Overview
Score: 7

Tasks (task, platform, score)
Static                 -                   3
LayetuFixedd.exe       windows7-x64        7
LayetuFixedd.exe       windows10-2004-x64  7
$PLUGINSDI...ls.dll    windows7-x64        3
$PLUGINSDI...ls.dll    windows10-2004-x64  3
$PLUGINSDI...em.dll    windows7-x64        3
$PLUGINSDI...em.dll    windows10-2004-x64  3
$PLUGINSDIR/UAC.dll    windows7-x64        3
$PLUGINSDIR/UAC.dll    windows10-2004-x64  3
Installer.exe          windows7-x64        1
Installer.exe          windows10-2004-x64  7
LICENSES.c...m.html    windows7-x64        3
LICENSES.c...m.html    windows10-2004-x64  3
d3dcompiler_47.dll     windows10-2004-x64  1
ffmpeg.dll             windows7-x64        1
ffmpeg.dll             windows10-2004-x64  1
libEGL.dll             windows7-x64        1
libEGL.dll             windows10-2004-x64  1
libGLESv2.dll          windows7-x64        1
libGLESv2.dll          windows10-2004-x64  1
locales/af.ps1         windows7-x64        3
locales/af.ps1         windows10-2004-x64  3
locales/uk.ps1         windows7-x64        3
locales/uk.ps1         windows10-2004-x64  3
resources/elevate.exe  windows7-x64        3
resources/elevate.exe  windows10-2004-x64  3
vk_swiftshader.dll     windows7-x64        1
vk_swiftshader.dll     windows10-2004-x64  1
vulkan-1.dll           windows7-x64        1
vulkan-1.dll           windows10-2004-x64  1
$PLUGINSDI...gs.dll    windows7-x64        3
$PLUGINSDI...gs.dll    windows10-2004-x64  3
$PLUGINSDI...ec.dll    windows7-x64        3

Analysis
max time kernel: 151s
max time network: 162s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/09/2024, 01:27
Static task
static1

