d60c30dc0ac1933eb3a28a42b8c9aa8b381816d64217393adc2f06e3deddae39

Resubmissions

13-01-2025 00:12

250113-ahff9synck 8

15-08-2024 13:01

240815-p89v5asfla 10

Analysis

max time kernel
892s
max time network
847s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
13-01-2025 00:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[Leakcloud.fun] Link Skipper.exe
Size

523.0MB
MD5

b928c8e9fbdea0d3d904df7a09955640
SHA1

3caec7a61590a0287d2c350da8439cf977f3ab7a
SHA256

1f1407140a7a550335d170429646438cef0d37ec51a6378ac08c132e9e7d8420
SHA512

7627815855b32eec15e358246f2764b517790afb7bdac6ada17ec3184c96397248f1ce1150d3efe54f779f0e290bb2d03b6124a6c6df2dd2c7cfadc0138a627a
SSDEEP

49152:XJED040Mm05vldXLyY4huQNuZo+rGlYnqRK7xPNH6Yjs1hm0zydRtmSH07JS44iE:XCX5soNvqRK7dqSdzmy4JMdaP67

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2900	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe
772	[Leakcloud.fun] Link Skipper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
772	[Leakcloud.fun] Link Skipper.exe
2900	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	772	[Leakcloud.fun] Link Skipper.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 772 wrote to memory of 2320	772	[Leakcloud.fun] Link Skipper.exe	31
PID 772 wrote to memory of 2320	772	[Leakcloud.fun] Link Skipper.exe	31
PID 772 wrote to memory of 2320	772	[Leakcloud.fun] Link Skipper.exe	31
PID 2320 wrote to memory of 2900	2320	cmd.exe	33
PID 2320 wrote to memory of 2900	2320	cmd.exe	33
PID 2320 wrote to memory of 2900	2320	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\[Leakcloud.fun] Link Skipper.exe
"C:\Users\Admin\AppData\Local\Temp\[Leakcloud.fun] Link Skipper.exe" cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:772
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C powershell Add-MpPreference -ExclusionPath C:\
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Add-MpPreference -ExclusionPath C:\
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/772-0-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-1-0x000007FFFFBD0000-0x000007FFFFFA1000-memory.dmp

Filesize
3.8MB

Download
memory/772-3-0x0000000077B00000-0x0000000077B10000-memory.dmp

Filesize
64KB

Download
memory/772-4-0x000007FEF5D13000-0x000007FEF5D14000-memory.dmp

Filesize
4KB

Download
memory/772-2-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-5-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-6-0x0000000002F80000-0x0000000002FC4000-memory.dmp

Filesize
272KB

Download
memory/772-13-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/772-14-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-15-0x000007FFFFBD0000-0x000007FFFFFA1000-memory.dmp

Filesize
3.8MB

Download
memory/772-17-0x000007FEF5D13000-0x000007FEF5D14000-memory.dmp

Filesize
4KB

Download
memory/772-16-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-18-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/772-19-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-20-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-21-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-22-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-23-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-24-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-25-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-26-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-27-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-28-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-29-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-30-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-31-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-32-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-33-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-34-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-35-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-36-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-37-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-39-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-40-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-41-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-42-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-43-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-44-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-45-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-46-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-47-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-48-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-49-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-50-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-51-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-52-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-53-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-54-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-55-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-56-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-58-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-59-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-60-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-62-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-63-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-64-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-65-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-66-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-67-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-68-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-69-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-70-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-71-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-72-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-73-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-74-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-75-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-76-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-77-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-78-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/772-80-0x000000013FAC0000-0x000000014098C000-memory.dmp

Filesize
14.8MB

Download
memory/2900-11-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/2900-12-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download