Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
06/08/2024, 00:52
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3319c07a67f330acac1d221408fec4d0N.exe
Resource
win7-20240705-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
3319c07a67f330acac1d221408fec4d0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
3319c07a67f330acac1d221408fec4d0N.exe
-
Size
268KB
-
MD5
3319c07a67f330acac1d221408fec4d0
-
SHA1
f262046dea8d1a2da68acafa7a73f3ec4a322cd5
-
SHA256
dbf0df58ddd70dc4b8ac732dfb88928bc5fb5b881271af703960de4b179c3246
-
SHA512
069304aa67a2f27a18bfae25370e82224e1b63e6c9d0a719b327f9a7fccbd7973e688fcafa1d47c3ea2f5b502ad34bed3b43eaf12c02e3df995deb38910b1fa8
-
SSDEEP
3072:9sSQrIhmyNDY1zuBvLen8DlZniqBXv7yOsWvgbsmIHX0WRIh:9CMsyy1qFy8xZnisyOs2tHEWRe
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 3319c07a67f330acac1d221408fec4d0N.exe Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" leocam.exe -
Executes dropped EXE 1 IoCs
pid Process 2508 leocam.exe -
Loads dropped DLL 2 IoCs
pid Process 2412 3319c07a67f330acac1d221408fec4d0N.exe 2412 3319c07a67f330acac1d221408fec4d0N.exe -
Adds Run key to start application 2 TTPs 27 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\leocam = "C:\\Users\\Admin\\leocam.exe /e" leocam.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\leocam = "C:\\Users\\Admin\\leocam.exe /g" leocam.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\leocam = "C:\\Users\\Admin\\leocam.exe /t" 3319c07a67f330acac1d221408fec4d0N.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\leocam = "C:\\Users\\Admin\\leocam.exe /h" leocam.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\leocam = "C:\\Users\\Admin\\leocam.exe /q" leocam.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\leocam = "C:\\Users\\Admin\\leocam.exe /j" leocam.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\leocam = "C:\\Users\\Admin\\leocam.exe /p" leocam.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\leocam = "C:\\Users\\Admin\\leocam.exe /z" leocam.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\leocam = "C:\\Users\\Admin\\leocam.exe /y" leocam.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\leocam = "C:\\Users\\Admin\\leocam.exe /n" leocam.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\leocam = "C:\\Users\\Admin\\leocam.exe /r" leocam.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\leocam = "C:\\Users\\Admin\\leocam.exe /u" leocam.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\leocam = "C:\\Users\\Admin\\leocam.exe /f" leocam.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\leocam = "C:\\Users\\Admin\\leocam.exe /m" leocam.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\leocam = "C:\\Users\\Admin\\leocam.exe /o" leocam.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\leocam = "C:\\Users\\Admin\\leocam.exe /v" leocam.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\leocam = "C:\\Users\\Admin\\leocam.exe /k" leocam.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\leocam = "C:\\Users\\Admin\\leocam.exe /i" leocam.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\leocam = "C:\\Users\\Admin\\leocam.exe /w" leocam.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\leocam = "C:\\Users\\Admin\\leocam.exe /c" leocam.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\leocam = "C:\\Users\\Admin\\leocam.exe /b" leocam.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\leocam = "C:\\Users\\Admin\\leocam.exe /s" leocam.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\leocam = "C:\\Users\\Admin\\leocam.exe /x" leocam.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\leocam = "C:\\Users\\Admin\\leocam.exe /a" leocam.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\leocam = "C:\\Users\\Admin\\leocam.exe /d" leocam.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\leocam = "C:\\Users\\Admin\\leocam.exe /l" leocam.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\leocam = "C:\\Users\\Admin\\leocam.exe /t" leocam.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3319c07a67f330acac1d221408fec4d0N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language leocam.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2412 3319c07a67f330acac1d221408fec4d0N.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe 2508 leocam.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2412 3319c07a67f330acac1d221408fec4d0N.exe 2508 leocam.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2412 wrote to memory of 2508 2412 3319c07a67f330acac1d221408fec4d0N.exe 30 PID 2412 wrote to memory of 2508 2412 3319c07a67f330acac1d221408fec4d0N.exe 30 PID 2412 wrote to memory of 2508 2412 3319c07a67f330acac1d221408fec4d0N.exe 30 PID 2412 wrote to memory of 2508 2412 3319c07a67f330acac1d221408fec4d0N.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\3319c07a67f330acac1d221408fec4d0N.exe"C:\Users\Admin\AppData\Local\Temp\3319c07a67f330acac1d221408fec4d0N.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Users\Admin\leocam.exe"C:\Users\Admin\leocam.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2508
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
268KB
MD5ab42e058f30993aa8b966e1a55560268
SHA1038c6908c1808e1367a43189937fd37c1d8feb9c
SHA2566386b5fa6df5cd359a23fad302312771b0f71d9e01acbaaed1e9465ea9c0fe3a
SHA5129030392b92bbe046d174abadd3e8346fd95f0f800b9e5c4125865b9d92f70cbae1c83495abc84879c246966e8731a3ffcc54f06a3daf2c75b12f504a95d7becf