a9b5f922042406e16958e8e4cc7fd2ba6e379e8d9ac7820e0cd05f6c01cb8d46

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07/06/2024, 08:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a9b5f922042406e16958e8e4cc7fd2ba6e379e8d9ac7820e0cd05f6c01cb8d46.exe
Size

6.3MB
MD5

8f0aacbabb588a50b46b7d29ea9e51be
SHA1

bf3d6459400c150126c194f677928c222184e4ac
SHA256

a9b5f922042406e16958e8e4cc7fd2ba6e379e8d9ac7820e0cd05f6c01cb8d46
SHA512

7138818db291b61da6f9a4ac9fce154f89cb0057783541c60a92015f1e532657302ea1ec38873edea3accba060f099749846e643a0c6e898c077f47bcc48e37b
SSDEEP

98304:tQz23M+mf7sMby8K5tmLcvJqiZLhUTRm1r+nretjUTvs0eZyndr+ZmrImp+tQ2:4/by8etNR5hUTQ1ynytjUVdr+wi1

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	a9b5f922042406e16958e8e4cc7fd2ba6e379e8d9ac7820e0cd05f6c01cb8d46.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	LMIIgnition.exe

Executes dropped EXE 2 IoCs

pid	Process
3508	LMIIgnition.exe
3812	LMIGuardianSvc.exe

Loads dropped DLL 1 IoCs

pid	Process
3812	LMIGuardianSvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
8	PING.EXE
2284	PING.EXE
1500	PING.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	3508	LMIIgnition.exe
Token: SeCreateGlobalPrivilege	3508	LMIIgnition.exe
Token: SeCreateGlobalPrivilege	3812	LMIGuardianSvc.exe
Token: SeCreateGlobalPrivilege	3812	LMIGuardianSvc.exe
Token: SeCreateGlobalPrivilege	3508	LMIIgnition.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3508	LMIIgnition.exe
3508	LMIIgnition.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 504 wrote to memory of 3508	504	a9b5f922042406e16958e8e4cc7fd2ba6e379e8d9ac7820e0cd05f6c01cb8d46.exe	84
PID 504 wrote to memory of 3508	504	a9b5f922042406e16958e8e4cc7fd2ba6e379e8d9ac7820e0cd05f6c01cb8d46.exe	84
PID 504 wrote to memory of 3508	504	a9b5f922042406e16958e8e4cc7fd2ba6e379e8d9ac7820e0cd05f6c01cb8d46.exe	84
PID 504 wrote to memory of 4608	504	a9b5f922042406e16958e8e4cc7fd2ba6e379e8d9ac7820e0cd05f6c01cb8d46.exe	85
PID 504 wrote to memory of 4608	504	a9b5f922042406e16958e8e4cc7fd2ba6e379e8d9ac7820e0cd05f6c01cb8d46.exe	85
PID 504 wrote to memory of 4608	504	a9b5f922042406e16958e8e4cc7fd2ba6e379e8d9ac7820e0cd05f6c01cb8d46.exe	85
PID 4608 wrote to memory of 8	4608	cmd.exe	88
PID 4608 wrote to memory of 8	4608	cmd.exe	88
PID 4608 wrote to memory of 8	4608	cmd.exe	88
PID 3508 wrote to memory of 3812	3508	LMIIgnition.exe	87
PID 3508 wrote to memory of 3812	3508	LMIIgnition.exe	87
PID 3508 wrote to memory of 3812	3508	LMIIgnition.exe	87
PID 3508 wrote to memory of 1712	3508	LMIIgnition.exe	89
PID 3508 wrote to memory of 1712	3508	LMIIgnition.exe	89
PID 3508 wrote to memory of 1712	3508	LMIIgnition.exe	89
PID 3508 wrote to memory of 3484	3508	LMIIgnition.exe	91
PID 3508 wrote to memory of 3484	3508	LMIIgnition.exe	91
PID 3508 wrote to memory of 3484	3508	LMIIgnition.exe	91
PID 1712 wrote to memory of 2284	1712	cmd.exe	93
PID 1712 wrote to memory of 2284	1712	cmd.exe	93
PID 1712 wrote to memory of 2284	1712	cmd.exe	93
PID 3484 wrote to memory of 1500	3484	cmd.exe	94
PID 3484 wrote to memory of 1500	3484	cmd.exe	94
PID 3484 wrote to memory of 1500	3484	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\a9b5f922042406e16958e8e4cc7fd2ba6e379e8d9ac7820e0cd05f6c01cb8d46.exe
"C:\Users\Admin\AppData\Local\Temp\a9b5f922042406e16958e8e4cc7fd2ba6e379e8d9ac7820e0cd05f6c01cb8d46.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:504
- C:\Users\Admin\AppData\Local\Temp\Ign33B2.tmp\LMIIgnition.exe
  "C:\Users\Admin\AppData\Local\Temp\Ign33B2.tmp\LMIIgnition.exe" -install
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3508
- - C:\Users\Admin\AppData\Local\Temp\Ign33B2.tmp\LMIGuardianSvc.exe
    "C:\Users\Admin\AppData\Local\Temp\Ign33B2.tmp\LMIGuardianSvc.exe" /escort 3508
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:3812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ign3BC1.tmp.cmd" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ign3C1F.tmp.cmd" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3484
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.0.0.1
      4⤵
      Runs ping.exe
      PID:1500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ign33B2.tmp.cmd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4608
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 2 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:8

