Analysis
- Max time kernel: 8s
- Max time network: 39s
- Platform: windows7_x64
- Resource: win7v20210408
- Submitted: 26-07-2021 12:59
Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 542a38bf52afa6a4a008089a6fbf22c9d68ef5d6c634dd2c0773d859a8ae2bbf.sample.dll
  - Resource: win7v20210408
- Behavioral task: behavioral2
  - Sample: 542a38bf52afa6a4a008089a6fbf22c9d68ef5d6c634dd2c0773d859a8ae2bbf.sample.dll
  - Resource: win10v20210408
General
- Target: 542a38bf52afa6a4a008089a6fbf22c9d68ef5d6c634dd2c0773d859a8ae2bbf.sample.dll
- Size: 47KB
- MD5: 7899d6090efae964024e11f6586a69ce
- SHA1: 9078e741d6d66fb6b4920878f0b7cd6a0f8b1cc7
- SHA256: 542a38bf52afa6a4a008089a6fbf22c9d68ef5d6c634dd2c0773d859a8ae2bbf
- SHA512: 566ab18ec22115fff4a2ea41fdb4ed27249f27186bb41b69637d7eafd82e79723e36df4a377a80c7ea51617702116eaf8fe44a5fe4275e1ace1bdf6afaa5c40f
Malware Config
Signatures
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes:
  - rundll32.exe: file opened for modification: \??\PhysicalDrive0
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  - rundll32.exe (PID 1224): Token: SeShutdownPrivilege
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
  - rundll32.exe (PID 1812) wrote to memory of rundll32.exe (PID 1224) (7 identical events)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\542a38bf52afa6a4a008089a6fbf22c9d68ef5d6c634dd2c0773d859a8ae2bbf.sample.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\542a38bf52afa6a4a008089a6fbf22c9d68ef5d6c634dd2c0773d859a8ae2bbf.sample.dll,#1
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of AdjustPrivilegeToken