wrote to memory of  2124  LEAP.exe  3496        LEAP.exe        3
  wrote to memory of  2124  LEAP.exe  3084        LEAP.exe        3
  wrote to memory of  2124  LEAP.exe  4568        LEAP.exe        3
  wrote to memory of  2124  LEAP.exe  1416        LEAP.exe        3
Processes

- C:\Users\Admin\AppData\Local\Temp\LEAP.exe (PID 2124, top level)
  Command line: "C:\Users\Admin\AppData\Local\Temp\LEAP.exe"
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Children of PID 2124:
  - LEAP.exe (PID 3824), --type=gpu-process
    Command line: "C:\Users\Admin\AppData\Local\Temp\LEAP.exe" --type=gpu-process --field-trial-handle=1524,6340357284832362548,14585646383806443261,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1512 /prefetch:2
  - LEAP.exe (PID 3496), --type=utility (network.mojom.NetworkService)
    Command line: "C:\Users\Admin\AppData\Local\Temp\LEAP.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1524,6340357284832362548,14585646383806443261,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --ignore-certificate-errors=true --ignore-certificate-errors=true --mojo-platform-channel-handle=2012 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - LEAP.exe (PID 3084), --type=renderer
    Command line: "C:\Users\Admin\AppData\Local\Temp\LEAP.exe" --type=renderer --field-trial-handle=1524,6340357284832362548,14585646383806443261,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --node-integration --webview-tag --no-sandbox --no-zygote --background-color=#fff --enable-spellcheck --enable-websql --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2304 /prefetch:1
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
  - LEAP.exe (PID 4568), --type=renderer
    Command line: "C:\Users\Admin\AppData\Local\Temp\LEAP.exe" --type=renderer --field-trial-handle=1524,6340357284832362548,14585646383806443261,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --context-isolation --background-color=#fff --enable-spellcheck --enable-websql --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2788 /prefetch:1
    - Suspicious behavior: EnumeratesProcesses
  - LEAP.exe (PID 1416), --type=gpu-process
    Command line: "C:\Users\Admin\AppData\Local\Temp\LEAP.exe" --type=gpu-process --field-trial-handle=1524,6340357284832362548,14585646383806443261,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=2556 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses

- C:\Windows\System32\CompPkgSrv.exe (PID 1200, top level)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
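Triage note and added example (not part of the sandbox report): the command lines above are ordinary Electron/Chromium child processes, but several switches remove boundaries a reviewer would otherwise assume are present. Renderer 3084 runs with --node-integration, --webview-tag and --no-sandbox and without --context-isolation, so any script injection into that window is Node-level code execution in an unsandboxed process; the NetworkService utility (3496) is started with --ignore-certificate-errors=true, twice, so TLS certificate validation is off for everything the app fetches; both renderers pass --no-v8-untrusted-code-mitigations and the second GPU process (1416) runs with --disable-gpu-sandbox. On the WriteProcessMemory signature: all 53 IoCs are parent 2124 writing into its own children, and the 41 writes into GPU process 3824, the only child launched without a sandbox-disabling switch, are consistent with Chromium's sandbox broker initialising a sandboxed target rather than injection into a foreign process (my interpretation; the report does not say this). The Python below is my own, not LEAP's, Chromium's or the sandbox's code: the process tree is constructed from the report with the opaque --field-trial-handle and --gpu-preferences values dropped, and the switch list and wording are my choices.

```python
"""Flag security-relevant Chromium/Electron switches in a sandbox process tree."""
import shlex

# Constructed from the process tree in this report (pid, parent pid, command line).
# The opaque --field-trial-handle and --gpu-preferences values are omitted.
TREE = [
    (2124, None, r'"C:\Users\Admin\AppData\Local\Temp\LEAP.exe"'),
    (3824, 2124, r'"C:\Users\Admin\AppData\Local\Temp\LEAP.exe" --type=gpu-process '
                 r'--mojo-platform-channel-handle=1512 /prefetch:2'),
    (3496, 2124, r'"C:\Users\Admin\AppData\Local\Temp\LEAP.exe" --type=utility '
                 r'--utility-sub-type=network.mojom.NetworkService --lang=en-US '
                 r'--service-sandbox-type=network --ignore-certificate-errors=true '
                 r'--ignore-certificate-errors=true --mojo-platform-channel-handle=2012 /prefetch:8'),
    (3084, 2124, r'"C:\Users\Admin\AppData\Local\Temp\LEAP.exe" --type=renderer --lang=en-US '
                 r'--app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" '
                 r'--node-integration --webview-tag --no-sandbox --no-zygote --background-color=#fff '
                 r'--enable-spellcheck --enable-websql --renderer-client-id=5 '
                 r'--no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2304 /prefetch:1'),
    (4568, 2124, r'"C:\Users\Admin\AppData\Local\Temp\LEAP.exe" --type=renderer --lang=en-US '
                 r'--app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" '
                 r'--no-sandbox --no-zygote --context-isolation --background-color=#fff '
                 r'--enable-spellcheck --enable-websql --renderer-client-id=7 '
                 r'--no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2788 /prefetch:1'),
    (1416, 2124, r'"C:\Users\Admin\AppData\Local\Temp\LEAP.exe" --type=gpu-process '
                 r'--disable-gpu-sandbox --use-gl=disabled --gpu-driver-version=10.0.22000.1 '
                 r'--mojo-platform-channel-handle=2556 /prefetch:2'),
]

# Switches that remove a Chromium/Electron security boundary (my selection and wording).
WEAKENING = {
    "--no-sandbox": "process runs outside the Chromium sandbox",
    "--disable-gpu-sandbox": "GPU process runs outside the sandbox",
    "--node-integration": "page scripts in this renderer can reach Node.js (require, child_process)",
    "--webview-tag": "<webview> guests allowed; each guest is another renderer to review",
    "--ignore-certificate-errors": "network service accepts invalid TLS certificates",
    "--no-v8-untrusted-code-mitigations": "V8 mitigations for untrusted code disabled",
}


def parse_switches(cmdline):
    """Map every --switch[=value] token to its value (None when bare) and count
    repeats. Non-POSIX splitting keeps Windows paths and quotes intact."""
    switches, repeats = {}, {}
    for tok in shlex.split(cmdline, posix=False):
        if not tok.startswith("--"):
            continue                      # program path, /prefetch:N, etc.
        name, _, value = tok.partition("=")
        switches[name] = value or None
        repeats[name] = repeats.get(name, 0) + 1
    return switches, repeats


def analyze(tree):
    """Return {pid: {"type", "parent", "findings"}} for every process in tree.
    A process without --type is the browser (main) process."""
    report = {}
    for pid, parent, cmdline in tree:
        sw, rep = parse_switches(cmdline)
        findings = []
        for name, why in WEAKENING.items():
            if name in sw:
                suffix = f" (repeated {rep[name]}x)" if rep[name] > 1 else ""
                findings.append(f"{name}: {why}{suffix}")
        # nodeIntegration without contextIsolation is the classic Electron
        # escalation: an XSS in that renderer becomes Node-level code execution.
        if "--node-integration" in sw and "--context-isolation" not in sw:
            findings.append("nodeIntegration enabled without contextIsolation")
        report[pid] = {"type": sw.get("--type") or "browser",
                       "parent": parent, "findings": findings}
    return report


def worst_first(report):
    """PIDs that have findings, most findings first."""
    flagged = [pid for pid, r in report.items() if r["findings"]]
    return sorted(flagged, key=lambda pid: -len(report[pid]["findings"]))


if __name__ == "__main__":
    rep = analyze(TREE)
    for pid in worst_first(rep):
        print(f"PID {pid} ({rep[pid]['type']}, parent {rep[pid]['parent']})")
        for finding in rep[pid]["findings"]:
            print("  !", finding)
```

Run as-is it prints the flagged PIDs worst first, with 3084 at the top. To use it on a real case, replace TREE with (pid, parent pid, command line) tuples taken from Sysmon event 1 or the sandbox's process export; the switch table is the part worth tuning per application.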
Network
MITRE ATT&CK Matrix
Downloads

- Filesize: 108KB
  MD5: 00e6fd71e843dfdac99c272d7cf943f9
  SHA1: eb58764f9fd4fac59364c6d28168f1a6a9fb61f4
  SHA256: ff548a01175a62a88ccaabc37a1ff6359116bb93bef9b63665bd0733d26da17b
  SHA512: 55a7885eecf1791afc86263bff948a8db2e9e88bae619efe9562a9094df787784291ad2fff9bfda1c0641b920703979245d4ec852ff91dc316505770dda152ec

- Filesize: 109KB
  MD5: e926dc654fa1cf08643f5092d13dde0b
  SHA1: 29b83f237c823f0352dc78cb4a5117da3aaeca8d
  SHA256: 8aa72a48ec4bea9a034d3c33245ec9a15c738fbc917ba311d4b2e64a819045c3
  SHA512: e1a57102acc948a7776b2c3b239d46c2b9b7b73b73901f59ba60b1de0185decd910c001f4b7899ab99791199bdbf723e2199e3a060c380464fedd69ca18ba8bb

- Filesize: 78KB
  MD5: 9783cd971dba3fb022185ade7a3d45d8
  SHA1: c1a997a470ed03fc6f0160110420671602d38ac2
  SHA256: d03cd6da9edca9644050674a815d93a75c449f5d6972254846b331aa36bacb92
  SHA512: 7be98263fd79293279addf38630b1b85ae16cf4e0a9f55a7cb24a8445e1d788d96da112feb254d296454a9aff135821c774488755e515c460d7cbaab749cf494

- Filesize: 59B
  MD5: 2800881c775077e1c4b6e06bf4676de4
  SHA1: 2873631068c8b3b9495638c865915be822442c8b
  SHA256: 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
  SHA512: e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

- Filesize: 186B
  MD5: a5a4f1f4b2a5ce07898bd5b98eb0ce99
  SHA1: 7deecc11e0784fca89be7a1a9db1b96bc90cd28b
  SHA256: 72b3952aa66a75db842111dbad64e001a9be0e12b327c82f6311b849cba92256
  SHA512: 9c0eb9a776bccc94538d4aaec813ca3a760cdfe5d4e8442c659f14b01e21852bd93a052737cc472c6b4a73f51007401c7341b2fb4a05e19f7b4738b0398c78a7

- Filesize: 48B
  MD5: 131349b1b8f1b3a3bcb98f74489a84f3
  SHA1: 03208215eda93cc72bd70fdaaec2e23b2a13c93e
  SHA256: 0d2e14c1ab776c25e5388cc7e3bcc63ff37b02a65c33afc7f0a6494eae038a0d
  SHA512: 304f8947aa93141ced70d6efae273d33c62a3029a5113821f0c60efb20e9b23789c7429bbcc95bf6dcd55133258e84d85d417413ee147a92d16672715202d47a

- Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

- Filesize: 25B
  MD5: 2c92fb2b56bf9875088c69166667d362
  SHA1: 783674a533acfa8be34fe399de6178ac080aec96
  SHA256: 73557824b6e1452084e3fffcb6bbe83c6c96913bd1d3af6f04f37229e8abf1ed
  SHA512: 769a7fb925c52247543fb3c7461d6a998c008641eee3f5431b0425ec58e85ed7491cf932fb1ca2b2920b6e70a989fb60519ab8d8b2d4ceff209b57978f604092

- Filesize: 44B
  MD5: 02d9a4c0c1d54714f19d243a34e6ac98
  SHA1: f8f0da2d1e4b59e1725359118b6ab5937661cba5
  SHA256: 5a87c9aaceccc1ed769b56cf07e55a0fc8165e192e057f33cf349154324139fe
  SHA512: 646d536fb78e34bec05f8cd32112f98ea147b315e3d074a6181c12f857d86eb466adae8aec91520f204e7105017bf5e69bd51df186280ae6258fbc5ea9061e6e

- Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84