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3E3E9689537B6B136ECF210088069D55_A925FAB5FFC3CEDB8E62B2DCCBBBB4F2

Filesize
727B

MD5
1d57fe888a08faf5d90175cbf4bda3c9

SHA1
68390ace526959ba141de514daa9d6e1ab6145c0

SHA256
822a5e1f10da72c021b0249ec3297cd364ebe7442dd275f759819c755097da8d

SHA512
0049f6cad99f04968d2ceb1f87018f42340f7d9444d8a86c7ed502f25a28cc9f8b314c13b2908bd34b0e3d9cc2588187c9ed2cf60ca552210e787393add3f296

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
456a3fbc38e97b61f6b2c929e1ab6d83

SHA1
1cb87def8ea24a89a52f58d33e7a7f32114c0c58

SHA256
97c953d75a583eea1312d945bc6484dbecb0f485aa678d1fc6f7de19d3312839

SHA512
11f5e6b5cc7b599011e628f5bad9b5f328362040b4ca3d0ecd66ce484e06b2d71f08260624fcfe31dd27786b8a701b7b5048bef96a6429958110af7124d40d85

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_325DC716E4289E0AE281439314ED4BFA

Filesize
727B

MD5
8482af08290e060fa761b6e981457e37

SHA1
6f1f818f5085ccfe169badb2ebe5b9d31e933e92

SHA256
d0b56ff3574c8f4d46c8a464fbb795be456e9e83d6f5df206eedd31bec3d0d68

SHA512
9aa4d8c823163eb318808215804327cbb75752f96e51a4d4c020df113329945d6e579ee91ce18585afd8f776917b1619ff9ec6da9483bac454de86e80526daf8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
72c6192089f9b15261522e27464582b9

SHA1
d0885da01362606a6e1684a6f9b0b6150cd6b3b4

SHA256
5684e9426aca2cc088a9e34d489880b3f9d6d415c320e8c2f9e814c418265f9f

SHA512
6a429542e05fb67c4f49c51da80971fdf473202566a4a5c31ac8d7989be2ce0131e3c1c5d608f3e743f4194f6c5d330228fa62c16ac7aa0ff5197ec819f4558c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_56DB209C155B5A05FCBF555DF7E6D1BB

Filesize
727B

MD5
decfed35d8581d96b88ef3f545093133

SHA1
5d4c65cfa67ab73ffe5c54386d6d1463b5cbdc83

SHA256
687d8e42f59f282120b688efbc486140dfb925d8cb6f98a897826fb0786e2199

SHA512
8a56c68252be8c04e0345874c3714f6db87e3c4f764f8b60738884cb100eefa3aba050677e4c508366200974a4bb4dbdd18c5e928a3024ec97fdd2056e5d1553

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3E3E9689537B6B136ECF210088069D55_A925FAB5FFC3CEDB8E62B2DCCBBBB4F2

Filesize
404B

MD5
14716110e71056effec772bd07183737

SHA1
8dcb6b8f20d6ce104dceb0999a83d423d3be8735

SHA256
ebe1b7606266f75823bb9c64fba7558cf6a4b5f3a0f1a5c6af10dc2434d4eef3

SHA512
5404977b905fd9d18f580e495f3dbd7880a2077f91992a2df0301690a156d7b8a9c36b7adbb22b1906ee89097010390c3da9538b8b9f54799962badcaf2dd9f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
f2906e8513f2a2d43d5abb9df415207b

SHA1
420cb1c4771e82751509f12ea91c1c96ff0618b8

SHA256
3d370cefbdbc1355dee5db9a9d2d7a77fcef67173da683d9b0fcf31217fde5b4

SHA512
917a1e6ea6d3750a7daa56f3e63bef501542988120c4ae87d373d7d52440b2badbfe97697b6476e7bc6f1fb81469abc8f967085be3ce8caf87b3b3562b7cc3c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_325DC716E4289E0AE281439314ED4BFA