Behavioral tasks (task, sample, resource)
behavioral1    LayetuFixedd.exe           win7-20240708-en
behavioral2    LayetuFixedd.exe           win10v2004-20240802-en
behavioral3    $PLUGINSDIR/StdUtils.dll   win7-20240704-en
behavioral4    $PLUGINSDIR/StdUtils.dll   win10v2004-20240802-en
behavioral5    $PLUGINSDIR/System.dll     win7-20240704-en
behavioral6    $PLUGINSDIR/System.dll     win10v2004-20240802-en
behavioral7    $PLUGINSDIR/UAC.dll        win7-20240708-en
behavioral8    $PLUGINSDIR/UAC.dll        win10v2004-20240802-en
behavioral9    Installer.exe              win7-20240705-en
behavioral10   Installer.exe              win10v2004-20240802-en
behavioral11   LICENSES.chromium.html     win7-20240729-en
behavioral12   LICENSES.chromium.html     win10v2004-20240802-en
behavioral13   d3dcompiler_47.dll         win10v2004-20240802-en
behavioral14   ffmpeg.dll                 win7-20240704-en
behavioral15   ffmpeg.dll                 win10v2004-20240802-en
behavioral16   libEGL.dll                 win7-20240708-en
behavioral17   libEGL.dll                 win10v2004-20240802-en
behavioral18   libGLESv2.dll              win7-20240704-en
behavioral19   libGLESv2.dll              win10v2004-20240802-en
behavioral20   locales/af.ps1             win7-20240708-en
behavioral21   locales/af.ps1             win10v2004-20240802-en
behavioral22   locales/uk.ps1             win7-20240705-en
behavioral23   locales/uk.ps1             win10v2004-20240802-en
behavioral24   resources/elevate.exe      win7-20240705-en
behavioral25   resources/elevate.exe      win10v2004-20240802-en
behavioral26   vk_swiftshader.dll         win7-20240708-en
behavioral27   vk_swiftshader.dll         win10v2004-20240802-en
behavioral28   vulkan-1.dll               win7-20240705-en
behavioral29   vulkan-1.dll               win10v2004-20240802-en
behavioral30   $PLUGINSDIR/nsDialogs.dll  win7-20240704-en
behavioral31   $PLUGINSDIR/nsDialogs.dll  win10v2004-20240802-en
behavioral32   $PLUGINSDIR/nsExec.dll     win7-20240729-en
General
Target: Installer.exe
Size: 152.8MB
MD5: 04381c4cf5aec314ce1d6a1a38590ade
SHA1: a78a0e9bc8f002d4fc53428e5b2c6ec346fa3dac
SHA256: 6428aeaf90c857ce6c77f39f2c5c2186e7d54a5909657bcf953ffd1b344e501b
SHA512: 2f29d7e76550f1e284cae7acd660b108495c6456e2abb398a49d036ac50399dc734bcff096f79abcc06002b5a01aff508c8239e843aefcdfca3e700a35933aec
SSDEEP: 1572864:CLBZB52nvuZ7wVuMbgR7Sp6kYdEctmhoLsPagBsgkx52HYhwj+vfIBUdoJnP9Dj0:CypCmJctBjj2+Jv
Malware Config
Signatures
Loads dropped DLL 2 IoCs
pid    Process
60     Installer.exe
60     Installer.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow   ioc
22     ipinfo.io
25     ipinfo.io
pid    Process
3696   powershell.exe
472    powershell.exe
5048   powershell.exe
Checks processor information in registry 2 TTPs 7 IoCs
Processor information is often read in order to detect sandboxing environments.
description         ioc                                                                                   Process
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz                 Installer.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString  Installer.exe
Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2                      Installer.exe
Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      Installer.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 Installer.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  Installer.exe
Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                      Installer.exe
Suspicious behavior: EnumeratesProcesses 15 IoCs
pid    Process
3696   powershell.exe
472    powershell.exe
472    powershell.exe
3008   Installer.exe
3008   Installer.exe
472    powershell.exe
5048   powershell.exe
5048   powershell.exe
3696   powershell.exe
3696   powershell.exe
5048   powershell.exe
1512   Installer.exe
1512   Installer.exe
1512   Installer.exe
1512   Installer.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description                           pid    Process
Token: SeShutdownPrivilege            60     Installer.exe
Token: SeCreatePagefilePrivilege      60     Installer.exe
Token: SeDebugPrivilege               3696   powershell.exe
Token: SeDebugPrivilege               472    powershell.exe
Token: SeDebugPrivilege               5048   powershell.exe
Token: SeIncreaseQuotaPrivilege       472    powershell.exe
Token: SeSecurityPrivilege            472    powershell.exe
Token: SeTakeOwnershipPrivilege       472    powershell.exe
Token: SeLoadDriverPrivilege          472    powershell.exe
Token: SeSystemProfilePrivilege       472    powershell.exe
Token: SeSystemtimePrivilege          472    powershell.exe
Token: SeProfSingleProcessPrivilege   472    powershell.exe
Token: SeIncBasePriorityPrivilege     472    powershell.exe
Token: SeCreatePagefilePrivilege      472    powershell.exe
Token: SeBackupPrivilege              472    powershell.exe
Token: SeRestorePrivilege             472    powershell.exe
Token: SeShutdownPrivilege            472    powershell.exe
Token: SeDebugPrivilege               472    powershell.exe
Token: SeSystemEnvironmentPrivilege   472    powershell.exe
Token: SeRemoteShutdownPrivilege      472    powershell.exe
Token: SeUndockPrivilege              472    powershell.exe
Token: SeManageVolumePrivilege        472    powershell.exe
Token: 33                             472    powershell.exe
Token: 34                             472    powershell.exe
Token: 35                             472    powershell.exe
Token: 36                             472    powershell.exe
Token: SeShutdownPrivilege            60     Installer.exe
Token: SeCreatePagefilePrivilege      60     Installer.exe
Token: SeIncreaseQuotaPrivilege       5048   powershell.exe
Token: SeSecurityPrivilege            5048   powershell.exe
Token: SeTakeOwnershipPrivilege       5048   powershell.exe
Token: SeLoadDriverPrivilege          5048   powershell.exe
Token: SeSystemProfilePrivilege       5048   powershell.exe
Token: SeSystemtimePrivilege          5048   powershell.exe
Token: SeProfSingleProcessPrivilege   5048   powershell.exe
Token: SeIncBasePriorityPrivilege     5048   powershell.exe
Token: SeCreatePagefilePrivilege      5048   powershell.exe
Token: SeBackupPrivilege              5048   powershell.exe
Token: SeRestorePrivilege             5048   powershell.exe
Token: SeShutdownPrivilege            5048   powershell.exe
Token: SeDebugPrivilege               5048   powershell.exe
Token: SeSystemEnvironmentPrivilege   5048   powershell.exe
Token: SeRemoteShutdownPrivilege      5048   powershell.exe
Token: SeUndockPrivilege              5048   powershell.exe
Token: SeManageVolumePrivilege        5048   powershell.exe
Token: 33                             5048   powershell.exe
Token: 34                             5048   powershell.exe
Token: 35                             5048   powershell.exe
Token: 36                             5048   powershell.exe
Token: SeShutdownPrivilege            60     Installer.exe
Token: SeCreatePagefilePrivilege      60     Installer.exe
Token: SeShutdownPrivilege            60     Installer.exe
Token: SeCreatePagefilePrivilege      60     Installer.exe
Token: SeShutdownPrivilege            60     Installer.exe
Token: SeCreatePagefilePrivilege      60     Installer.exe
Token: SeShutdownPrivilege            60     Installer.exe
Token: SeCreatePagefilePrivilege      60     Installer.exe
Token: SeShutdownPrivilege            60     Installer.exe
Token: SeCreatePagefilePrivilege      60     Installer.exe
Token: SeShutdownPrivilege            60     Installer.exe
Token: SeCreatePagefilePrivilege      60     Installer.exe
Token: SeShutdownPrivilege            60     Installer.exe
Token: SeCreatePagefilePrivilege      60     Installer.exe
Token: SeShutdownPrivilege            60     Installer.exe
Suspicious use of WriteProcessMemory 55 IoCs
(consecutive identical rows collapsed; count gives how many times each row appears)
count  description                        pid    Process        procid_target
2      PID 60 wrote to memory of 4340     60     Installer.exe  85
2      PID 4340 wrote to memory of 2632   4340   cmd.exe        87
2      PID 60 wrote to memory of 3452     60     Installer.exe  88
2      PID 3452 wrote to memory of 3344   3452   cmd.exe        90
2      PID 60 wrote to memory of 2088     60     Installer.exe  99
2      PID 60 wrote to memory of 5048     60     Installer.exe  101
2      PID 60 wrote to memory of 472      60     Installer.exe  102
2      PID 60 wrote to memory of 3696     60     Installer.exe  103
31     PID 60 wrote to memory of 1648     60     Installer.exe  106
2      PID 60 wrote to memory of 3008     60     Installer.exe  108
2      PID 60 wrote to memory of 5112     60     Installer.exe  109
2      PID 5112 wrote to memory of 2584   5112   cmd.exe        111
2      PID 60 wrote to memory of 1512     60     Installer.exe  117
Processes
(child processes are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\Installer.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Installer.exe"
  PID: 60
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /d /s /c "chcp"
      PID: 4340
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\chcp.com
          command line: chcp
          PID: 2632

