d58144ddb0c778e5a7ed6b0c6777e0a3f97df41925f2edc13a4527f094be39d0

General

Target

549542bc60e388f28e77fc43197ce38b.exe
Size

26.5MB
MD5

549542bc60e388f28e77fc43197ce38b
SHA1

250343a5fbf5351150281d3028f2ca60fc7bb282
SHA256

d58144ddb0c778e5a7ed6b0c6777e0a3f97df41925f2edc13a4527f094be39d0
SHA512

bea0a3d2470ebc62eb2c96aa71664a1408ff63554c2ce2a3b7bf7ab745eb7f4d54fb1651f84de4e5016e1c4e41343f532f5c0cf4e0926552e5d8b999313cd350
SSDEEP

786432:ef/hfOfVfMfZfMfGfgfMfe/hfOfLVfMfZfMfGfgfz:ex29kxkuokq2pkxkuo7

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4680	lbmxlt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 18 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	lbmxlt.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	lbmxlt.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	lbmxlt.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	lbmxlt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	lbmxlt.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	lbmxlt.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	lbmxlt.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	lbmxlt.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	lbmxlt.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	lbmxlt.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	lbmxlt.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	lbmxlt.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	lbmxlt.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	lbmxlt.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	lbmxlt.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	lbmxlt.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	lbmxlt.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	lbmxlt.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1480	549542bc60e388f28e77fc43197ce38b.exe
1480	549542bc60e388f28e77fc43197ce38b.exe
1480	549542bc60e388f28e77fc43197ce38b.exe
1480	549542bc60e388f28e77fc43197ce38b.exe
4680	lbmxlt.exe
4680	lbmxlt.exe
4680	lbmxlt.exe
4680	lbmxlt.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4680	lbmxlt.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 4680	1480	549542bc60e388f28e77fc43197ce38b.exe	92
PID 1480 wrote to memory of 4680	1480	549542bc60e388f28e77fc43197ce38b.exe	92
PID 1480 wrote to memory of 4680	1480	549542bc60e388f28e77fc43197ce38b.exe	92

C:\Users\Admin\AppData\Local\Temp\549542bc60e388f28e77fc43197ce38b.exe
"C:\Users\Admin\AppData\Local\Temp\549542bc60e388f28e77fc43197ce38b.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Users\Admin\AppData\Local\Temp\lbmxlt.exe
  C:\Users\Admin\AppData\Local\Temp\lbmxlt.exe -run C:\Users\Admin\AppData\Local\Temp\549542bc60e388f28e77fc43197ce38b.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lbmxlt.exe

Filesize
3.1MB

MD5
6ee12a04d16ab8dfe767aafa5782f6d4

SHA1
a204d20a20ebff9c579f4d3ffad267de98855041

SHA256
0a84ca43d8774f8251a84a53e234da573565f6cc55de324d7fe9e6bc7a7a0cd5

SHA512
6d986ccf15ac7d0056ae9b404791d9b3777d4576d4887251daa9be21f044d48c8321375b28e0e820e0dcb5be8cbe1bd109c5e675e0471bbe7138c14aaeb0124b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lbmxlt.exe

Filesize
3.3MB

MD5
10da518ec4031e5455ee88b0c146dfdd

SHA1
65e3c9b38919ebc8f01cb47570a9bb61a63e9131

SHA256
bd7bc958f33d7769fe81fb32b07f462c836d2c0ee63ccd65e563160f816900c0

SHA512
f987cab365d64aad3831befaa57d032d06c563fc03dc753bc83ef658bdad0ad3804b1ff09e30c0916f09e1958a3a217b1ad272480300c1f1497ac9d435ef0d86

Download Submit
memory/1480-0-0x0000000000400000-0x00000000005C3000-memory.dmp

Filesize
1.8MB

Download
memory/1480-7-0x0000000000400000-0x00000000005C3000-memory.dmp

Filesize
1.8MB

Download
memory/4680-8-0x0000000000400000-0x00000000005C3000-memory.dmp

Filesize
1.8MB

Download
memory/4680-11-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/4680-12-0x0000000000400000-0x00000000005C3000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing