lrio[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

lrio.exe
Size

1.6MB
MD5

6047e184c92d34f240cc11b7a597e1a7
SHA1

da8d1e9fbe18883b31f366fc00ba8d5c4b7c9085
SHA256

a194098068ae5792a16bc86d77222501d93ee8cdbe7acf70d22491124e8f52d7
SHA512

58d6251b2e032049cf1966bde76346dbc9ca9a698eedf5ccfd822a718cea7a62d9fc57083a22079b195b99f2e803edae50e14ec7614b59aa3020e1c0d8c82179
SSDEEP

49152:wTgjLEFgSMCXmPxwMjYaOwcKTozTnWHiSZ8qcXb3t:wTv2wMjYg

Score

1^/10

Malware Config

Signatures

Files

lrio.exe
.exe windows:6 windows x86 arch:x86

eb10e664d4b6cbc1e96670b062c8f726

Code Sign

56:00:00:06:d4:f5:1f:6b:f6:fc:ad:3b:60:00:00:00:00:06:d4
Certificate

Issuer

CN=Intel External Issuing CA 7B,O=Intel Corporation,L=Santa Clara,ST=CA,C=US

Not Before

07/06/2018, 06:54

Not After

06/06/2020, 06:54

Subject

CN=Intel(R) Software,O=Intel Corporation,L=Santa Clara,ST=CA,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

06:9b:5e:99:27:72:84:c8:76:7f:13:68:a7:de:b0:f3
Certificate

Issuer

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

28/10/2015, 00:00

Not After

17/06/2021, 23:59

Subject

CN=Intel External Issuing CA 7B,O=Intel Corporation,L=Santa Clara,ST=CA,C=US

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageEmailProtection
ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

27:66:ee:56:eb:49:f3:8e:ab:d7:70:a2:fc:84:de:22
Certificate

Issuer

CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE

Not Before

30/05/2000, 10:48

Not After

30/05/2020, 10:48

Subject

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

69:b2:d1:cc:f0:2e:20:dc:c9:5c:62:89:4f:7f:9e:5f:5f:c0:57:bf
Certificate

Issuer

CN=QuoVadis Root Certification Authority,OU=Root Certification Authority,O=QuoVadis Limited,C=BM

Not Before

30/05/2014, 16:35

Not After

17/03/2021, 18:33

Subject

CN=QuoVadis Issuing CA G4,O=QuoVadis Limited,C=BM

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

75:f2:90:06:ae:84:39:0e:cf:57:5e:29:fa:c4:e9:98:0b:0c:43:28
Certificate

Issuer

CN=QuoVadis Issuing CA G4,O=QuoVadis Limited,C=BM

Not Before

10/11/2017, 21:37

Not After

10/11/2018, 21:37

Subject

CN=timestamp.intel.com,OU=Thales TSS ESN:78F7-C430-508C,O=Intel Corporation,L=Santa Clara,ST=CA,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

d0:50:a2:2e:c3:32:fc:81:e8:58:b6:69:ce:b4:ab:6b:00:17:ed:2a:41:21:9b:8a:79:a7:11:01:8b:4b:07:de
Signer

Actual PE Digest

d0:50:a2:2e:c3:32:fc:81:e8:58:b6:69:ce:b4:ab:6b:00:17:ed:2a:41:21:9b:8a:79:a7:11:01:8b:4b:07:de

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\BuildAgent\work\d3d68ac44fb6e69b\bin\Win32\Release Static\lrio.pdb

Imports

advapi32

ReportEventW
RegisterEventSourceW
DeregisterEventSource
RegGetValueW
RegOpenKeyExW
SetSecurityDescriptorOwner
OpenProcessToken
RegCloseKey
GetTokenInformation
EventWriteString
EventProviderEnabled
EventRegister
EventUnregister
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
RegQueryValueExW

kernel32

DeleteCriticalSection
InitializeCriticalSectionEx
CreateMutexW
ReleaseMutex
FormatMessageW
SetErrorMode
GetErrorMode
GetModuleFileNameW
QueryPerformanceCounter
GetTempPathW
GetTempFileNameW
RaiseException
LocalFree
GetProcessHeap
GetSystemTimeAsFileTime
GetModuleHandleA
DecodePointer
WaitForSingleObject
RemoveDirectoryW
CloseHandle
QueryPerformanceFrequency
WideCharToMultiByte
DuplicateHandle
WaitForSingleObjectEx
SwitchToThread
GetCurrentThread
GetCurrentThreadId
GetExitCodeThread
EnterCriticalSection
LeaveCriticalSection
TryEnterCriticalSection
MultiByteToWideChar
GetStringTypeW
EncodePointer
Sleep
InitializeCriticalSectionAndSpinCount
CreateEventW
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetTickCount
CompareStringW
LCMapStringW
GetLocaleInfoW
GetCPInfo
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
SetEvent
ResetEvent
IsDebuggerPresent
GetStartupInfoW
GetCurrentProcessId
InitializeSListHead
HeapFree
LoadLibraryExA
LocalAlloc
GetSystemDirectoryW
CreateThread
HeapAlloc
CreateProcessW
GetExitCodeProcess
CreateFileW
GetEnvironmentVariableW
GetSystemFirmwareTable
DeviceIoControl
GetOverlappedResult
WriteFile
ReadFile
LoadLibraryExW
InterlockedPopEntrySList
InterlockedPushEntrySList
InterlockedFlushSList
QueryDepthSList
GetThreadTimes
FreeLibraryAndExitThread
CreateTimerQueue
SignalObjectAndWait
SetThreadPriority
GetThreadPriority
GetLogicalProcessorInformation
CreateTimerQueueTimer
ChangeTimerQueueTimer
DeleteTimerQueueTimer
GetNumaHighestNodeNumber
GetProcessAffinityMask
SetThreadAffinityMask
RegisterWaitForSingleObject
UnregisterWait
ReleaseSemaphore
UnregisterWaitEx
GetVersionExW
VirtualAlloc
VirtualProtect
VirtualFree
OutputDebugStringW
FreeLibrary
GetModuleHandleW
GetProcAddress
LoadLibraryW
GetLastError
GetCurrentProcess
SetLastError
QueueUserWorkItem
RtlUnwind
ExitThread
GetModuleHandleExW
ExitProcess
GetStdHandle
GetCommandLineA
GetCommandLineW
IsValidCodePage
GetACP
GetOEMCP
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
GetDateFormatW
GetTimeFormatW
GetFileType
FlushFileBuffers
GetConsoleCP
GetConsoleMode
SetFilePointerEx
ReadConsoleW
HeapReAlloc
GetTimeZoneInformation
FindClose
FindFirstFileExW
FindNextFileW
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
SetStdHandle
HeapSize
WriteConsoleW
SetEndOfFile
VerSetConditionMask
GlobalFree
VerifyVersionInfoW
CreateDirectoryW
GetFileAttributesExW
DeleteFileW

