lmutil[.]exe | Triage

Resubmissions

10/03/2023, 08:49

230310-kq5q8scd68 1

10/03/2023, 08:02

230310-jxf6sacc56 1

Sharing

Copy URL Twitter E-mail

General

Target

lmutil.exe
Size

1.9MB
MD5

70d30fcdf03b975f7708e80108efb301
SHA1

f76edb0270a4be9f1863a7c735ccf198dbb86de6
SHA256

c51265691c4140ad566f3235dbabbf42deb85ec3c107ecf5b2cdc560b8629c9f
SHA512

eea60ed3b190220a3a860127dfdc34f876ea61c3ed71c9b5b280b3b46d2596784aee99051c49fc942b364ca33d8f80dcb9e05cf059f3f194bbcce0e3c6e092eb
SSDEEP

24576:1G8zj59pjkvhAA6J3tcEnB0TYjZlwBfvdn1k0HjL2a/7SZz+6yN2svoFv0EI+u3y:59povhlejeTcZlyjLt/WZzEv8xrmy

Score

1^/10

Malware Config

Signatures

Files

lmutil.exe
.exe windows x64

d51dc22c45096cc57df796a347f97ee6

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

1f:b1:c2:47:5f:e9:0b:2b:6f:c6:df:84:00:db:d3:d1
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

30/09/2011, 00:00

Not After

29/09/2014, 23:59

Subject

CN=Flexera Software LLC,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Flexera Software LLC,L=Schaumburg,ST=Illinois,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

ff:64:7b:c9:0c:8c:3d:98:96:d1:5f:81:b9:a9:0e:1f:ce:7b:54:16
Signer

Actual PE Digest

ff:64:7b:c9:0c:8c:3d:98:96:d1:5f:81:b9:a9:0e:1f:ce:7b:54:16

Digest Algorithm

sha1

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Flexera Software LLC,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Flexera Software LLC,L=Schaumburg,ST=Illinois,C=US

03/07/2013, 12:35
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

FlsSetValue
TlsFree
FlsFree
SetLastError
GetCurrentThreadId
TlsSetValue
FlsAlloc
HeapSetInformation
HeapCreate
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
LeaveCriticalSection
EnterCriticalSection
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
IsDebuggerPresent
RtlCaptureContext
FreeLibrary
LoadLibraryA
InitializeCriticalSection
TlsAlloc
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
HeapSize
MultiByteToWideChar
GetLocaleInfoA
HeapReAlloc
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
RtlVirtualUnwind
RtlLookupFunctionEntry
GetTimeZoneInformation
CompareStringA
CompareStringW
SetEnvironmentVariableA
FlsGetValue
DeleteCriticalSection
GetStartupInfoA
GetFileType
SetHandleCount
GetEnvironmentStringsW
GetLastError
WideCharToMultiByte
lstrcmpA
SystemTimeToTzSpecificLocalTime
FreeEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsA
RtlUnwindEx
GetModuleFileNameA
GetStdHandle
WriteFile
ExitProcess
GetModuleHandleA
GetProcAddress
SetUnhandledExceptionFilter
GetProcessHeap
HeapAlloc
GetVersionExA
HeapFree
Sleep
WriteConsoleW
GetCommandLineW
GetEnvironmentVariableA
GetEnvironmentVariableW
GetSystemDirectoryA
lstrlenA
GetWindowsDirectoryA
GetVersion
SetErrorMode
SetHandleInformation
FormatMessageA
CloseHandle
ReleaseMutex
WaitForSingleObject
CreateMutexA
GetLocalTime
GetProcessTimes
FindFirstFileW
FindFirstFileA
FindNextFileW
FindNextFileA
FindClose
ResetEvent
CreateEventA
SetEvent
GetVolumeInformationA
GetDriveTypeA
LocalFree
DeviceIoControl
CreateFileA
LocalAlloc
TlsGetValue
SystemTimeToFileTime
GetSystemTime
FileTimeToSystemTime
ReadFile
GetFileSize
SearchPathA
CreateSemaphoreA
OpenSemaphoreA
ReleaseSemaphore
FileTimeToLocalFileTime
GetFileInformationByHandle
PeekNamedPipe
CreateFileW
GetDriveTypeW
MoveFileA
MoveFileW
GetFileAttributesW
DeleteFileA
DeleteFileW
ExitThread
ResumeThread
CreateThread
CreateProcessA
DuplicateHandle
GetConsoleCP
GetConsoleMode
FlushFileBuffers
SetStdHandle
SetFilePointer
SetEndOfFile
GetFullPathNameA
GetCurrentDirectoryA
GetFullPathNameW
SetEnvironmentVariableW
GetFileAttributesA
CreatePipe
WriteConsoleA
GetConsoleOutputCP
GetCommandLineA

