Malware Analysis Report

2025-01-03 09:27

Sample ID: 240605-aez2hagg74
Target: 1b5a630bc353017a43a4f2451142c360_NeikiAnalytics.exe
SHA256: 8de6fca3a579c6f03570d809acddb735c8645c8b456e2c77bb1b6473dfba6f13
Tags: bootkit, evasion, persistence, trojan
Score: 6/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file 1b5a630bc353017a43a4f2451142c360_NeikiAnalytics.exe was found to show suspicious behavior.

Malicious Activity Summary

bootkit evasion persistence trojan

Writes to the Master Boot Record (MBR)

Adds Run key to start application

Checks whether UAC is enabled

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Analysis: static1

Detonation Overview

Reported

2024-06-05 00:08

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-05 00:08

Reported

2024-06-05 00:10

Platform

win7-20240508-en

Max time kernel

150s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1b5a630bc353017a43a4f2451142c360_NeikiAnalytics.exe"

Signatures

Adds Run key to start application

Tags: persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*LogMeInRescue_1679365303 = "\"C:\\Users\\Admin\\AppData\\Local\\LogMeIn Rescue Applet\\LMIR001F4001.tmp\\LMI_Rescue.exe\" -runonce -reboot"
Process: C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F4001.tmp\LMI_Rescue_srv.exe
Target: N/A

Checks whether UAC is enabled

Tags: evasion, trojan
Description: Key value queried
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Process: C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F4001.tmp\LMI_Rescue_srv.exe
Target: N/A

Writes to the Master Boot Record (MBR)

Tags: bootkit, persistence
Description: File opened for modification
Indicator: \??\PhysicalDrive0
Process: C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F4001.tmp\LMI_Rescue_srv.exe
Target: N/A

Modifies registry class

Description: Key created
Indicator: \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Applications\LMI_Rescue.exe
Process: C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F4001.tmp\LMI_Rescue.exe
Target: N/A

Description: Key created
Indicator: \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Applications
Process: C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F4001.tmp\LMI_Rescue.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Applications\LMI_Rescue.exe\IsHostApp
Process: C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F4001.tmp\LMI_Rescue.exe
Target: N/A

Modifies system certificate store

Tags: evasion, spyware, trojan
Description: Key created
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436
Process: C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F4001.tmp\LMI_Rescue_srv.exe
Target: N/A

Description: Set value (data)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (binary certificate blob, omitted)
Process: C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F4001.tmp\LMI_Rescue_srv.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeCreateGlobalPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F4001.tmp\LMI_Rescue.exe
Target: N/A

Description: Token: SeCreateGlobalPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F4001.tmp\LMI_Rescue_srv.exe
Target: N/A

Suspicious use of SetWindowsHookEx

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F4001.tmp\LMI_Rescue.exe
Target: N/A

Suspicious use of WriteProcessMemory

Description: PID 1244 wrote to memory of 2460 (4 events)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\1b5a630bc353017a43a4f2451142c360_NeikiAnalytics.exe
Target: C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F4001.tmp\LMI_Rescue.exe

Description: PID 2460 wrote to memory of 2700 (4 events)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F4001.tmp\LMI_Rescue.exe
Target: C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F4001.tmp\LMI_Rescue_srv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1b5a630bc353017a43a4f2451142c360_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\1b5a630bc353017a43a4f2451142c360_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F4001.tmp\LMI_Rescue.exe

"C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F4001.tmp\LMI_Rescue.exe"

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F4001.tmp\LMI_Rescue_srv.exe

"C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F4001.tmp\LMI_Rescue_srv.exe" -wd "C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F4001.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 rescue-data-center.logmein-gateway.com udp
US 8.8.8.8:53 rescue-list.23.logmein-gateway.com udp
US 8.8.8.8:53 control.rsc-app23-05.logmeinrescue.com udp
GB 158.120.18.93:443 control.rsc-app23-05.logmeinrescue.com tcp

Files

\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F4001.tmp\LMI_Rescue.exe

MD5 adbd7b4c358ab53de29003b5a6975a3c
SHA1 e65a2498f965dd109f2683ccadc58b2f4a7d1578
SHA256 3b0dad646ef6a74ad83e7199731ed121eaeac932b3cd0557390660657a2c0a18
SHA512 556200b7a6d1f2129e6793d4a70f158e9180bb960cfddfabe084d5c6c91529f6bbedc94014235d3984b55442ec94b265406569939758eb761c4821a7d4b64b72