Filesize
408B

MD5
c068f5c70ea5dbf155e58c79c369fbe7

SHA1
7480442886525a8b653f8ef76a43305cf20e1fce

SHA256
3270885c6806a5727653b2cfe35196829b82b5c26b231789f77164464918e379

SHA512
c346a020aa3cc1bcec930376a3fd95db9997c48cde7f155d7a382e927146a6745d194fe80b8ec0fcccc8492d7c34174761ef8d214ea0666bdb723e7564de89b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
e6a3c578bb347a2574d49bb13d168434

SHA1
428bbf0431679adb0d00ecbb606b812c31a0fd21

SHA256
c072c731d4ce59424fc6765b381e3a24502a7bdee7c007b51c71ab9169eaee64

SHA512
8477a4fe812868187a01e9177037ac1681837e3f2ea0c5d407171a1c9d8c5efd1dc39ed0fd8ac7e95cc7d54182d5ff4de17f6fc430319f889903c6a8e44030c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_56DB209C155B5A05FCBF555DF7E6D1BB

Filesize
412B

MD5
41f67cea8e9dcf85a82540c31d2f3603

SHA1
2c10fa842aa268812d90d3d8afa25fefdf5ecdee

SHA256
5d5e43d9e55033ddf2f164bf323316d8ae56fe03c8619a1dc32d4f9053af14a7

SHA512
63c99204fd66ec3ecb73952114bab792e8adfa131347469efc9b6dcadcdbd639ab726caa85d3f0da6d9e8aedad105c3797c32fdd2ba90bc23065eb77528ca212

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ign33B2.tmp.cmd

Filesize
333B

MD5
332794bc23274cff727180c47b51bc21

SHA1
5164ea3a712f981813012234525181134f6fac87

SHA256
9a3bea42213e8777acc4c6dccc356cda2117c15059ebab6f5c9bf05089faf646

SHA512
af146fd40a92fbc89fe465ef905e41fa2c121c70058b7ea68e503adc3042b04b78c0c5c0680d7d9d72e7032c021b523a4172fb193e2d86f88b9297ecf1435351

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ign33B2.tmp\LMIGuardianDll.dll

Filesize
1.8MB

MD5
3927bb634871eef922dc98d60a8e8449

SHA1
be9e767d862a4a51cff89bf09e63bd17172885f3

SHA256
a746050d2f5fffe6c0bed3384e18c53b7001fe390e92fe1586c8bd81bad35ba6

SHA512
c8d32a283b1d01d700ac6c55b5589a4e15764bb176682b26dfeeda80ee2f3c5f7fa6709d472a72d475ed117bd90efcb2fedb772193fc8a585369b8bfb800156b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ign33B2.tmp\LMIGuardianEvt.dll

Filesize
309KB

MD5
67679291e54fc11d5175e16485bec006

SHA1
ce72f3950c1c7417e8f8556818614acb19822ea8

SHA256
3143a048c2c2caa1d6871856d1f1bc73a315dc4c22ed163328e7d500b89bdde5

SHA512
abf5dbd3405ae868c1619eddd7cbd666d171a61b9cb0a530a55bf364bf0f1a6de658b84297e81e023ce069a9711fdcbb72f8ad5a342081cc5f562be4b57fa078

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ign33B2.tmp\LMIGuardianSvc.exe

Filesize
419KB

MD5
fde1c6ce73d9aa9656ab49981b51c201

SHA1
8ae4829ca1ef3b26268bb62479025617b02cf2b3

SHA256
80e747e83329333cf6ba7358b1626724eb9b3886652b79229c9cf4a7435feb21

SHA512
df34b8fccb67f3cba8d4c4e0e554f4a71e49d54b4f6ae56e5eef826a64a7da6b9bdf1a37e914269d9b2e50ae149176388ae9c73f802a6d9f0baa6416e4bfd59b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ign33B2.tmp\LMIIgnition.exe

Filesize
7.0MB

MD5
81ec0a0308bdf96741d4c9212b9162e0

SHA1
cdc6758218a3b32f03e54a8c196a3ef12d759481

SHA256
b39614acbf0781908065233808691d62bc062262b843b15ee4d0ce3a2edc89a4

SHA512
6748b4746a1eef44f708b9884b01b51b3ef558e886f2b76d88d7fe5526c059331d108ea09001956d34e9139c7a1dd639499164bc6a2277f092a05d03b8ad529a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ign33B2.tmp\LMIProxyHelper.exe

