61dd5d6bb55760610c0bb9bd2a276f10bf9de7118d6991ba62b4246b5e8621f8

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
29-10-2022 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61dd5d6bb55760610c0bb9bd2a276f10bf9de7118d6991ba62b4246b5e8621f8.exe
Size

936KB
MD5

83886a33b7b682a23b68fff233edff50
SHA1

0e78ea3d1251da29ab9ce8184b39a7f0e080cc8c
SHA256

61dd5d6bb55760610c0bb9bd2a276f10bf9de7118d6991ba62b4246b5e8621f8
SHA512

49647b07742dc26058406723164a212f7d701421c9241ac1009c13b4e332476edf4acf762a1e00ffd4f1bd1c86d1148b469728f8eda9bbb5562ad7c8e9908171
SSDEEP

24576:Ps/Z9arRbSnCS/ZmExYaEsAGSTU9twGTdK8kUu1hLMP2:4CFbSCSIEiLsA+92udK8bK62

Score

8^/10

bootkit evasion persistence trojan

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
800	lmi_rescue.exe
1992	LMI_Rescue_srv.exe

Loads dropped DLL 1 IoCs

pid	Process
800	lmi_rescue.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	lmi_rescue.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*LogMeInRescue_4111620000 = "\"C:\\Windows\\LMIBE82.tmp\\lmi_rescue.exe\" -runonce reboot"	lmi_rescue.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lmi_rescue.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LMI_Rescue_srv.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	lmi_rescue.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\LMIBE82.tmp\rahook.dll	61dd5d6bb55760610c0bb9bd2a276f10bf9de7118d6991ba62b4246b5e8621f8.exe
File created	C:\Windows\LMIBE82.tmp\LMI_Rescue_srv.exe	61dd5d6bb55760610c0bb9bd2a276f10bf9de7118d6991ba62b4246b5e8621f8.exe
File created	C:\Windows\LMIBE82.tmp\params.txt	61dd5d6bb55760610c0bb9bd2a276f10bf9de7118d6991ba62b4246b5e8621f8.exe
File opened for modification	C:\Windows\LMIBE82.tmp\params.txt	61dd5d6bb55760610c0bb9bd2a276f10bf9de7118d6991ba62b4246b5e8621f8.exe
File created	C:\Windows\LMIBE82.tmp\logo.bmp	61dd5d6bb55760610c0bb9bd2a276f10bf9de7118d6991ba62b4246b5e8621f8.exe
File opened for modification	C:\Windows\LMIBE82.tmp\rescue.log	lmi_rescue.exe
File opened for modification	C:\Windows\LMIBE82.tmp\params.txt	lmi_rescue.exe
File created	C:\Windows\LMIBE82.tmp\lmi_rescue.exe	61dd5d6bb55760610c0bb9bd2a276f10bf9de7118d6991ba62b4246b5e8621f8.exe
File opened for modification	C:\Windows\LMIBE82.tmp\params.txt	LMI_Rescue_srv.exe
File opened for modification	C:\Windows\LMIBE82.tmp\LMI_Rescue_srv.exe	61dd5d6bb55760610c0bb9bd2a276f10bf9de7118d6991ba62b4246b5e8621f8.exe
File created	C:\Windows\LMIBE82.tmp\rescue.ico	61dd5d6bb55760610c0bb9bd2a276f10bf9de7118d6991ba62b4246b5e8621f8.exe
File opened for modification	C:\Windows\LMIBE82.tmp\rescue.log	LMI_Rescue_srv.exe
File created	C:\Windows\LMIBE82.tmp\ra64app.exe	61dd5d6bb55760610c0bb9bd2a276f10bf9de7118d6991ba62b4246b5e8621f8.exe

