aeb23837ecbd020ff30a2ce773766711748156114f24372412b984d318e2b858

General

Target

aeb23837ecbd020ff30a2ce773766711748156114f24372412b984d318e2b858.exe
Size

835KB
MD5

d93cb300a57d4e1e9b675ed33fe7b6bd
SHA1

9c5e33c88c6eebd0a0d647c5342b8d11f9bd7d79
SHA256

aeb23837ecbd020ff30a2ce773766711748156114f24372412b984d318e2b858
SHA512

747dc83642444589a1147eda3e6b6224b872915ee896cbfd04a5a120e0d5760383fcc68f40673f1256210a64e80c5a35dd9fd6123aae39f3ca014e6a4b6816fa
SSDEEP

12288:RTw0pQSSJuwO5iJp3fqucoSNvpA43P9p9IqQcNW2+stiAZUQCqHBF:RLpQtJunSwtHNBBlIRtG/Z1Cqb

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1256	lmi_rescue.exe

Loads dropped DLL 2 IoCs

pid	Process
1216	aeb23837ecbd020ff30a2ce773766711748156114f24372412b984d318e2b858.exe
1256	lmi_rescue.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	lmi_rescue.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*LogMeInRescue_3951780443 = "\"C:\\Windows\\LMI7FAC.tmp\\lmi_rescue.exe\" -runonce reboot"	lmi_rescue.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lmi_rescue.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	lmi_rescue.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LMI7FAC.tmp\rescue.log	lmi_rescue.exe
File opened for modification	C:\Windows\LMI7FAC.tmp\params.txt	lmi_rescue.exe
File created	C:\Windows\LMI7FAC.tmp\lmi_rescue.exe	aeb23837ecbd020ff30a2ce773766711748156114f24372412b984d318e2b858.exe
File created	C:\Windows\LMI7FAC.tmp\rahook.dll	aeb23837ecbd020ff30a2ce773766711748156114f24372412b984d318e2b858.exe
File created	C:\Windows\LMI7FAC.tmp\ra64app.exe	aeb23837ecbd020ff30a2ce773766711748156114f24372412b984d318e2b858.exe
File created	C:\Windows\LMI7FAC.tmp\params.txt	aeb23837ecbd020ff30a2ce773766711748156114f24372412b984d318e2b858.exe
File created	C:\Windows\LMI7FAC.tmp\logo.bmp	aeb23837ecbd020ff30a2ce773766711748156114f24372412b984d318e2b858.exe
File created	C:\Windows\LMI7FAC.tmp\rescue.ico	aeb23837ecbd020ff30a2ce773766711748156114f24372412b984d318e2b858.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1256	lmi_rescue.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1256	lmi_rescue.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 1256	1216	aeb23837ecbd020ff30a2ce773766711748156114f24372412b984d318e2b858.exe	28
PID 1216 wrote to memory of 1256	1216	aeb23837ecbd020ff30a2ce773766711748156114f24372412b984d318e2b858.exe	28
PID 1216 wrote to memory of 1256	1216	aeb23837ecbd020ff30a2ce773766711748156114f24372412b984d318e2b858.exe	28
PID 1216 wrote to memory of 1256	1216	aeb23837ecbd020ff30a2ce773766711748156114f24372412b984d318e2b858.exe	28

C:\Users\Admin\AppData\Local\Temp\aeb23837ecbd020ff30a2ce773766711748156114f24372412b984d318e2b858.exe
"C:\Users\Admin\AppData\Local\Temp\aeb23837ecbd020ff30a2ce773766711748156114f24372412b984d318e2b858.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Windows\LMI7FAC.tmp\lmi_rescue.exe
  "C:\Windows\LMI7FAC.tmp\lmi_rescue.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1256