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F4001.tmp\params.txt

MD5 cfa9cacf0717c302b6d0a8fe6f2fdd9a
SHA1 d88a8ee9933dee0b5b4bda7f58eca8c83ae22f91
SHA256 b22e3c2e47698474596b7e204cf7b62e76a826e1ce31c57e186a497c9d78e474
SHA512 181c0d43bcd6c6a79c894d8d4291229271396cf0fe415d088e3027b89a4d2b7ae0acce9188320a3d6faa3da7b62989d261057249d6aceaacb8933bc8e3ac7a93

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F4001.tmp\session.log

MD5 f3cbdd5eca809e3d41ffec507df74fe1
SHA1 161b508d19a5073042483f0dc0beb77d957feca6
SHA256 9302e3874db6c88515fa593007138f822f173e2bd1bd684a4c3a7b2a571352ed
SHA512 a504501edae2c5c4e3132ee1778b8034e3c700e33ea0f61c6a7b3eee83ad8f87c56cdcb78b541e3673cb67fe32eaecdc9fb179821ce91089ed9ae3368913dc87

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F4001.tmp\rahook.dll

MD5 2076ba2fe7dd3f79a04aec8e6ec346df
SHA1 737bf7a98a5d7bbf92376607701d176b4d5f03da
SHA256 6e12a888387209cb1e1e8b12ce96a00dff438bb28e2a4e28e048cbbad2d0f607
SHA512 cff2da2244f8339f4c55152f50f8f10e996d00555afbb240bf1a53c116d8491c020be0a8447e5d91cf0bb74adcbc504864fb9b8de0cc5315bafbdafa8b16e3c1

memory/2460-28-0x00000000001E0000-0x0000000000502000-memory.dmp

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F4001.tmp\rescue.ico

MD5 de0f0ec7ec752b143fa7cedff430e944
SHA1 8634df0467431031f45d02d45bcbcaff35861394
SHA256 b4d18c2a89884c191b58f72215880af4af584b0bc715aeeb4413e5fc4f6a41ef
SHA512 6eb677ff83c375075645e78ca7c9091801d6a24d39c9c40a0e66f01a107122b140244b5e805bb98f692daf7b856d0b373ddd321b3a95b4431cc93b9eecb4620c

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F4001.tmp\RescueWinRTLib.dll

MD5 5967205baa79840f416e59b2e7288be3
SHA1 7c03fc2e5e93ad666db3ba1b4c66a5fa331d63d1
SHA256 d3bd3a8fa26c771ca698b57d775095fda43d29d3c40cb158d8030d693f469f6b
SHA512 566b0064bd2fead17e071a14e8c9156862aa74ba12c07361a1cbf7a4f9d668e6bea381afbefe5f5939534fcab638b705a1aed2f7d627e1205ce978efebd49d21

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F4001.tmp\logo.bmp

MD5 41168e826b2975703bbe264918b52102
SHA1 1231277b74b5408900f466b51f279d8ed13b1bd7
SHA256 fec8f8514aac434cd7cdac3846700c5e1a962489e58a051adbcf9a673afe37b8
SHA512 6d2a4ebfd7ba21f48ffb9b918284bf50a01b499d41d859c24eeccf6878a04ae6e16030dd4ff57320db18af2988d1ec1d90cb89f30ff29d9afd4e06b4a2a903fc

\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F4001.tmp\Lmi_Rescue_srv.exe

MD5 ae7a775d3d39377cf12c052cc6e54b0c
SHA1 d7a95f570f55f4217f5efb8e235fd9d98e3eedf0
SHA256 c31616d13df62144e0e4aa36b4b02922693e1d34e655ed13cbcee251e46c601f
SHA512 54d2ecac4364d0a4c81131bc9e52ebedb30c807bf2ddfc90b0eedf357c57690dc30a6d88a6ea01de9f928588042a3b79674eadfda95934e3e8c991ec5d90f940