Filesize
74KB

MD5
709ba5e80c9cfed72a838f3b2b76b93d

SHA1
abef7aa6aa77e404df29f8682c28f9e97f80a6c1

SHA256
64f223385570a51f63a534137d6823ed06ff45eb26a962337a9a7115fb522258

SHA512
cfba0cc656f2a8eadafbcb95c255c6ef6aca38cd3b037a43ae508f1f7cba3828c105f692e82936a13ad28f32b43ba0f1f919070e08963651cc3a0c938c521b03

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ign33B2.tmp\RACtrl.dll

Filesize
7.6MB

MD5
285860a070f3b25286a7b13604117ec4

SHA1
4a42f236686a57324b0c218914114b89a876309a

SHA256
3d2de215b93c70f8a020d5dfcdcc066b7db672c7a0f72d0b64054de079ffe6ec

SHA512
ee0eacf86f40a0a2f10c7cecaa8da9938462c3d36427cc651737ffd8a52a2e25702847073ecc81958e770f5f4f0ff56e589a9fba90cc63e792c58af626a123eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ign33B2.tmp\WebView2Loader.dll

Filesize
109KB

MD5
3c8a0d5c1e67675feefe87b6c42835ce

SHA1
69fa501939636e98620444fb3eb35605ff175379

SHA256
5586f7ecbbee2567de5e4ed10080e9f1b307afc0fb6278801f7e9da3075b5339

SHA512
788aebb7a920d13dfb128116676f5a948e9c7a46ab79e4aa8e734605c5ec29c50db7b7bbba3ccf9c63d70d01bf66d6e242ba2ba3d04a63370a156663221d1e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ign33B2.tmp\deployinfo.txt

Filesize
130B

MD5
8da7de96a70f4e9f277e8657420d2f7f

SHA1
78b19a394fd0aed0f3a7aad777a2d9176721b3dc

SHA256
3cc939a7a0fa2011a6aac85407787636e874f883cdb35d96fbbf93401c8b73f9

SHA512
f41799658783532db7606b40db561116a672722ae8a402016aaf377bc82209a50d096b68905d0a99b268fde93dc4d6dca059939af4dde1f7a8b5e83c62ba81ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ign33B2.tmp\ractrlkeyhook.dll

Filesize
13KB

MD5
e80263e744f96af8bb4ce237e9c07763

SHA1
77fdd7fdbf11929ee465e6e3c822ab3b948dc998

SHA256
43b049ea9a3f1e01a01aa2bab140c0ecb5c69635bf8c20551ac31dc01b2248ef

SHA512
d8b96c34f5c7cfd1361b0816e4dd16351bb55f254832b60c7710b3e755c4ad0cd9053ae2e3c81d9f28697ec4dc9fed484347fb587abc88de2d588649c5e43241

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ign33B2.tmp\webview.dll

Filesize
396KB

MD5
f7c1c50906af8edc249a40865cd38c65

SHA1
bce0696e9ee9b66a2af4b059fdbde7a3795d09ce

SHA256
5632dad07e020c9a6a3eb4eeea986406e455c6be7dfd5da55347499740b50d7d

SHA512
f8614e1ffcd00092fcb161a02cc1050763bc4abe31d47500eda7b1c3cc66a528f93e6dd320c0c37a84e317f1f03d6c682c232f813f5ce51f91571578593ac007

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ign3BC1.tmp.cmd

Filesize
957B

MD5
e8db5690f6c0a68d4ffc6501b0f5c0b5

SHA1
7a84a1294e03e55442429541a8a47bc7d5a32bdf

SHA256
4b4ec4b831602862622dde19dc84dd35aea0251eed4f8f3e40c629aff1cefaeb

SHA512
9c930e75c936201b402279c3dc7e634777975fc9795b9a38a1f18f12f3ecab75b0625f463a025b3fb47dc2c7b8c0a51fdee255bc46b2a1b28a0d711fdeea6ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ign3C1F.tmp.cmd

Filesize
957B

MD5
8fe45d4f96902c803bca80d6bc0d0dda

SHA1
c760debb70277d5be8fd7c0e82a1bdade1b9880b

SHA256
e930c5125d1b11f10d77de99815a83bf086783c9214eba0394ee583c1eb62b8d

SHA512
8dea51fefdd09c9faf26255bc0ca3cf7a80a1409ca0f6281d0f5312915ed2a5d6ee908bac2020f327fef4d5106fa374c8fc856727a98639699fb58008050d121

Download Submit