Overview

overview

8

Static

static

f4fabd4387...dd.exe

windows7-x64

8

f4fabd4387...dd.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    154s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-10-2022 11:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f4fabd43871d0f069c80d27d735a486eecb9893a3ad4541a3b7924c896f7ccdd.exe

  • Size

    942KB

  • MD5

    6abbdb80f29a20074deffd1f29309590

  • SHA1

    3533e66007ad76ef969da9c8db8e9b0de4577100

  • SHA256

    f4fabd43871d0f069c80d27d735a486eecb9893a3ad4541a3b7924c896f7ccdd

  • SHA512

    7220633349de4bdd4ae2e144f0495025c3581afeca2b4c7907dd8a3d9e203d621640d7b2a729d570abf9aaf3843c3c53978c858fc9477380cc25a76988e43200

  • SSDEEP

    24576:orYb0aldVwHBBA5WXlo6sNWqdsFdZYviowhtjlON1tYY:P08dVMBBRloafYvid60Y

Score
8/10
bootkitevasionpersistencetrojan

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in Windows directory 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f4fabd43871d0f069c80d27d735a486eecb9893a3ad4541a3b7924c896f7ccdd.exe
    "C:\Users\Admin\AppData\Local\Temp\f4fabd43871d0f069c80d27d735a486eecb9893a3ad4541a3b7924c896f7ccdd.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1664
    • C:\Windows\LMI83BB.tmp\lmi_instantchat.exe
      "C:\Windows\LMI83BB.tmp\lmi_instantchat.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Writes to the Master Boot Record (MBR)
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2976

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Bootkit

1
T1067

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\LMI83BB.tmp\lmi_instantchat.exe
    Filesize

    1.7MB

    MD5

    c52eb58a5ea072346702d0ea5a364737

    SHA1

    fc424772c5a1acea8a60c815a3f7966052cdd698

    SHA256

    1c150a386f9d0942461b9cc700814964d5dfe1e74f9e9df6dcfa00a1861b3c00

    SHA512

    f12ea8b561c331806407d29b940400441eab920fa9e55b96c949a32599bfeb3fe2eca6ccb2f5a29783432f1694bfda0550b294dc39cad1cb432434b1b24b9682

    Download Submit
  • C:\Windows\LMI83BB.tmp\lmi_instantchat.exe
    Filesize

    1.7MB

    MD5

    c52eb58a5ea072346702d0ea5a364737

    SHA1

    fc424772c5a1acea8a60c815a3f7966052cdd698

    SHA256

    1c150a386f9d0942461b9cc700814964d5dfe1e74f9e9df6dcfa00a1861b3c00

    SHA512

    f12ea8b561c331806407d29b940400441eab920fa9e55b96c949a32599bfeb3fe2eca6ccb2f5a29783432f1694bfda0550b294dc39cad1cb432434b1b24b9682

    Download Submit
  • C:\Windows\LMI83BB.tmp\params.txt
    Filesize

    561B

    MD5

    339613224f1c891e08650c6745ab52c2

    SHA1

    fc2d017025817c8766645e9bbdf663dd1736a1a7

    SHA256

    2b1c23e39a28a69e511564c24f4b89a4d6fc34b9e1d255621176d54c249383f3

    SHA512

    4890ad4fd038d74e6b1c868e1fbe1a78ce6990252f82f3d4907bd4baefc93fedb14956164c4b632694fd0689d2184c14a0ccf1d09ce8372d49255a36619ff1cb

    Download Submit
  • C:\Windows\LMI83BB.tmp\rahook.dll
    Filesize

    173KB

    MD5

    bf790824092803a6384371b3996d0143

    SHA1

    81a870b23b999817516a5a47f01b0bf1f862c223

    SHA256

    585234c1ed97e97bf46a11967e0d82c0118423835627ffdddf7343ebb92ca120

    SHA512

    46f6b2c3e5b930d8358933fcb9f5a24b5a666fd0567501563143763da9e14da7317da19bc26ae3d35716fd17807686519dc78921b7ff79fdbf60746398457d9e

    Download Submit
  • C:\Windows\LMI83BB.tmp\rahook.dll
    Filesize

    173KB

    MD5

    bf790824092803a6384371b3996d0143

    SHA1

    81a870b23b999817516a5a47f01b0bf1f862c223

    SHA256

    585234c1ed97e97bf46a11967e0d82c0118423835627ffdddf7343ebb92ca120

    SHA512

    46f6b2c3e5b930d8358933fcb9f5a24b5a666fd0567501563143763da9e14da7317da19bc26ae3d35716fd17807686519dc78921b7ff79fdbf60746398457d9e

    Download Submit
  • C:\Windows\LMI83BB.tmp\rescue.ico
    Filesize

    48KB

    MD5

    51fa8f4746f1a481c5ea25931e99ed77

    SHA1

    76a78677e527a0564533d90ed16fe5d7da8102e2

    SHA256

    ad3ec59a6f04578dc4dd9b85dbb2552019fb509201524c6cb8d06fea73da62d7

    SHA512

    c7a3a40ec447800297138c8ae35739c080388654f1afeb3a2c55080477615efbce94f05a3683f3f5528e9eb8e0ab5477be3f396a7b32e21cfd73b39e68197b29

    Download Submit
  • memory/2976-132-0x0000000000000000-mapping.dmp
    Download