32e191494cff56cda80e73beb14a412b1a7623b2dcefb51ea07c5fc8b2861020

Analysis

max time kernel
82s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
03/06/2024, 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32e191494cff56cda80e73beb14a412b1a7623b2dcefb51ea07c5fc8b2861020.exe
Size

76KB
MD5

8f7141c14542d9d446c0b164d4546b22
SHA1

548f95ce309af2c92c63c28aadbfdff2eeb65754
SHA256

32e191494cff56cda80e73beb14a412b1a7623b2dcefb51ea07c5fc8b2861020
SHA512

b3b68fdb8d4edfbda399fea18a58af6193810f65817b3748b55ce0f7b1ffb752e4485f4339fe89e178e929e40a43e024e0ed896a5fe25e0d4ac82a48ad64df2c
SSDEEP

768:94IrCa3GJE5q/e6+xOF4/i/BEYkp7P6lweQDhDmpU5GFrrEzWsdSE0d8pUHIkI0d:9VEJE5qGxO+2G40OIkaBy

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	levoh.exe

Executes dropped EXE 1 IoCs

pid	Process
2620	levoh.exe

Loads dropped DLL 2 IoCs

pid	Process
2180	32e191494cff56cda80e73beb14a412b1a7623b2dcefb51ea07c5fc8b2861020.exe
2180	32e191494cff56cda80e73beb14a412b1a7623b2dcefb51ea07c5fc8b2861020.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\levoh = "C:\\Users\\Admin\\levoh.exe"	levoh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe
2620	levoh.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2180	32e191494cff56cda80e73beb14a412b1a7623b2dcefb51ea07c5fc8b2861020.exe
2620	levoh.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2620	2180	32e191494cff56cda80e73beb14a412b1a7623b2dcefb51ea07c5fc8b2861020.exe	29
PID 2180 wrote to memory of 2620	2180	32e191494cff56cda80e73beb14a412b1a7623b2dcefb51ea07c5fc8b2861020.exe	29
PID 2180 wrote to memory of 2620	2180	32e191494cff56cda80e73beb14a412b1a7623b2dcefb51ea07c5fc8b2861020.exe	29
PID 2180 wrote to memory of 2620	2180	32e191494cff56cda80e73beb14a412b1a7623b2dcefb51ea07c5fc8b2861020.exe	29

C:\Users\Admin\AppData\Local\Temp\32e191494cff56cda80e73beb14a412b1a7623b2dcefb51ea07c5fc8b2861020.exe
"C:\Users\Admin\AppData\Local\Temp\32e191494cff56cda80e73beb14a412b1a7623b2dcefb51ea07c5fc8b2861020.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\levoh.exe
  "C:\Users\Admin\levoh.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\levoh.exe

Filesize
76KB

MD5
075b3cc72a35bdab6e558fc094175291

SHA1
dca09badd4ba8d8cb11c8aaa433ac4784063e63c

SHA256
be0e99068f390a74af326c45073e97ba1343dc69fb0a930b5822fc53c4998556

SHA512
53f757357d9ee9d7ee494f4ae56aad5b7944a20fff87ec03c7f08927d05373f5ef5df3d3d77d7575204ae4b8ab2adb64876cbf1d651d090ebb1573b234a0316c

Download Submit