faf65515e7d8ab1be66ac53079f50482740a0cdcb623ec9e65ace573bedceb8a

Analysis

max time kernel
137s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2024, 04:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

faf65515e7d8ab1be66ac53079f50482740a0cdcb623ec9e65ace573bedceb8a.exe
Size

459KB
MD5

2e868ea1b1207b4c88944e6ca968e5c0
SHA1

a458ea640c02944ed604af9105ee626d7ccbf450
SHA256

faf65515e7d8ab1be66ac53079f50482740a0cdcb623ec9e65ace573bedceb8a
SHA512

604f59fb1d1d7b4356817a402415c68815d61886460e20799ff74907dc61fb4ccf9bba513800a472e95981925d86a504225dc1bb7803a2d5e2e6b2534eb1d5d6
SSDEEP

12288:l0klQ4GUW7sa0dX50I9h8MWQ6hV2jMB4pky:+43W7sa0dX50I9h16hV2jBv

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
212	lzlh.exe
3092	lzlh.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	lzlh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
3092	lzlh.exe
3092	lzlh.exe
3092	lzlh.exe
3092	lzlh.exe
3092	lzlh.exe
3092	lzlh.exe
3092	lzlh.exe
3092	lzlh.exe
3092	lzlh.exe
3092	lzlh.exe
3092	lzlh.exe
3092	lzlh.exe
3092	lzlh.exe
3092	lzlh.exe
3092	lzlh.exe
3092	lzlh.exe
3092	lzlh.exe
3092	lzlh.exe
3092	lzlh.exe
3092	lzlh.exe
3092	lzlh.exe
3092	lzlh.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
212	lzlh.exe
212	lzlh.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4732 wrote to memory of 212	4732	faf65515e7d8ab1be66ac53079f50482740a0cdcb623ec9e65ace573bedceb8a.exe	88
PID 4732 wrote to memory of 212	4732	faf65515e7d8ab1be66ac53079f50482740a0cdcb623ec9e65ace573bedceb8a.exe	88
PID 4732 wrote to memory of 212	4732	faf65515e7d8ab1be66ac53079f50482740a0cdcb623ec9e65ace573bedceb8a.exe	88
PID 4732 wrote to memory of 3092	4732	faf65515e7d8ab1be66ac53079f50482740a0cdcb623ec9e65ace573bedceb8a.exe	89
PID 4732 wrote to memory of 3092	4732	faf65515e7d8ab1be66ac53079f50482740a0cdcb623ec9e65ace573bedceb8a.exe	89
PID 4732 wrote to memory of 3092	4732	faf65515e7d8ab1be66ac53079f50482740a0cdcb623ec9e65ace573bedceb8a.exe	89

C:\Users\Admin\AppData\Local\Temp\faf65515e7d8ab1be66ac53079f50482740a0cdcb623ec9e65ace573bedceb8a.exe
"C:\Users\Admin\AppData\Local\Temp\faf65515e7d8ab1be66ac53079f50482740a0cdcb623ec9e65ace573bedceb8a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4732
- C:\Users\Admin\AppData\Roaming\37\lzlh\lzlh.exe
  "C:\Users\Admin\AppData\Roaming\37\lzlh\lzlh.exe" /autorun /setuprun
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:212
- C:\Users\Admin\AppData\Roaming\37\lzlh\lzlh.exe
  "C:\Users\Admin\AppData\Roaming\37\lzlh\lzlh.exe" /setupsucc
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  PID:3092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\37\lzlh\Lander.ini

Filesize
479B

MD5
8f0d62d681ff9f945a73e22798fa2c56

SHA1
b04feed1425860cc71d75652ce778b6aad0e1a86

SHA256
a876ce468df1dcff7de419cb447fd131c6d35702dbb7bc056ab24f0c3d0faf30

SHA512
4a9066c2ff732bbb888040544634e9506f9909b12fde43d2787719c94c623c4b24bc24c41f67fc5205ee30defc4f3a9af581efdff0bdbfc8df2cdcded5f2f88e

Download Submit
C:\Users\Admin\AppData\Roaming\37\lzlh\Lander.ini

Filesize
511B

MD5
34d59efd8bc00e46c1cadeb07d6cc0a2

SHA1
f46db0d7a75daf52aa4f192b77af17173dcc948b

SHA256
aee7e7a0e63acc7d3c0cb1494427cfb08e4681cf8adc19dc7e0f51f0fce2bdaa

SHA512
55db92553dc858b61d013d094f041bc14e745e257310eedabe10821ab415153a759f467ace392bef371b94cd084b4ee9db2c834a706011cd1445d114fa39cc77

Download Submit
C:\Users\Admin\AppData\Roaming\37\lzlh\lander.ini

Filesize
448B

MD5
aa7c341421b68f61ce2182aaa30d7335

SHA1
15d30cbe49f3abd925d4700e9499600124b102a9

SHA256
c1093f965e41b147a206333ab41edd24e5e3e75fa8c2ff4df3be02106f4dab05

SHA512
ecf3c85f588ae9e555b981062df077d3857e61f7c1ba7aa3bb2539c975343257bf5ee7cae29360f1195251b3323a31c8d111384046a9cf3325f8c7ab699a9a81

Download Submit
C:\Users\Admin\AppData\Roaming\37\lzlh\lzlh.exe

Filesize
1.9MB

MD5
5ba2235bb9de7b23016a9f64fd07e9f1

SHA1
48830f67f6821985a933e1e5f96d2e3cf5c10391

SHA256
fb479e97fad7d4f50c9ff18cb3fd3b76b6c31f1d3cfacf14acaa7fb1578b2927

SHA512
e3412fbcfc9ed86afcddb4331b07e60689c097457f8c9d99baf851c6ac266949866d83c4a6bb37e0f4a2f65ba8627d166b49005e58bb383a118333c297d45772

Download Submit
memory/212-41-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download
memory/212-49-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download