Modifies boot configuration data using bcdedit 1 IoCs

pid	Process
3948	bcdedit.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	LMI_Rescue_srv.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\LocalServer32	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib\ = "{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\HELPDIR\ = "C:\\Windows\\LMIBE82.tmp"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib\Version = "1.0"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib\Version = "1.0"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}\ = "LMI_Rescue_srv.exe"	LMI_Rescue_srv.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib\ = "{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\TypeLib	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\ = "Rescue Com library"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib\Version = "1.0"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ = "IRescueUser"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid32	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib\ = "{0C4DD08C-169A-4ae8-BBD4-AA8D5A398D56}"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\RunAs = "Interactive User"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\0\win32\ = "C:\\Windows\\LMIBE82.tmp\\LMI_Rescue.exe"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ = "IRescueSvc"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\ = "LMI_Rescue.exe"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LMI_Rescue.exe\AppID = "{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ = "IRescueUser"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	LMI_Rescue_srv.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\0	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid32	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid32	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid32	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\0\win32	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib\Version = "1.0"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}\LocalService = "LMIRescue_c0704696-a1b3-47ad-8a7e-0c8ed7e06c1c"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\LocalServer32\ = "C:\\Windows\\LMIBE82.tmp\\LMI_Rescue.exe"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\HELPDIR	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}\ = "LogMeIn Rescue Service"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\FLAGS	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ = "IRescueSvc"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}\AppID = "{359471F8-E218-4b08-8D1E-8DFBF2F0F700}"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\ = "LogMeIn Rescue GUI"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\TypeLib\ = "{0C4DD08C-169A-4ae8-BBD4-AA8D5A398D56}"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib\ = "{0C4DD08C-169A-4ae8-BBD4-AA8D5A398D56}"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LMI_Rescue_srv.exe	LMI_Rescue_srv.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LMI_Rescue_srv.exe	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LMI_Rescue.exe	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\FLAGS\ = "0"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\LocalServer32 = "LMI_Rescue.exe"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib\ = "{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}"	LMI_Rescue_srv.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
800	lmi_rescue.exe
800	lmi_rescue.exe
1992	LMI_Rescue_srv.exe
1992	LMI_Rescue_srv.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	800	lmi_rescue.exe
Token: SeCreateGlobalPrivilege	1992	LMI_Rescue_srv.exe
Token: SeCreateGlobalPrivilege	1992	LMI_Rescue_srv.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
800	lmi_rescue.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4012 wrote to memory of 800	4012	61dd5d6bb55760610c0bb9bd2a276f10bf9de7118d6991ba62b4246b5e8621f8.exe	82
PID 4012 wrote to memory of 800	4012	61dd5d6bb55760610c0bb9bd2a276f10bf9de7118d6991ba62b4246b5e8621f8.exe	82
PID 4012 wrote to memory of 800	4012	61dd5d6bb55760610c0bb9bd2a276f10bf9de7118d6991ba62b4246b5e8621f8.exe	82
PID 1992 wrote to memory of 3948	1992	LMI_Rescue_srv.exe	85
PID 1992 wrote to memory of 3948	1992	LMI_Rescue_srv.exe	85

C:\Users\Admin\AppData\Local\Temp\61dd5d6bb55760610c0bb9bd2a276f10bf9de7118d6991ba62b4246b5e8621f8.exe
"C:\Users\Admin\AppData\Local\Temp\61dd5d6bb55760610c0bb9bd2a276f10bf9de7118d6991ba62b4246b5e8621f8.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4012
- C:\Windows\LMIBE82.tmp\lmi_rescue.exe
  "C:\Windows\LMIBE82.tmp\lmi_rescue.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:800

C:\Windows\LMIBE82.tmp\LMI_Rescue_srv.exe
"C:\Windows\LMIBE82.tmp\LMI_Rescue_srv.exe" -service -sid c0704696-a1b3-47ad-8a7e-0c8ed7e06c1c
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\system32\bcdedit.exe
  C:\Windows\system32\bcdedit.exe /deletevalue safeboot
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\LMIBE82.tmp\LMI_Rescue_srv.exe

Filesize
1.8MB

MD5
41e774079ab1a967aacf265e505985de

SHA1
1524d82a7c46bac90e6f89f8b71a1dcd67a383f2

SHA256
0ca7b8d017a00edf2920bb9c29a86a70fa2c197b2af0c5c8cac264e5d3962228

SHA512
4fd5fdd9720af6cf317bf49bd1adb766b315ce6b6b6b2af0e3d915770601fb75e38ac60fc870a1de97d35bf5346eb035a73db5c65f4addb5647a4b1e1ef1f178

Download Submit
C:\Windows\LMIBE82.tmp\LMI_Rescue_srv.exe

Filesize
1.8MB

MD5
41e774079ab1a967aacf265e505985de

SHA1
1524d82a7c46bac90e6f89f8b71a1dcd67a383f2

SHA256
0ca7b8d017a00edf2920bb9c29a86a70fa2c197b2af0c5c8cac264e5d3962228

SHA512
4fd5fdd9720af6cf317bf49bd1adb766b315ce6b6b6b2af0e3d915770601fb75e38ac60fc870a1de97d35bf5346eb035a73db5c65f4addb5647a4b1e1ef1f178

Download Submit
C:\Windows\LMIBE82.tmp\lmi_rescue.exe

Filesize
1.8MB

MD5
41e774079ab1a967aacf265e505985de

SHA1
1524d82a7c46bac90e6f89f8b71a1dcd67a383f2

SHA256
0ca7b8d017a00edf2920bb9c29a86a70fa2c197b2af0c5c8cac264e5d3962228

SHA512
4fd5fdd9720af6cf317bf49bd1adb766b315ce6b6b6b2af0e3d915770601fb75e38ac60fc870a1de97d35bf5346eb035a73db5c65f4addb5647a4b1e1ef1f178

Download Submit
C:\Windows\LMIBE82.tmp\lmi_rescue.exe

Filesize
1.8MB

MD5
41e774079ab1a967aacf265e505985de

SHA1
1524d82a7c46bac90e6f89f8b71a1dcd67a383f2

SHA256
0ca7b8d017a00edf2920bb9c29a86a70fa2c197b2af0c5c8cac264e5d3962228

SHA512
4fd5fdd9720af6cf317bf49bd1adb766b315ce6b6b6b2af0e3d915770601fb75e38ac60fc870a1de97d35bf5346eb035a73db5c65f4addb5647a4b1e1ef1f178

Download Submit
C:\Windows\LMIBE82.tmp\logo.bmp

Filesize
3KB

MD5
afbfcdb13124bc087501dfdb0b3d2d3d

SHA1
197bd2df5aa8d4987c0db8de46c624881cf49aee

SHA256
4fb876a42bbdbd6aae4d8a38960369183923a5654849b42677f1c0b04afa7da9

SHA512
55966b77998de857f06975b2cd2d33768e538aa463df406f3c73a9ef49ff26fcc4221fab924232be379d773c857499cb88565d9d3b699efd0fbe48fe7fb69404

Download Submit
C:\Windows\LMIBE82.tmp\params.txt

Filesize
242B

MD5
3cbca6ee1aa7700b2c1b5ae15a800bb3

SHA1
3898e19c19e0f6d4e40ebcb5d0d4d6d393e3b31f

SHA256
6d88439028bde17f406712fe7491d50bdfb8a17ee080417b151acf3ce7083002

SHA512
f089a6068fcd9658e00dba8aeb9c7a04222e35d466aec98af06814df3c60ccd3d3f2d76d1966cc052943030068e61c7b9d171693138697b135f4ed839ded6bc4

Download Submit
C:\Windows\LMIBE82.tmp\params.txt

Filesize
297B

MD5
0a122d26b605e2df514d9bf9ee8a2bf7

SHA1
ba32e9740e3db91dab2a23a578cf8923e277103f

SHA256
106cf37990d7cd66edf4064e8342436ace7ad144f7e756fd8e4af32e707d9f49

SHA512
752711fbef54fac4f7dff8d1a76c8b012986ea731ff3334a18dbd2eff10fd26b8b0d3a987202a3b6d8426f4462599632038132772c7db45dbd5d0efdd4a8bd7b