    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /d /s /c "mshta "javascript:new ActiveXObject('WScript.Shell').Popup('An unknown error happened when trying to extract Unity engine files. Contact this app developers or try again later.', 0, 'UNITY_ENGINE_ERROR', 16);close()""
      PID: 3452
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\mshta.exe
          command line: mshta "javascript:new ActiveXObject('WScript.Shell').Popup('An unknown error happened when trying to extract Unity engine files. Contact this app developers or try again later.', 0, 'UNITY_ENGINE_ERROR', 16);close()"
          PID: 3344

    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"
      PID: 2088

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
      PID: 5048
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
      PID: 472
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
      PID: 3696
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\Installer.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Installer.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\program" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1848 --field-trial-handle=1856,i,3225541525393591325,8688339381216336143,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      PID: 1648

    C:\Users\Admin\AppData\Local\Temp\Installer.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Installer.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\program" --mojo-platform-channel-handle=2100 --field-trial-handle=1856,i,3225541525393591325,8688339381216336143,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      PID: 3008
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""
      PID: 5112
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\findstr.exe
          command line: findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"
          PID: 2584

    C:\Users\Admin\AppData\Local\Temp\Installer.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Installer.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\program" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1864 --field-trial-handle=1856,i,3225541525393591325,8688339381216336143,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      PID: 1512
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3KB
MD5: 50c591ec2a1e49297738ea9f28e3ad23
SHA1: 137e36b4c7c40900138a6bcf8cf5a3cce4d142af
SHA256: 7648d785bda8cef95176c70711418cf3f18e065f7710f2ef467884b4887d8447
SHA512: 33b5fa32501855c2617a822a4e1a2c9b71f2cf27e1b896cf6e5a28473cfd5e6d126840ca1aa1f59ef32b0d0a82a2a95c94a9cc8b845367b61e65ec70d456deec

Filesize: 2KB
MD5: 2f87410b0d834a14ceff69e18946d066
SHA1: f2ec80550202d493db61806693439a57b76634f3
SHA256: 5422bc17b852ad463110de0db9b59ffa4219e065d3e2843618d6ebbd14273c65
SHA512: a313702f22450ceff0a1d7f890b0c16cf667dbcd668dbafa6dbecd0791236c0bc68e834d12113cc75352365c2a2b6cfcf30b6ef7c97ea53ed135da50de389db4

Filesize: 131KB
MD5: 6bb8eb9880d403dd79b4a564ffd48f09
SHA1: 6877ae3a556d4c1fdd0078c7af4f18de5a426e71
SHA256: b6680b7f9a87029acd0bd491083536dbc834771e75043c4028b5a5c69d7092d5
SHA512: 8eaac18a4beb1575a15dd88307c2cc93b1c652c2b23fdc71054877a61ef5ea5402dce5a53800c3ea4bafb28bd27cacaa7e9be7bbf5f07f77890236f823bb795f

Filesize: 1.8MB
MD5: 6677ab02a53163228e8dc51b58ee0b93
SHA1: f4a682fb2ac8009f79d42d777bbbf23b9c102070
SHA256: fabb00e1881b8ec07c33e2f08c0cbb0a2c9e61d8f03a6a25913a2829d0f3b6f0
SHA512: bc85811c908cf04f5846c61b59b62e5e386777db1c2b2b773eee97f79c629e7efdb945b043850dda6deec4cbf7519fd459b8d10645a219715fca677990ff88e7

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82