Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-02-2024 23:14
Behavioral task: behavioral1
- Sample: lkmh.exe
- Resource: win7-20240221-en
- 4 signatures
- 150 seconds

Behavioral task: behavioral2
- Sample: lkmh.exe
- Resource: win10v2004-20240221-en
- 4 signatures
- 150 seconds
General
- Target: lkmh.exe
- Size: 93KB
- MD5: b53512c1b7070a4dc49bb0f892c9b373
- SHA1: a65167546e99e235eb8c312cf5cd9e7be844c7c6
- SHA256: ac927442783fcbe76844b6690f6e80b0fe10c214fd540a40f94d56ab0fa93ff6
- SHA512: d86a40909f9e8369f1c025cc13a3e9f7f9068da958ba22d9d47885885af5e9843cb2974724fe45fdc419f8617c9b7be336d3c8b29c3d31773ac78042462bae79
- SSDEEP: 768:FY3oyU3hWXxyFcxovUKUJuROprXtWN8eYhYbmXxrjEtCdnl2pi1Rz4Rk3GsGdpv3:oURWhIUKcuOJhPhBjEwzGi1dDiDvgS
- Score: 8/10
Malware Config
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid   Process
  2076  netsh.exe

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  64    lkmh.exe

- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  description                        pid   Process
  Token: SeDebugPrivilege            64    lkmh.exe
  Token: 33                          64    lkmh.exe
  Token: SeIncBasePriorityPrivilege  64    lkmh.exe
  Token: 33                          64    lkmh.exe
  Token: SeIncBasePriorityPrivilege  64    lkmh.exe
  Token: 33                          64    lkmh.exe
  Token: SeIncBasePriorityPrivilege  64    lkmh.exe
  Token: 33                          64    lkmh.exe
  Token: SeIncBasePriorityPrivilege  64    lkmh.exe
  Token: 33                          64    lkmh.exe
  Token: SeIncBasePriorityPrivilege  64    lkmh.exe
  Token: 33                          64    lkmh.exe
  Token: SeIncBasePriorityPrivilege  64    lkmh.exe
  Token: 33                          64    lkmh.exe
  Token: SeIncBasePriorityPrivilege  64    lkmh.exe
  Token: 33                          64    lkmh.exe
  Token: SeIncBasePriorityPrivilege  64    lkmh.exe
  Token: 33                          64    lkmh.exe
  Token: SeIncBasePriorityPrivilege  64    lkmh.exe
  Token: 33                          64    lkmh.exe
  Token: SeIncBasePriorityPrivilege  64    lkmh.exe
  Token: 33                          64    lkmh.exe
  Token: SeIncBasePriorityPrivilege  64    lkmh.exe
  Token: 33                          64    lkmh.exe
  Token: SeIncBasePriorityPrivilege  64    lkmh.exe
  Token: 33                          64    lkmh.exe
  Token: SeIncBasePriorityPrivilege  64    lkmh.exe
  Token: 33                          64    lkmh.exe
  Token: SeIncBasePriorityPrivilege  64    lkmh.exe
  Token: 33                          64    lkmh.exe
  Token: SeIncBasePriorityPrivilege  64    lkmh.exe
  Token: 33                          64    lkmh.exe
  Token: SeIncBasePriorityPrivilege  64    lkmh.exe
  Token: 33                          64    lkmh.exe
  Token: SeIncBasePriorityPrivilege  64    lkmh.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  description                         pid   Process   procid_target
  PID 64 wrote to memory of 2076      64    lkmh.exe  85
  PID 64 wrote to memory of 2076      64    lkmh.exe  85
  PID 64 wrote to memory of 2076      64    lkmh.exe  85
Processes
- C:\Users\Admin\AppData\Local\Temp\lkmh.exe (PID: 64, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\lkmh.exe"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe (PID: 2076, level 2)
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\lkmh.exe" "lkmh.exe" ENABLE
    - Modifies Windows Firewall