e28e1bc276a54bfb741fa358cfb1e824ec230383fabe7c4740d1de0508618be9

Analysis

max time kernel
118s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2024 06:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99d13f5411586ec6696ca1271d46a5a0N.exe
Size

1.9MB
MD5

99d13f5411586ec6696ca1271d46a5a0
SHA1

001a7cb423e069b0ded3f8300d7fa2ea542f5c78
SHA256

e28e1bc276a54bfb741fa358cfb1e824ec230383fabe7c4740d1de0508618be9
SHA512

6a8818f05884454f1a6b43990131d624470cf08eb6734ab5e41dfc73a7e570e222caed09f7a045b8c68bbd75e740923ca9d71f8714886fb17e2f624874a64686
SSDEEP

49152:45okD3PW/R/6Dii0+LitIg+oYng7juTER6arQrlucqlGWHoZ8YhTn:4N70RiFG0oYngXuU9rQSl8hhb

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3444	join.me.exe

Loads dropped DLL 1 IoCs

pid	Process
3444	join.me.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	join.me.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3444	join.me.exe
3444	join.me.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3444	join.me.exe
Token: SeBackupPrivilege	3444	join.me.exe
Token: SeDebugPrivilege	3444	join.me.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3444	join.me.exe
3444	join.me.exe
3444	join.me.exe
3444	join.me.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4920 wrote to memory of 3444	4920	99d13f5411586ec6696ca1271d46a5a0N.exe	86
PID 4920 wrote to memory of 3444	4920	99d13f5411586ec6696ca1271d46a5a0N.exe	86
PID 4920 wrote to memory of 3444	4920	99d13f5411586ec6696ca1271d46a5a0N.exe	86

C:\Users\Admin\AppData\Local\Temp\99d13f5411586ec6696ca1271d46a5a0N.exe
"C:\Users\Admin\AppData\Local\Temp\99d13f5411586ec6696ca1271d46a5a0N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4920
- C:\Users\Admin\AppData\Local\Temp\joiAB34.tmp\join.me.exe
  "C:\Users\Admin\AppData\Local\Temp\joiAB34.tmp\join.me.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\joiAB34.tmp\LMIInputHook32.dll

Filesize
73KB

MD5
733cb0bcaaf7d6b2092eb38bd19ce24a

SHA1
dd5fce1d23cdc0d7b96cc4261c960c96c06f06c2

SHA256
92a7a686ceba459b2b26a71d55bfd4740ef9a29b21100b702eb2be721c2d0260

SHA512
c568e7325f4aa923a8fff7e08aa5ced6ca0b2c21f106d3bd955b9dff60049a93972ddf320fabee86959aa12e3c678fd8ee95cf2e64b75aeec564b4c6ad956169

Download Submit
C:\Users\Admin\AppData\Local\Temp\joiAB34.tmp\join.me.exe

Filesize
8.5MB

MD5
f0dcd31940ef3b30f88fa70af40605cf

SHA1
303631a2c38f73cc033bf8a95d099c77f80a4715

SHA256
532af5b31fdf46b759660c787635e8fa7ee054f83f3644d59c4dc42c6a43223a

SHA512
68d56b7dd93e6b82c6f08a9b52f6c78b3c921acd50d7680199a12f76ba69d147a736f43c328a690131bcc515d38ef1a2d7ba0d4eafe12e763a7e5fc1256f87b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\joiAB34.tmp\join.me.log

Filesize
3KB

MD5
86d9a660bf9ac834bc0e5027795809d7

SHA1
36b501d892ac890aef662fe97df309e253bb88dd

SHA256
bd974e7290ee3a921f62532f36d604cf95b7cb4fbe192c02ce9c15cfd5b3b406

SHA512
9f6d8703f296f96e6617cf75b3f0949bf0177359fd2082a57608f41db613b3b57b4123a40bb8f1d9836f6c66daff4f0adbc1b12692acc72bf96fa8aeab5557fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\joiAB34.tmp\join.me.log

Filesize
6KB

MD5
c86bcab89283aaae560400e0b9577e14

SHA1
ee3146a1ed3655ce296c002e7590dd6a01fdb890

SHA256
bf7e11855f89fab4cee9d676ad6086000f1020006a851699fbee55207cf5e6ce

SHA512
1e67c11312a9e4f0df5b6d5bb228a0dd60583bb8b78c490784f8a12aefc5201dfe5ae4278cf68f48e98a0484729dcb286d86704c2047a7728802e5212cfa4228

Download Submit
C:\Users\Admin\AppData\Local\Temp\joiAB34.tmp\params.txt

Filesize
102B

MD5
1c8877ac6c0fa0bdfb7329ab7026c392

SHA1
fa91587185f632a3c96fe3a54a37e7a659122f5b

SHA256
432e56ee367031130ed77e8edd415c56079abf5c1624853ea6d743c49639e733

SHA512
ae6aa2b50d5b2b50e9648e473157c598bacf427adadf8d030c3034098c5083686b9c22859769fb36170f0f9b4e1d035a658bde281d242435b6eef6c68861b7c4

Download Submit
memory/3444-44-0x0000000005B80000-0x0000000005B81000-memory.dmp

Filesize
4KB

Download
memory/3444-56-0x0000000005B80000-0x0000000005B81000-memory.dmp

Filesize
4KB

Download