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F4001.tmp\rescue.info

MD5 c9566bc70fb7153ca646fa5e5fe037fa
SHA1 9fa749f1188340fd587164e2a70009d9652e0f40
SHA256 89d1cc81d213beb88a7bdfc67dc4c541ac19912acacd0c2195b213ce915344a3
SHA512 50e5d8f93867cbad4471485606121fce0c0889836434540b3c403cf53a505eddb193d2b829c519edb626794db7a1e67d23ba22527dcacd4db64c96742fe9ce5d

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F4001.tmp\rescue.log

MD5 f8374eb8acc425c90f5f00271804d3bc
SHA1 e27087367c98a2b709da75d983138bcfb26fbb9a
SHA256 fa6abad7657583b2d0e47502527badce008e5e343cd5e9b74e8cb18a1c2c3871
SHA512 5e37874b4fb5ca7a9f5b413e31c7281ed1c4aeb6ce055b8f50bf174202fa151278ee1bb0043a69d2735b390439f1352cc88acbc3f7b6592e0fdd75e71f9ecfcf

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F4001.tmp\session.log

MD5 c52ab15ab275d39b81da2f65bc98299b
SHA1 d1e91074989605932f9fb9f9cefcccb46171660c
SHA256 ac07a5527e3c257f04915bb2474ef27d43445e8b4e4ce2e960a28428c4f684cf
SHA512 7bf24cefc0bd2c1795cd40e7099ff50add0b88972edf96aa5a48cfac501b78c938fed214241fca0c36ce501c808d827332ea5530badf3738ad5bf1a1b9205170

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F4001.tmp\rescue.log

MD5 53a4d40df1c73537a954df5f1d6ab31b
SHA1 f220ff5d3a4daa6b6eb46912c6719a339352e5c5
SHA256 6ac8f6bd3d5192072f621402b75583771ec3415171cb3e15c3e5e58f415f6e7f
SHA512 9bca5df9ea47c06bf1f2222165430ed3982ca85c2ac74c6e546ba2f5da998377024b23faee83571eda60308956418730f85d9e869c89b593a1f02cb18d8e1287

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F4001.tmp\chatlog.dat

MD5 c80803da2e9cd16153ff974c337553bc
SHA1 dd05f383aa15d9e596ccf83806e166308ce4a593
SHA256 5db32d458772f57db271c48062fb0de75ed749022b2514084f5303eb9e28aa60
SHA512 25f22a28fad2ed2fd2f3c07c43b3bcef1da1accbfcf2b561bd20b52c10a746e2fe7fd8b5815d3027f2d6f7f02494dad18880e8a9617872c00ef6129ac3ec1d5e

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F4001.tmp\nvdaControllerClient32.dll

MD5 05acd0592f0d72b78b3f0c2aec7b83c8
SHA1 0096eec8dc24a55207fceed5d1996245c7620d43
SHA256 c74a95fd875afd00d84765aad6315ffe2d50f521c8a9ea2cbe1aa61e74215a9b
SHA512 ad63d6242635478bc4d95652bb656058b8562c2a623c42cd9532069e1892f53d8164ebb5411ec9083cc7d8e7d8e50fe3bea6a43e6bb129d1f5843b364b2ea1b6

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F4001.tmp\rescue.log

MD5 a88c41ee197aa0d9b6bb54402794ff2f
SHA1 57a44fe33c4c9072e0b80a304ae3faa905888034
SHA256 df1da812112291f5750e184ac8ffe1702804be12d38232e9fb152389c9c22d30
SHA512 7b93952fe40ea63bbc2ab0ae196bdbb1507b35b0986324f1512fe28432deefc7402a681980020c8f59f8092c793468c065e4a4568d4afa7ea338604bcfcd3843

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F4001.tmp\rescue.log

MD5 9f9c457e745922fa4b438148c5b50469
SHA1 7d2d7e790f899b64a2782482391d93268dc96f0f
SHA256 ba43d01ecc5fe717071a99a853250c463de65576f76759915bee9194d31f34b2
SHA512 00a0104bcc8dda6fe7d3cdfb0f8f72b7fa5523d0c46facee8b27b3a1368fc81b0017ab0a6d81e257cd247857d02d56a068bc591183e0019bf2bd59178e9cca6f

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F4001.tmp\rescue.log

MD5 7c9ba4219bdf2f741c4af8d229dcf6f8
SHA1 80dc9ebadae323ba1304820e30658ffbc88fa1b3
SHA256 5d448f8d002602fa7ea61b851ae66e28a685ff7d0773b51678ae3b97c3f235be
SHA512 f4210fbfaf6a90729f024a36eed7d7e72f32cba3588d8aabdcc54448c87e27fd9f70df37418644d7af978b92edd4f172cd45e375ec1ac7fe8b43ea03137422fb

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F4001.tmp\rescue.log

MD5 b5aa862c8ddd0bf2a4fcb130bc53edbf
SHA1 3038173873817b670713a629696c2a3885d0f676
SHA256 06bf1653a7956c0081b031f61817b9b188e74bc749fe4a31df677bd2223f7f4a
SHA512 9a45a2c8ca4f6fb38b818c90a873b2459cab87871951ec28c33ab1d1b8bd44bce933305988121dd70cc4f32d6976c42d86a181e76669f6aea1d987e91a647925

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F4001.tmp\rescue.log

MD5 5c69d6b00c36616065d7f592ee4d0c2b
SHA1 5f44826a9ca028620efbd45bba11524d92eb1d2c
SHA256 5c64824537153c8f6ff074b61f209c298a4aac72b2089e30742444f48b198e65
SHA512 35b6410dac90e9f6b4903d1b7bd27cdc4fd22d39077b472ab1e45efa5aac54dff7b4b397fc324c4b1f4814fe6a6b1dd745baf2e5367a53f654a36893f909facb

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F4001.tmp\rescue.log

MD5 e9f0f67a79c925392821296505f54241
SHA1 1b34607fa43f9f27f14e24feb85847aa70882fd8
SHA256 8932a82e0756cdc1073f38aa5cfb3ccd96afde084a2af8dd03f0ed38187a90cc
SHA512 44ac15ab9e0f3bb09434195f4c1f0c2d56726476eaf0b57e9d9c332df62ed9d6bb3fc09dc2f394a7a901393ac547d0bd8dd0759073be35696602f4e14a2c3daf

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F4001.tmp\rescue.log

MD5 4564ca008211c343c4789c575900a4bc
SHA1 0038e365a33bd770f5f28ab1b009214a88af6368
SHA256 566559784f50c58dd1c045675e4fe0a04faa9022d9c09be2294de3d96e4446a9
SHA512 8812a309e76dbcb58cf2971f4e318bf89ea4744771d999c2c373aa818ffb9e3b86c5df5bcc6d197555f4041c59a275f1332e843895702d3cd6451cae7223b3fe

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F4001.tmp\chatlog.dat

MD5 b11c101ab55041da4df2e534212fb945
SHA1 7e0247ffc3bf8839d7ebb05ee0b4448dff8ea02d
SHA256 3115d9664e1b085ba35c37c8dbad30e4f37f94627306770b96fc4a7670c8a637
SHA512 ba57d03cfb495686d1b620e7779506395744709a5827d1177f1889d33d291950214984bd1c95608a02fdcf6ad062a428e2ea59b50b0c5edd280ba6aeee5afd4d

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F4001.tmp\rescue.log

MD5 a322d33292101ea83aeb9a4863a3ff0e
SHA1 117b8721cabd23d6cb5bb65f942653fc86790d1f
SHA256 62c221d427b50389c4d6e90059810885a1fad518c15e2361c0a336c9e3b2d4ce
SHA512 f7c9b657ac3b5ffdab712d7b41fb1b8d83937a13432a02895f4184234a135e1d8dece3ffa2946e097f3fd0467d15b58c0edcf0fc976ca4a8c7dfbfc82e6d407b

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F4001.tmp\rescue.log

MD5 579c1f95a14aac64b3457797dcd6cecd
SHA1 cf76449142777140cf0316852a571b5a04c95bf2
SHA256 c9a1eb734c9801033927840bf5e260f93128a8f1c08ef2a62e7dd02fe631dc32
SHA512 5319be3f4f5585b731c730cd9212fa2a519e4e1da34efd33dab3578d2b9e45b6f5e67fff60a49588ff75b6851a545478b472d23ba563a8c5e1aa225b7f982495

memory/2460-113-0x00000000001E0000-0x0000000000502000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-05 00:08

Reported

2024-06-05 00:10

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1b5a630bc353017a43a4f2451142c360_NeikiAnalytics.exe"

Signatures

Adds Run key to start application

Tags: persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*LogMeInRescue_1679365303 = "\"C:\\Users\\Admin\\AppData\\Local\\LogMeIn Rescue Applet\\LMIR001F8001.tmp\\LMI_Rescue.exe\" -runonce -reboot"
Process: C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F8001.tmp\LMI_Rescue_srv.exe
Target: N/A

Checks whether UAC is enabled

Tags: evasion, trojan
Description: Key value queried
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Process: C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F8001.tmp\LMI_Rescue_srv.exe
Target: N/A

Writes to the Master Boot Record (MBR)

Tags: bootkit, persistence
Description: File opened for modification
Indicator: \??\PhysicalDrive0
Process: C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F8001.tmp\LMI_Rescue_srv.exe
Target: N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description: Token: SeCreateGlobalPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F8001.tmp\LMI_Rescue.exe
Target: N/A

Description: Token: SeCreateGlobalPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F8001.tmp\LMI_Rescue_srv.exe
Target: N/A

Suspicious use of SetWindowsHookEx

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F8001.tmp\LMI_Rescue.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1b5a630bc353017a43a4f2451142c360_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\1b5a630bc353017a43a4f2451142c360_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F8001.tmp\LMI_Rescue.exe

"C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F8001.tmp\LMI_Rescue.exe"

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F8001.tmp\LMI_Rescue_srv.exe

"C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F8001.tmp\LMI_Rescue_srv.exe" -wd "C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F8001.tmp"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3376 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 rescue-data-center.logmein-gateway.com udp
US 8.8.8.8:53 rescue-list.23.logmein-gateway.com udp
US 8.8.8.8:53 control.rsc-app23-02.logmeinrescue.com udp
GB 158.120.18.191:443 control.rsc-app23-02.logmeinrescue.com tcp
US 8.8.8.8:53 191.18.120.158.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
GB 96.16.110.114:80 N/A tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 13.107.253.64:443 N/A tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.94.73.104.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.200.10:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 10.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 214.143.182.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F8001.tmp\LMI_Rescue.exe

MD5 adbd7b4c358ab53de29003b5a6975a3c
SHA1 e65a2498f965dd109f2683ccadc58b2f4a7d1578
SHA256 3b0dad646ef6a74ad83e7199731ed121eaeac932b3cd0557390660657a2c0a18
SHA512 556200b7a6d1f2129e6793d4a70f158e9180bb960cfddfabe084d5c6c91529f6bbedc94014235d3984b55442ec94b265406569939758eb761c4821a7d4b64b72

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F8001.tmp\params.txt

MD5 cfa9cacf0717c302b6d0a8fe6f2fdd9a
SHA1 d88a8ee9933dee0b5b4bda7f58eca8c83ae22f91
SHA256 b22e3c2e47698474596b7e204cf7b62e76a826e1ce31c57e186a497c9d78e474
SHA512 181c0d43bcd6c6a79c894d8d4291229271396cf0fe415d088e3027b89a4d2b7ae0acce9188320a3d6faa3da7b62989d261057249d6aceaacb8933bc8e3ac7a93

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F8001.tmp\session.log

MD5 0e5059583dffe621ea2e76010d3e89a6
SHA1 89c95a7ddf6670d64e5b900fd355c0c7a89b1116
SHA256 13eb0c0362aaead556975f84e789e0a04abf3f0e894c5623e4bb503fb0797203
SHA512 9ef62c5b2f1b927a05e9242cf24944bdc464f4621e22ae3903397d401f1a91d4406c5736bddd8a120f947fbac7afe2b8ef5969a665fbb353190270060e7848b6

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F8001.tmp\rahook.dll

MD5 2076ba2fe7dd3f79a04aec8e6ec346df
SHA1 737bf7a98a5d7bbf92376607701d176b4d5f03da
SHA256 6e12a888387209cb1e1e8b12ce96a00dff438bb28e2a4e28e048cbbad2d0f607
SHA512 cff2da2244f8339f4c55152f50f8f10e996d00555afbb240bf1a53c116d8491c020be0a8447e5d91cf0bb74adcbc504864fb9b8de0cc5315bafbdafa8b16e3c1

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F8001.tmp\rescue.ico

MD5 de0f0ec7ec752b143fa7cedff430e944
SHA1 8634df0467431031f45d02d45bcbcaff35861394
SHA256 b4d18c2a89884c191b58f72215880af4af584b0bc715aeeb4413e5fc4f6a41ef
SHA512 6eb677ff83c375075645e78ca7c9091801d6a24d39c9c40a0e66f01a107122b140244b5e805bb98f692daf7b856d0b373ddd321b3a95b4431cc93b9eecb4620c

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F8001.tmp\RescueWinRTLib.dll

MD5 5967205baa79840f416e59b2e7288be3
SHA1 7c03fc2e5e93ad666db3ba1b4c66a5fa331d63d1
SHA256 d3bd3a8fa26c771ca698b57d775095fda43d29d3c40cb158d8030d693f469f6b
SHA512 566b0064bd2fead17e071a14e8c9156862aa74ba12c07361a1cbf7a4f9d668e6bea381afbefe5f5939534fcab638b705a1aed2f7d627e1205ce978efebd49d21

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F8001.tmp\logo.bmp

MD5 41168e826b2975703bbe264918b52102
SHA1 1231277b74b5408900f466b51f279d8ed13b1bd7
SHA256 fec8f8514aac434cd7cdac3846700c5e1a962489e58a051adbcf9a673afe37b8
SHA512 6d2a4ebfd7ba21f48ffb9b918284bf50a01b499d41d859c24eeccf6878a04ae6e16030dd4ff57320db18af2988d1ec1d90cb89f30ff29d9afd4e06b4a2a903fc

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F8001.tmp\Lmi_Rescue_srv.exe

MD5 ae7a775d3d39377cf12c052cc6e54b0c
SHA1 d7a95f570f55f4217f5efb8e235fd9d98e3eedf0
SHA256 c31616d13df62144e0e4aa36b4b02922693e1d34e655ed13cbcee251e46c601f
SHA512 54d2ecac4364d0a4c81131bc9e52ebedb30c807bf2ddfc90b0eedf357c57690dc30a6d88a6ea01de9f928588042a3b79674eadfda95934e3e8c991ec5d90f940

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F8001.tmp\rescue.info

MD5 5fb38871f9a87029fb3560c7edcd92cb
SHA1 e8e4ef9f012301a11fe561f2c9e24dfdfbe7e8e9
SHA256 fde483aae13a2bc3939e80f61d0106f870714e05d89fc3f48b96256d234350fc
SHA512 ab7672a090fbc57a1f5b6fba16f6dc4ca52f0a1a4ce012d3d9033d8e7dd2000e2f511e6f640f8bc616e869425dbea7e6c6ea0a927592f7cddcece1fd628562a2

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F8001.tmp\rescue.log

MD5 b12c7a0118452557e4996c188c8d2ef6
SHA1 0da25611ccb352b1aaa4fa637c8750187c42267d
SHA256 d9c9a8c4e9bbaea51d2b72f6ece155f04b334a09bbc718c1b8a7a90d8a84902c
SHA512 da0ee1fbf8fff2115143dde17e0db60079d8e1f368f9c244f42af13c731eb86d4e07777a51f143a9b8329f983a7717e95f16c68890494dbd84548bccb142e301

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F8001.tmp\session.log

MD5 d260a598cab7e330b6ff75b5d40a3ffc
SHA1 e95b1802b34ddeeef085b0e991254024a0c96635
SHA256 03dc6de97fedd334c88b4574a6f021485421f2499900a9d37bf3de2b3a863474
SHA512 a5b7c2b9511cd70cb1f38d939af7d56816006d756b3b3c1839e895cc80b053a9c925d80c36d36e8c8744a32b53cc68d54bc3a430d198af3f5ee0989089881e1e

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F8001.tmp\rescue.log

MD5 10aea5b36deaee76514c65c1e9d8319f
SHA1 329332dc2855d845a1a3fc2505c35710f99e3208
SHA256 de01f2f61bbc07f1db04d6918110160a4f10b47a7062cede3df2f64e08a67d5d
SHA512 98dae97cd0de1250c2519e1572797b27cec8f19ba2e7160fceadf4f1aecd7ecfc432ec654aae024adc55c3507c37e397d91d497e9eb8c403e79ea2d5a927b446