Download Submit
C:\Windows\LMIBE82.tmp\ra64app.exe

Filesize
208KB

MD5
68df4da2cb339832b713d45bf4f2dec1

SHA1
13ea77ad5724e5c6edc44a0e872d85c3a93ea593

SHA256
636e0e368a66049eb2b1e688549f50e93258664f9a85f0477d5e1192242c25a8

SHA512
80d81ca71bc5c8d570b6cca8f8f815cfa6d8cd7a3dabd8d9da46656efc8f6a68be2f5e1ca14378a250e3f2886acb116309960b7fce26ed2ed33bd6d9006167ef

Download Submit
C:\Windows\LMIBE82.tmp\rahook.dll

Filesize
173KB

MD5
a74e732e69462a88ab84963abe26e055

SHA1
67ed07198a8d95e10e4e2c1c31f065c229d62e7b

SHA256
d079268ff103765a4fdab0e4ad44f1b6b5fe00d1aad9931eef63fd682818396f

SHA512
fed6cea867b41c5a0ffc875b7b80dc2b5ce9f15b4fbefc2d7d3ff03f7f5f0278c4c933f0a2e26c9938b9426aff9763300be143f2fde42a9533c93b797aca7927

Download Submit
C:\Windows\LMIBE82.tmp\rahook.dll

Filesize
173KB

MD5
a74e732e69462a88ab84963abe26e055

SHA1
67ed07198a8d95e10e4e2c1c31f065c229d62e7b

SHA256
d079268ff103765a4fdab0e4ad44f1b6b5fe00d1aad9931eef63fd682818396f

SHA512
fed6cea867b41c5a0ffc875b7b80dc2b5ce9f15b4fbefc2d7d3ff03f7f5f0278c4c933f0a2e26c9938b9426aff9763300be143f2fde42a9533c93b797aca7927

Download Submit
C:\Windows\LMIBE82.tmp\rescue.ico

Filesize
1KB

MD5
3ea098064b51c0798caa341a1bd0dd66

SHA1
ac4e762994a6946c7b614fe7ef1b82ce76fa4ece

SHA256
81672c20b4a515cc5af55ec8526bad540b92aba41d2e3e106415471c59c17a23

SHA512
757a2ff128f24620bafdae37c6c4a9657e2fa0ef3e21f5ddcad665284e6288a4df53a47948fb16ba62e8860c5ec7c04a37d608c62702608bde08e0ddd28cbd41

Download Submit
C:\Windows\LMIBE82.tmp\rescue.log

Filesize
3KB

MD5
6a89942ec75e7126307faf496983cf14

SHA1
579f3449adf8d44175bc3faf9a8d7ef2eefc13cc

SHA256
cbf42eddb55b6c032d9f1984289acbd781cf64a43a95524f6187a4b4412f2ede

SHA512
198a0f98e1ba051d9e517055a71e04bcd563d869c9804bf48ded31e60c9f3e9e08a66bef04e912407bd0495de561d7fb076bde124bf242beb965037d68aed8cc

Download Submit
C:\Windows\LMIBE82.tmp\rescue.log

Filesize
4KB

MD5
cfa62a2e5a764ecce6bf6723415279e2

SHA1
3acb6adcd6e00026abee0d1bafa6371f5ca54949

SHA256
a51a9f6a401def5f7c38a6e4ea250f7ca9445f0742ef7e2220cba40d2df9a01f

SHA512
bc578fb3049047007299874f99aca61d75e3307ec16c9410e15f452c5c3e835d29aa605009c4ccbdd99ca19e44e49d74b8a2a28aa39339ae75ef1880edd5ea55

