Overview

overview

10

Static

static

10

lmlmdos.exe

windows10-ltsc 2021-x64

lmlmdos.exe

windows7-x64

10

lmlmdos.exe

windows10-2004-x64

10

lmlmdos.exe

windows10-ltsc 2021-x64

lmlmdos.exe

windows11-21h2-x64

Analysis

  • max time kernel
    239s
  • max time network
    251s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250210-en
  • resource tags

    arch:x64arch:x86image:win11-20250210-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    10-02-2025 13:37

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    lmlmdos.exe

  • Size

    23KB

  • MD5

    5eb67cac2f9ef8a548ba327896909cda

  • SHA1

    b8f3612f2d00c581387b02a615ad178874b51329

  • SHA256

    f5c542679e18756fcaaf434a1df9ecee261c8fa6788b75dc64c458e4eef15f2d

  • SHA512

    40665518a5451f7bd86ca1e3ad58cec178566c0f45fde647e76c2bb8d81611ca61fe1974cb97988065239005ca63fc9de0c449d45357ee90a8a99ccd30a5415f

  • SSDEEP

    384:XweXCQIreJig/8Z7SS1fEBpng6tgL2IBPZVmRvR6JZlbw8hqIusZzZQy:oLq411eRpcnuI

Score
10/10
njratbootkitdefense_evasiondiscoverypersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Njrat family
    njrat
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Disables Task Manager via registry modification
    defense_evasion
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    defense_evasion
  • Drops startup file 2 IoCs
  • Executes dropped EXE 8 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 60 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\lmlmdos.exe
    "C:\Users\Admin\AppData\Local\Temp\lmlmdos.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3748
    • C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2192
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:572
      • C:\Users\Admin\AppData\Local\Temp\tmpFE57.tmp.COM
        "C:\Users\Admin\AppData\Local\Temp\tmpFE57.tmp.COM"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:784
        • C:\Users\Admin\AppData\Local\Temp\MBR2.exe
          "C:\Users\Admin\AppData\Local\Temp\MBR2.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:768
          • C:\Windows\System32\MatrixMBR.exe
            "C:\Windows\System32\MatrixMBR.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:384
            • C:\Users\Admin\AppData\Local\Temp\GDI.exe
              "C:\Users\Admin\AppData\Local\Temp\GDI.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:4032
            • C:\Users\Admin\AppData\Local\Temp\MBR.exe
              "C:\Users\Admin\AppData\Local\Temp\MBR.exe"
              6⤵
              • Executes dropped EXE
              • Writes to the Master Boot Record (MBR)
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:4272
        • C:\Users\Admin\AppData\Local\Temp\TROLL5.exe
          "C:\Users\Admin\AppData\Local\Temp\TROLL5.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1792
        • C:\Users\Admin\AppData\Local\Temp\TROLL2.exe
          "C:\Users\Admin\AppData\Local\Temp\TROLL2.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1780
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004CC
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Discovery

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\GDI.exe
    Filesize

    11KB

    MD5

    c08ae6d9c6ecd7e13f827bf68767785f

    SHA1

    e71c2ec8d00c1e82b8b07baee0688b0a28604454

    SHA256

    e153def894c867923dd56a7025b7b0b7bd3ee37c801a5957201d39f999bb28bf

    SHA512

    c28bbe8abc66ad2433e5a3b93a4601b28225e86cb4bff077fd3224adfa63164bebfa3002a42b1cb4cb3c7ccad0208f8b143b8a17099bea04fcb964e667c7a1c0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MBR.exe
    Filesize

    93KB

    MD5

    d2fc66cf781a2497fceb4041a93cc676

    SHA1

    480b1aa31b0b31fc0e0833afbba06533ab9a90ee

    SHA256

    acddde9514e3b9d5c40b3d1750af5f4187c99f8987b027d6da44fb6bcf79b3ca

    SHA512

    6c4cb42f786301be7614d4cb0b32601fea151351b0877e2371632435eb2c54bd4cd04d6b23bf4f49017ccaf679331162aac7329a1ed2409e3c2e02d0326e3487

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MBR2.exe
    Filesize

    205KB

    MD5

    3dc0e225f886bae3b655cd9d738ed32f

    SHA1

    abda127fd477bd9d051cd57b16ac13f44030a9ae

    SHA256

    c22e2419f04fe03a92255a139ca8814697962e86d191a1d4171788fd0c903f68

    SHA512

    c8a6c0bfa96defde6f83d847583ff2ec065a43f80f9886259a2d1fe7df306ef6ed7aeed61b7dcf0bdc111fc67419eb66cf1ca44e831711dd4ea7d25ed9aed09b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TROLL2.exe
    Filesize