wsock32

socket
connect
select
closesocket
recv
__WSAFDIsSet
ntohs
WSASetLastError
inet_addr
send
inet_ntoa
setsockopt
gethostname
WSACleanup
WSAStartup
getsockname
htonl
getservbyname
htons
ioctlsocket
WSAGetLastError
gethostbyname
getservbyport
gethostbyaddr
getsockopt
ntohl

user32

SetDlgItemTextA
GetDlgItemTextW
GetDlgItemTextA
EndDialog
GetParent
GetFocus
SetFocus
SetWindowTextA
MessageBeep
MoveWindow
ScreenToClient
GetClientRect
wsprintfA
CreateDialogIndirectParamA
DialogBoxIndirectParamA
MessageBoxA
GetWindowLongA
SendMessageA
GetDlgItem
GetWindowRect
EnableWindow
GetActiveWindow
GetSystemMetrics
ShowWindow

advapi32

RegCloseKey
RegEnumValueA
RegOpenKeyExA
RegDeleteValueA
RegQueryValueExA
RegQueryValueExW
RegSetValueExA
RegSetValueExW
GetUserNameA
GetUserNameW
RegCreateKeyExA
RegEnumKeyExA
RegQueryInfoKeyA

netapi32

Netbios

comctl32

ord17

comdlg32

GetOpenFileNameA

oleaut32

SysStringLen
VariantClear
SysFreeString
SysAllocStringLen
SysAllocString
VariantInit

ole32

CoCreateInstance
CoSetProxyBlanket
CoUninitialize
CoInitializeSecurity
CoInitializeEx

wintrust

WinVerifyTrust

crypt32

CryptMsgClose
CertCloseStore
CertFreeCertificateContext
CertFindCertificateInStore
CryptMsgGetParam
CryptQueryObject
CertGetNameStringA
CryptDecodeObject

Sections

.text
Size: 412KB - Virtual size: 412KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.textidx
Size: 1.2MB - Virtual size: 1.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 101KB - Virtual size: 100KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 175KB - Virtual size: 407KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 45KB - Virtual size: 45KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.fnp_dir
Size: 512B - Virtual size: 120B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.fnp_mar
Size: 512B - Virtual size: 1B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Resubmissions

Sharing

General

Malware Config

Signatures

Files

d51dc22c45096cc57df796a347f97ee6

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

1f:b1:c2:47:5f:e9:0b:2b:6f:c6:df:84:00:db:d3:d1Certificate

Extended Key Usages

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

ff:64:7b:c9:0c:8c:3d:98:96:d1:5f:81:b9:a9:0e:1f:ce:7b:54:16Signer

Signature Validations

Verification

03/07/2013, 12:35 Valid: false

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

wsock32

user32

advapi32

netapi32

comctl32

comdlg32

oleaut32

ole32

wintrust

crypt32

Sections

.text Size: 412KB - Virtual size: 412KB

.textidx Size: 1.2MB - Virtual size: 1.2MB

.rdata Size: 101KB - Virtual size: 100KB

.data Size: 175KB - Virtual size: 407KB

.pdata Size: 45KB - Virtual size: 45KB

.fnp_dir Size: 512B - Virtual size: 120B

.fnp_mar Size: 512B - Virtual size: 1B

.rsrc Size: 2KB - Virtual size: 1KB

.reloc Size: 8KB - Virtual size: 7KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

1f:b1:c2:47:5f:e9:0b:2b:6f:c6:df:84:00:db:d3:d1
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

ff:64:7b:c9:0c:8c:3d:98:96:d1:5f:81:b9:a9:0e:1f:ce:7b:54:16
Signer

03/07/2013, 12:35
Valid: false

.text
Size: 412KB - Virtual size: 412KB

.textidx
Size: 1.2MB - Virtual size: 1.2MB

.rdata
Size: 101KB - Virtual size: 100KB

.data
Size: 175KB - Virtual size: 407KB

.pdata
Size: 45KB - Virtual size: 45KB

.fnp_dir
Size: 512B - Virtual size: 120B

.fnp_mar
Size: 512B - Virtual size: 1B

.rsrc
Size: 2KB - Virtual size: 1KB

.reloc
Size: 8KB - Virtual size: 7KB