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F8001.tmp\chatlog.dat

MD5 22ce59abeb1a152dc0fb015d2d66c78d
SHA1 46929c0f29b842fbfb98c3692a1ec74b0587e2f7
SHA256 2b4e24d26987f6081b2547b564e71d840b5a2b2068bab66ab3c07673b1465a7b
SHA512 c92a47c9bb9940d7f9deba7a81943354d2642242603695dafb4ca84519938e107a153f7ddd951ba365938e5d85f2b44aff80480f5e8c2b4a4f5d1b6373924d07

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F8001.tmp\nvdaControllerClient32.dll

MD5 05acd0592f0d72b78b3f0c2aec7b83c8
SHA1 0096eec8dc24a55207fceed5d1996245c7620d43
SHA256 c74a95fd875afd00d84765aad6315ffe2d50f521c8a9ea2cbe1aa61e74215a9b
SHA512 ad63d6242635478bc4d95652bb656058b8562c2a623c42cd9532069e1892f53d8164ebb5411ec9083cc7d8e7d8e50fe3bea6a43e6bb129d1f5843b364b2ea1b6

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F8001.tmp\chatlog.dat

MD5 bcd65741b30254ab4e3f8fe17f132cf8
SHA1 f02a1cebf20073518160df894d1b8311e125c83b
SHA256 8c8880b8bbd419516ab9149efe85abe7e485269703020ceee28d89bfb5fbf483
SHA512 94882c6d3bc8385925bc9a9328a6985ae3472f35f9bd1feaac5b7e27de972eee275372ac3db88e79feeff608e325c43bc103b80c4433aebae6bd2c2adcb5a275

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F8001.tmp\rescue.log

MD5 57cf1bd2150b5782aa312fd568348d62
SHA1 6b166bd3deed917a3ef6c7355a364ce5849e1155
SHA256 0b4db2e43760f4bd1efac3980eee68b8f55a90ec5114218d5dde1c47be4bf5ef
SHA512 86f0217a227b0e6553be19cffeba045d315bf87e93e47013f68d6be3ea1aa4d95ada1fee9edd5d1372a34ee29244ebb6e572724eb75291c0139551fa5e773107

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F8001.tmp\rescue.log

MD5 bcc776452bfb68afe204271838037d61
SHA1 cfc82f984bb6c2e000024b6c7d30161eba5a34ec
SHA256 a07065dba569379fd2f0482e661b00fca7984fe1da5e2432c7f7da2c7321522d
SHA512 230363fe9c4358d4a685aef24a4bfd597102a5f152f8a3620e3a855a26165a15376ae2ca95c6629c277b2464f29a19a508503b3ede46ff02771388792541bfc9

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F8001.tmp\rescue.log

MD5 6b7379c20fed504906f827a6c19b14ef
SHA1 61aa226d35dfbf64e38316e4e05ca56d1cf86304
SHA256 3b0f2cc88613f570f06dd17280306a685cb71c7bdce7b2c7838346aea3e38363
SHA512 ee8390e88ce368e4c7d06d2a724303c5679376fcc40f68e4a3ee6926a27838b4669baed971acd2cfd2f6c0e6aa58093e069b3ca4d1d9e1fa0c224b92042d19bd

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F8001.tmp\rescue.log

MD5 339b1602bf8ca5b800be8c363b5da5a5
SHA1 fca6ed2e838c0a285a99b48399e2266017544e27
SHA256 d148247495b120ed45ab6af8c38180d4a4598bd7e7f2caa4de7b75dc76ec4a49
SHA512 48a09d1780a230d233a24651c5cca010c8c3156a6fe66084ee80de2e00dea03202ef941a5a97c88651817058374dad3c30fc046972d8d85869b43f3d522967a7

C:\Users\Admin\AppData\Local\LogMeIn Rescue Applet\LMIR001F8001.tmp\rescue.log

MD5 29d57609fcfb6632a738616c9c2dca7d
SHA1 c7d1f476d848250f29b628efefa2c550dff91166
SHA256 e7f970ac5c62ab8962a12a9bb911a001e925712d7bcf96ea63d8bcfc5bd2846c
SHA512 e680aaaf5027ceed547fa21db7ad8af1230d69cae93d998332a5cbdc1a0698d97168325dfb6c0b7ddc58d2d24d4fae3a1f363fa9dc140ef26ab92373848f3b3f