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\LMI7FAC.tmp\lmi_rescue.exe

Filesize
1.6MB

MD5
091181b2f29c1c7c510b291ad908bc23

SHA1
aacb448cea0e6771dbda08fe78aac2d62e977d40

SHA256
91af7d382914b63229db2e6b3eabe0980af94fb7e22931c09a949c437e45bb75

SHA512
e0d2f60d34811b32c37ffdc8f3e4490e5c6daa7cda3c829a5e21913573e46e8ab0c40dd0406ae8a527f40505b39fcf22c871716193a02162c7686fd5bef093ab

Download Submit
C:\Windows\LMI7FAC.tmp\logo.bmp

Filesize
7KB

MD5
d982e8a060540086a3732069a29f453e

SHA1
616c3ec71577045c945fb8c82304bc820cbdc28f

SHA256
35213ded23a27928e3141847012d1f7ca608087c96964b0b05876c6a1a5690d5

SHA512
2cdf13152997031daccc4ca3598a1e644890b68f4c50a4802a313f87290ad42523f348aaaa0d15257ab39d0ef5f1118b46eb4eadadd836279f98920b3b62e47f

Download Submit
C:\Windows\LMI7FAC.tmp\params.txt

Filesize
126B

MD5
28bcba0a0642add163e3915226c5462c

SHA1
6aa40fb72fd7d9cb840f56ac1bcce867e8fe261c

SHA256
f818709aa17a523a3a0603db9984105abac574ff1b0861557fc083d5ae94a251

SHA512
8980d09ad32e73a5c245a375d4382ed28a28cca605cf247be3e84f9579d87d34ddd85022282493b950dc4994e9d01479748f5b439783d55163c21f423d49e5ec

Download Submit
C:\Windows\LMI7FAC.tmp\rahook.dll

Filesize
173KB

MD5
d93540d74f0c59ac67e4daa085d38cbc

SHA1
904921f4521058eab2dfa3041d5393f8b069f4cc

SHA256
af1513934a0465c146ccbb652e6cae92071c7ebaa96ab2717b6e6d011b1cbb6f

SHA512
40277ec4bf526c1d7e7a229e040ca2e8abdba43ff6b5c38c947bf50302690df1d3742fb3faa608fad512f839b4170de69c03221f1d14a6620b9ebb089de68fff

Download Submit
C:\Windows\LMI7FAC.tmp\rescue.ico

Filesize
27KB

MD5
abbcf1281e680d20a2c1afa4fdaf77dd

SHA1
c5408de4a847c7be39cf9682f30c68858d63f3c3

SHA256
8ed42266386b840c9e10ea0ea55b2f8107fb48fb7fe0ea6767d79cbd82ec3eb8

SHA512
0ae52141e0be8c968dbd2407dc5c4bbf0f213efea223bf7e9ae03ddc19072f93dcec28c60efec45785cdc9095f8b34b972e57a32c2564dc4534f5b845f2b45fc

Download Submit
\Windows\LMI7FAC.tmp\lmi_rescue.exe

Filesize
1.6MB

MD5
091181b2f29c1c7c510b291ad908bc23

SHA1
aacb448cea0e6771dbda08fe78aac2d62e977d40

SHA256
91af7d382914b63229db2e6b3eabe0980af94fb7e22931c09a949c437e45bb75

SHA512
e0d2f60d34811b32c37ffdc8f3e4490e5c6daa7cda3c829a5e21913573e46e8ab0c40dd0406ae8a527f40505b39fcf22c871716193a02162c7686fd5bef093ab

Download Submit
\Windows\LMI7FAC.tmp\rahook.dll

Filesize
173KB

MD5
d93540d74f0c59ac67e4daa085d38cbc

SHA1
904921f4521058eab2dfa3041d5393f8b069f4cc

SHA256
af1513934a0465c146ccbb652e6cae92071c7ebaa96ab2717b6e6d011b1cbb6f

SHA512
40277ec4bf526c1d7e7a229e040ca2e8abdba43ff6b5c38c947bf50302690df1d3742fb3faa608fad512f839b4170de69c03221f1d14a6620b9ebb089de68fff

Download Submit
memory/1256-57-0x0000000075881000-0x0000000075883000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing