Analysis
-
max time kernel
177s -
max time network
189s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
02-10-2022 23:11
General
-
Target
f99b7e79cb5352202f3a68f84dc84621583c9cfcdb3bbbe8f17c8764cd4300bb.exe
-
Size
830KB
-
MD5
66836690b5cc87384b240ba0bafca359
-
SHA1
cbed8b1e8f5b5626b3036486841ffcb5f3669ee5
-
SHA256
f99b7e79cb5352202f3a68f84dc84621583c9cfcdb3bbbe8f17c8764cd4300bb
-
SHA512
45bcd1da1d108bacf01a5b989d36a1f77cc7a4f1eaef03e2381bcf63ab8410d68a363aaaf3144f62adecb7242371e40aa6d80719f7a214d571c9382fbf30200f
-
SSDEEP
12288:zZhyOvPw8Ze6S9PFW/GVcGXxSJYxwvtCOMCQthGeknvg386wSe5/YBtdhW63LYP:z/eyMxAYOvtnahGpvvVSU/Y/TW64
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in Windows directory 8 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f99b7e79cb5352202f3a68f84dc84621583c9cfcdb3bbbe8f17c8764cd4300bb.exe"C:\Users\Admin\AppData\Local\Temp\f99b7e79cb5352202f3a68f84dc84621583c9cfcdb3bbbe8f17c8764cd4300bb.exe"1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\LMI3DE4.tmp\lmi_rescue.exe"C:\Windows\LMI3DE4.tmp\lmi_rescue.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\LMI3DE4.tmp\lmi_rescue.exeFilesize
1.5MB
MD51662aad588013cd0fc06b2d2c44110bd
SHA1bd5dbefbc1e7973d84df1b58ab1c9d4301f753e8
SHA2566e428acc024324150c2804c78782802b09b32f13e8219a0bd4b3ba24284e8c91
SHA5128d51494ace28135d6cbfca845c425f750d1565752bb0c1fc35c1e27c4004d59e58b06f9736a624d6f2773cc56a0ea72bca05971e57bb2897c9af849198898c6d
-
C:\Windows\LMI3DE4.tmp\lmi_rescue.exeFilesize
1.5MB
MD51662aad588013cd0fc06b2d2c44110bd
SHA1bd5dbefbc1e7973d84df1b58ab1c9d4301f753e8
SHA2566e428acc024324150c2804c78782802b09b32f13e8219a0bd4b3ba24284e8c91
SHA5128d51494ace28135d6cbfca845c425f750d1565752bb0c1fc35c1e27c4004d59e58b06f9736a624d6f2773cc56a0ea72bca05971e57bb2897c9af849198898c6d
-
C:\Windows\LMI3DE4.tmp\params.txtFilesize
116B
MD5032a886a276a04ce8e4791417d8f088c
SHA10bcf292ebd6997e2501704aacdc97dc3fc62c5ee
SHA2568f67fcf6e9b43dfed1bf27877305079fc41a5d677556eb8390a4474e492bb9db
SHA5123a131a393ec99ad5a22a1d1691c2aeafeaa55e21887f41c699704285c06175346aa605200186212257ec3e4441588b28a25a1d56e9c1f839f5ee8f7a9cefbe81
-
C:\Windows\LMI3DE4.tmp\rahook.dllFilesize
173KB
MD5ce86842a27368666f9c13a23b8910241
SHA16a5e4a8dbb3d9633d78f68685d18e47c966a6844
SHA256440cdcb5fa455551e25bf31320c134c622ade5b6fdf21290fd7e114d7f64a72b
SHA5128c0f846106817e746f44e9eb717bf22f8c719f733f24ff5246dfbc4a1daf0949be072cd63c8998e7dfe80246a02e9e8cfd7e4fdc1c6150b085ce0eeef5a44bd8
-
C:\Windows\LMI3DE4.tmp\rahook.dllFilesize
173KB
MD5ce86842a27368666f9c13a23b8910241
SHA16a5e4a8dbb3d9633d78f68685d18e47c966a6844
SHA256440cdcb5fa455551e25bf31320c134c622ade5b6fdf21290fd7e114d7f64a72b
SHA5128c0f846106817e746f44e9eb717bf22f8c719f733f24ff5246dfbc4a1daf0949be072cd63c8998e7dfe80246a02e9e8cfd7e4fdc1c6150b085ce0eeef5a44bd8
-
memory/228-132-0x0000000000000000-mapping.dmp