ole32

CoUninitialize
CoInitializeEx
CoCreateInstance
CoCreateGuid
StringFromGUID2

version

GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueW

shlwapi

PathIsURLW

winhttp

WinHttpSendRequest
WinHttpSetCredentials
WinHttpQueryAuthSchemes
WinHttpReceiveResponse
WinHttpAddRequestHeaders
WinHttpGetProxyForUrl
WinHttpGetDefaultProxyConfiguration
WinHttpCloseHandle
WinHttpWriteData
WinHttpOpenRequest
WinHttpGetIEProxyConfigForCurrentUser
WinHttpSetTimeouts
WinHttpQueryDataAvailable
WinHttpSetStatusCallback
WinHttpReadData
WinHttpConnect
WinHttpSetOption
WinHttpQueryHeaders
WinHttpOpen
WinHttpQueryOption

bcrypt

BCryptFinishHash
BCryptHashData
BCryptCreateHash
BCryptGetProperty
BCryptOpenAlgorithmProvider
BCryptDestroyHash
BCryptCloseAlgorithmProvider

crypt32

CryptHashCertificate
CertGetCertificateChain
CertFreeCertificateContext
CertFreeCertificateChain
CryptUnprotectMemory

Sections

.text
Size: 1.2MB - Virtual size: 1.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 270KB - Virtual size: 270KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 62KB - Virtual size: 68KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 63KB - Virtual size: 63KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

eb10e664d4b6cbc1e96670b062c8f726

Code Sign

56:00:00:06:d4:f5:1f:6b:f6:fc:ad:3b:60:00:00:00:00:06:d4Certificate

Extended Key Usages

Key Usages

06:9b:5e:99:27:72:84:c8:76:7f:13:68:a7:de:b0:f3Certificate

Extended Key Usages

Key Usages

27:66:ee:56:eb:49:f3:8e:ab:d7:70:a2:fc:84:de:22Certificate

Key Usages

69:b2:d1:cc:f0:2e:20:dc:c9:5c:62:89:4f:7f:9e:5f:5f:c0:57:bfCertificate

Key Usages

75:f2:90:06:ae:84:39:0e:cf:57:5e:29:fa:c4:e9:98:0b:0c:43:28Certificate

Extended Key Usages

Key Usages

d0:50:a2:2e:c3:32:fc:81:e8:58:b6:69:ce:b4:ab:6b:00:17:ed:2a:41:21:9b:8a:79:a7:11:01:8b:4b:07:deSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

advapi32

kernel32

ole32

version

shlwapi

winhttp

bcrypt

crypt32

Sections

.text Size: 1.2MB - Virtual size: 1.2MB

.rdata Size: 270KB - Virtual size: 270KB

.data Size: 62KB - Virtual size: 68KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 63KB - Virtual size: 63KB

56:00:00:06:d4:f5:1f:6b:f6:fc:ad:3b:60:00:00:00:00:06:d4
Certificate

06:9b:5e:99:27:72:84:c8:76:7f:13:68:a7:de:b0:f3
Certificate

27:66:ee:56:eb:49:f3:8e:ab:d7:70:a2:fc:84:de:22
Certificate

69:b2:d1:cc:f0:2e:20:dc:c9:5c:62:89:4f:7f:9e:5f:5f:c0:57:bf
Certificate

75:f2:90:06:ae:84:39:0e:cf:57:5e:29:fa:c4:e9:98:0b:0c:43:28
Certificate

d0:50:a2:2e:c3:32:fc:81:e8:58:b6:69:ce:b4:ab:6b:00:17:ed:2a:41:21:9b:8a:79:a7:11:01:8b:4b:07:de
Signer

.text
Size: 1.2MB - Virtual size: 1.2MB

.rdata
Size: 270KB - Virtual size: 270KB

.data
Size: 62KB - Virtual size: 68KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 63KB - Virtual size: 63KB