e28e1bc276a54bfb741fa358cfb1e824ec230383fabe7c4740d1de0508618be9

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
15-07-2024 06:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99d13f5411586ec6696ca1271d46a5a0N.exe
Size

1.9MB
MD5

99d13f5411586ec6696ca1271d46a5a0
SHA1

001a7cb423e069b0ded3f8300d7fa2ea542f5c78
SHA256

e28e1bc276a54bfb741fa358cfb1e824ec230383fabe7c4740d1de0508618be9
SHA512

6a8818f05884454f1a6b43990131d624470cf08eb6734ab5e41dfc73a7e570e222caed09f7a045b8c68bbd75e740923ca9d71f8714886fb17e2f624874a64686
SSDEEP

49152:45okD3PW/R/6Dii0+LitIg+oYng7juTER6arQrlucqlGWHoZ8YhTn:4N70RiFG0oYngXuU9rQSl8hhb

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2844	join.me.exe

Loads dropped DLL 2 IoCs

pid	Process
2268	99d13f5411586ec6696ca1271d46a5a0N.exe
2844	join.me.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	join.me.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2844	join.me.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2844	join.me.exe
Token: SeBackupPrivilege	2844	join.me.exe
Token: SeDebugPrivilege	2844	join.me.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2844	join.me.exe
2844	join.me.exe
2844	join.me.exe
2844	join.me.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2844	2268	99d13f5411586ec6696ca1271d46a5a0N.exe	30
PID 2268 wrote to memory of 2844	2268	99d13f5411586ec6696ca1271d46a5a0N.exe	30
PID 2268 wrote to memory of 2844	2268	99d13f5411586ec6696ca1271d46a5a0N.exe	30
PID 2268 wrote to memory of 2844	2268	99d13f5411586ec6696ca1271d46a5a0N.exe	30

C:\Users\Admin\AppData\Local\Temp\99d13f5411586ec6696ca1271d46a5a0N.exe
"C:\Users\Admin\AppData\Local\Temp\99d13f5411586ec6696ca1271d46a5a0N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Users\Admin\AppData\Local\Temp\joi9F3C.tmp\join.me.exe
  "C:\Users\Admin\AppData\Local\Temp\joi9F3C.tmp\join.me.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\joi9F3C.tmp\LMIInputHook32.dll

Filesize
73KB

MD5
733cb0bcaaf7d6b2092eb38bd19ce24a

SHA1
dd5fce1d23cdc0d7b96cc4261c960c96c06f06c2

SHA256
92a7a686ceba459b2b26a71d55bfd4740ef9a29b21100b702eb2be721c2d0260

SHA512
c568e7325f4aa923a8fff7e08aa5ced6ca0b2c21f106d3bd955b9dff60049a93972ddf320fabee86959aa12e3c678fd8ee95cf2e64b75aeec564b4c6ad956169

Download Submit
C:\Users\Admin\AppData\Local\Temp\joi9F3C.tmp\join.me.log

Filesize
5KB

MD5
a14d9924cebcea4ff079ef8a0855b8d8

SHA1
bb1ecb47834d59746e9fa871e4aabef975af1dbc

SHA256
2e1d83ed1e8ad386ff098031d22926b4e6c5a0f0aab75e35d36fb389e3b34918

SHA512
8aac731e54f0b846b52f9424f0c9add89d039c24fee8c707dbc203a6d1181127923f4426c3d6d2b437b864aca383071269b69487389e3b1d1d06c16b06dd662c

Download Submit
C:\Users\Admin\AppData\Local\Temp\joi9F3C.tmp\params.txt

Filesize
102B

MD5
1c8877ac6c0fa0bdfb7329ab7026c392

SHA1
fa91587185f632a3c96fe3a54a37e7a659122f5b

SHA256
432e56ee367031130ed77e8edd415c56079abf5c1624853ea6d743c49639e733

SHA512
ae6aa2b50d5b2b50e9648e473157c598bacf427adadf8d030c3034098c5083686b9c22859769fb36170f0f9b4e1d035a658bde281d242435b6eef6c68861b7c4

Download Submit
\Users\Admin\AppData\Local\Temp\joi9F3C.tmp\join.me.exe

Filesize
8.5MB

MD5
f0dcd31940ef3b30f88fa70af40605cf

SHA1
303631a2c38f73cc033bf8a95d099c77f80a4715

SHA256
532af5b31fdf46b759660c787635e8fa7ee054f83f3644d59c4dc42c6a43223a

SHA512
68d56b7dd93e6b82c6f08a9b52f6c78b3c921acd50d7680199a12f76ba69d147a736f43c328a690131bcc515d38ef1a2d7ba0d4eafe12e763a7e5fc1256f87b7

Download Submit
memory/2844-45-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/2844-56-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download