    105KB

    MD5

    52a2a5517deb1a06896891a35299ce20

    SHA1

    badcbdfef312bd71de997a7416ee20cee5d66af6

    SHA256

    dcdf5140bc51db27f3aec80ae9a66a57aad446a2522904d288770e8d8cde8cee

    SHA512

    7cb0de412c0508f5af522aeaf3731dda418f72f7cae8dd3f21b34d5cdbc08f9dea8699d59878610496c68d687227a0269739221490d70d03b8e4b84dfd29d5f1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TROLL5.exe
    Filesize

    712KB

    MD5

    542a4e400ff233b21a1a3c27751ac783

    SHA1

    000a67f00b0003531d65a6ed6f16488ae5dcd0fe

    SHA256

    79f00c7dab0891824136539fabd542c74e26cbed94b9add3f1aa7f793d653de6

    SHA512

    8335118ca0c268635d9495b331fb65800a32a0631f132cd34ce84ca3b523d0a9e23eee6d76539d0c81d86fda534da56c936914012d8bad35040b15cc8caaf645

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\server.exe
    Filesize

    23KB

    MD5

    5eb67cac2f9ef8a548ba327896909cda

    SHA1

    b8f3612f2d00c581387b02a615ad178874b51329

    SHA256

    f5c542679e18756fcaaf434a1df9ecee261c8fa6788b75dc64c458e4eef15f2d

    SHA512

    40665518a5451f7bd86ca1e3ad58cec178566c0f45fde647e76c2bb8d81611ca61fe1974cb97988065239005ca63fc9de0c449d45357ee90a8a99ccd30a5415f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpFE57.tmp.COM
    Filesize

    921KB

    MD5

    d0ae6aea701de9f127f91e7efdb50252

    SHA1

    cb9ef64cbcb999372fb4046e99fe89a03df9bc81

    SHA256

    c1aeab35f61f12db28274d82713bff400b808625854a18e49504022f92805e31

    SHA512

    505d11808e9923ff0ec1a51acd51509711f8c5c42da81b47a97249954b06f6f45ddda4655446daeb7f231785cd484ebc6e9ada92b857ad3a8d7ce04276536f13

    Download Submit

  • C:\Windows\System32\MatrixMBR.exe
    Filesize

    250KB

    MD5

    24c441662c09b94e14a4096a8e59c316

    SHA1

    11576cad137bd8ed76efecd711c0390fe5c85292

    SHA256

    339fe94164952a8454e6ec5fc75e2c38baade2c14b231e47bf41989ffbb55ee4

    SHA512

    7f6ca1366733c5fb4925001c0846510732031a9e5f1b16291ff596187c20a88f41193389cedcb73e3928c318fc972be4f03e3cb71f1487c34642897ff9a2b590

    Download Submit

  • memory/384-78-0x0000000000CA0000-0x0000000000CE6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/768-50-0x00000000006C0000-0x00000000006FA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/784-24-0x00000000003F0000-0x00000000004DC000-memory.dmp

    Filesize

    944KB

    Download

  • memory/784-25-0x000000001B180000-0x000000001B264000-memory.dmp

    Filesize

    912KB

    Download

  • memory/1780-79-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/1792-62-0x0000000005B00000-0x00000000060A6000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1792-64-0x00000000055D0000-0x00000000055DA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1792-63-0x00000000055F0000-0x0000000005682000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1792-61-0x0000000000A60000-0x0000000000B18000-memory.dmp

    Filesize

    736KB

    Download

  • memory/2192-16-0x0000000073F60000-0x0000000074511000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2192-17-0x0000000073F60000-0x0000000074511000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2192-18-0x0000000073F60000-0x0000000074511000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2192-12-0x0000000073F60000-0x0000000074511000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2192-14-0x0000000073F60000-0x0000000074511000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3748-0-0x0000000073F61000-0x0000000073F62000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3748-13-0x0000000073F60000-0x0000000074511000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3748-2-0x0000000073F60000-0x0000000074511000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3748-1-0x0000000073F60000-0x0000000074511000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4032-100-0x0000000000980000-0x0000000000988000-memory.dmp

    Filesize

    32KB

    Download