Overview

overview

8

Static

static

e5bbca000a...fe.exe

windows7-x64

8

e5bbca000a...fe.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-12-2022 06:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e5bbca000aa7578b071b0bccc07791e0e47c6076335eef3588ae79be1d3526fe.exe

  • Size

    942KB

  • MD5

    702897d3f7b44d7f72fa093be80cd93a

  • SHA1

    0ab447cdc25009f4fa9519f5c5c333eea499027d

  • SHA256

    e5bbca000aa7578b071b0bccc07791e0e47c6076335eef3588ae79be1d3526fe

  • SHA512

    a4c5d1761fa037069cffd770a1626b40cbb3f038649b4ac2d4c3ffa915d25a705f84d59585363201b4bfa962ba7ccc64c92295160b75431a603757d3263bb40a

  • SSDEEP

    24576:6rNb0aldVwHBBA5WXlo6sNWqdsFdZYviowhtjlON1tHE:Y08dVMBBRloafYvid6DE

Score
8/10
bootkitevasionpersistencetrojan

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in Windows directory 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e5bbca000aa7578b071b0bccc07791e0e47c6076335eef3588ae79be1d3526fe.exe
    "C:\Users\Admin\AppData\Local\Temp\e5bbca000aa7578b071b0bccc07791e0e47c6076335eef3588ae79be1d3526fe.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:4572
    • C:\Windows\LMIB8D5.tmp\lmi_instantchat.exe
      "C:\Windows\LMIB8D5.tmp\lmi_instantchat.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Writes to the Master Boot Record (MBR)
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2276

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Bootkit

1
T1067

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\LMIB8D5.tmp\lmi_instantchat.exe
    Filesize

    1.7MB

    MD5

    c52eb58a5ea072346702d0ea5a364737

    SHA1

    fc424772c5a1acea8a60c815a3f7966052cdd698

    SHA256

    1c150a386f9d0942461b9cc700814964d5dfe1e74f9e9df6dcfa00a1861b3c00

    SHA512

    f12ea8b561c331806407d29b940400441eab920fa9e55b96c949a32599bfeb3fe2eca6ccb2f5a29783432f1694bfda0550b294dc39cad1cb432434b1b24b9682

    Download Submit
  • C:\Windows\LMIB8D5.tmp\lmi_instantchat.exe
    Filesize

    1.7MB

    MD5

    c52eb58a5ea072346702d0ea5a364737

    SHA1

    fc424772c5a1acea8a60c815a3f7966052cdd698

    SHA256

    1c150a386f9d0942461b9cc700814964d5dfe1e74f9e9df6dcfa00a1861b3c00

    SHA512

    f12ea8b561c331806407d29b940400441eab920fa9e55b96c949a32599bfeb3fe2eca6ccb2f5a29783432f1694bfda0550b294dc39cad1cb432434b1b24b9682

    Download Submit
  • C:\Windows\LMIB8D5.tmp\params.txt
    Filesize

    560B

    MD5

    a20c9d92aee63a980c42064fa01b4053

    SHA1

    7a409a89bb573d528e1f51e4b8696cf7e6b659bb

    SHA256

    47c870a2bc85d362fb733ecc6003b2c755f3369452be5121e16b0aa82ec681f6

    SHA512

    64cdb90727273d01b7dd6717f84a2760753e03d672b755dbb3d2d79dd57652710ac53f854c69787cf39f20a5586cb8e2db9c8022608a28c27a235d78258b0aa7

    Download Submit
  • C:\Windows\LMIB8D5.tmp\rahook.dll
    Filesize

    173KB

    MD5

    bf790824092803a6384371b3996d0143

    SHA1

    81a870b23b999817516a5a47f01b0bf1f862c223

    SHA256

    585234c1ed97e97bf46a11967e0d82c0118423835627ffdddf7343ebb92ca120

    SHA512

    46f6b2c3e5b930d8358933fcb9f5a24b5a666fd0567501563143763da9e14da7317da19bc26ae3d35716fd17807686519dc78921b7ff79fdbf60746398457d9e

    Download Submit
  • C:\Windows\LMIB8D5.tmp\rahook.dll
    Filesize

    173KB

    MD5

    bf790824092803a6384371b3996d0143

    SHA1

    81a870b23b999817516a5a47f01b0bf1f862c223

    SHA256

    585234c1ed97e97bf46a11967e0d82c0118423835627ffdddf7343ebb92ca120

    SHA512

    46f6b2c3e5b930d8358933fcb9f5a24b5a666fd0567501563143763da9e14da7317da19bc26ae3d35716fd17807686519dc78921b7ff79fdbf60746398457d9e

    Download Submit
  • C:\Windows\LMIB8D5.tmp\rescue.ico
    Filesize

    48KB

    MD5

    51fa8f4746f1a481c5ea25931e99ed77

    SHA1

    76a78677e527a0564533d90ed16fe5d7da8102e2

    SHA256

    ad3ec59a6f04578dc4dd9b85dbb2552019fb509201524c6cb8d06fea73da62d7

    SHA512

    c7a3a40ec447800297138c8ae35739c080388654f1afeb3a2c55080477615efbce94f05a3683f3f5528e9eb8e0ab5477be3f396a7b32e21cfd73b39e68197b29

    Download Submit
  • memory/2276-132-0x0000000000000000-mapping.dmp
    Download