Download Submit
C:\Windows\LMIBE82.tmp\rescue.log

Filesize
4KB

MD5
a88bfd570e7b75f6d90ecaa00482e574

SHA1
755d3f62831dfb1dd84346fad150dd0004e4f5dd

SHA256
60a9ded4c87b5fc8ea2e59ef9a61c7935b27a4673a781d8588fadb7a46130307

SHA512
ccfe2d98a4f5b82f9f4da217f23031460b3382d1f1ce039ee19514d3f89a660007e48a412d373ea3f24b2e58de56e62bd991a2b5ce3a85f9df25ab4b40adfd59

Download Submit
C:\Windows\LMIBE82.tmp\rescue.log

Filesize
9KB

MD5
1037b9874906794ecb501a15f66e9152

SHA1
22188b08df25bc1def8a49a3dc29bf1f0c2ff60a

SHA256
7480c00ecdd847d9b5021cde1523148e81ea0c3198e71ce3a97e1a5a8b97418b

SHA512
809e58e87106a1f9ccb8ba04ac53614e51ae7b7be1df9a11a42e0c0b5c806b9bb1cfb0079d263857736851a37778237067eaa3a99de14feee5a31b4950a49545

Download Submit
C:\Windows\LMIBE82.tmp\rescue.log

Filesize
9KB

MD5
0d7386127bcaa2f33b38c9b4e6600dbf

SHA1
01929725e155665c401d4064a60cf16626c87bda

SHA256
73244803cd54f490f0e43ff993a3ae86bf3c3c89b740b8300576465e17ddc7d2

SHA512
e22c2d6352eba537a629b6ed7faabb7c36eaf140bbbe7be7ef0aeaabe3d778daaed9b15c19ea3e8ab3163ce5809253f48ca7165b4ec1870365aa9074ab468cae

Download Submit
C:\Windows\LMIBE82.tmp\rescue.log

Filesize
9KB

MD5
f907e8312015eb1e4db3acb561698ce0

SHA1
80439833dc42c1588a2aaa234682284a6266c687

SHA256
cf1dbb065ef16e94e3b1da81c8ac5a2296dd106b3a7390f1eeed7710a0cf8a06

SHA512
c10fc4ab44521245ba7113678c92ea15c00cc1fe06878c66b4f64a1cd30d5143e1082fc2bf2ebd821d94591c3366bd3e03aa460b4880ca4255885dfa4399caa9

Download Submit
C:\Windows\LMIBE82.tmp\rescue.log

Filesize
10KB

MD5
e71eac46c2e10c9da57c712fbd065c7e

SHA1
fc8d4b017b87d5f2aead613e70941332f6718e33

SHA256
78e32c7b0ab72ee24e0ae3ff9f6af2549cf6eded02350e45ccdf34e43519859f

SHA512
fa511e16e082c186edb784e8a4398c6f9c2cfda5a15419e901fb2ec1008f5cfbd31bec56cd11f87bbeca65108e980e0e5fc64226b4d5a82672b0e5d2604c98b7

Download Submit
C:\Windows\LMIBE82.tmp\rescue.log

Filesize
10KB

MD5
b3a0ae86fc0e36213400bd3c1a935728

SHA1
d414d15e872f8b311ba91cae2a7cc13516b5d359

SHA256
194028e0f1736e67d131233156e5d84192d46bd2c6420737c3bda0b65efc48df

SHA512
5e05182d6729d250d6ef25e1dc950f3fffc523eeb71af01922551def745fe56da386aeab8d3eb3618d12e27cdf30f7ddd6abbbf09bb4d4ba5c0c8e4ad413d19f

Download Submit
C:\Windows\LMIBE82.tmp\rescue.log

Filesize
11KB

MD5
ff59f0e3ed09e55400e02d4ddb08f46b

SHA1
8b8839e7c9474cee3bf8a3733677c105bc78deeb

SHA256
ee9a723437049eb9431321a91550de93a8e47f4e58db83918e9cf30aad671669

SHA512
1db22ddea773252fd72599bfd8c30f76e18ae3bf8a5626f70d6cd7b1c1691da2465506c6e82a0b8c92a3a6520a20dac1442d75296d15248194e9a8d99ba6d81d

Download Submit