Analysis
- max time kernel: 1s
- max time network: 31s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 26-07-2021 12:41
Static task: static1
Behavioral task: behavioral1
- Sample: 1dbb15d64453eaf80b0630e7d8e25fdfad21329970bed1f2ecd0a81cc7499d9f.sample.dll
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: 1dbb15d64453eaf80b0630e7d8e25fdfad21329970bed1f2ecd0a81cc7499d9f.sample.dll
- Resource: win10v20210408
General
- Target: 1dbb15d64453eaf80b0630e7d8e25fdfad21329970bed1f2ecd0a81cc7499d9f.sample.dll
- Size: 99KB
- MD5: d045c497fb70e7f1457e564e92e3d4ee
- SHA1: 634242c1e23ba78029a75d70552b42c7ed15b36d
- SHA256: 1dbb15d64453eaf80b0630e7d8e25fdfad21329970bed1f2ecd0a81cc7499d9f
- SHA512: 079727bd80655222c65b43ff51a9f9332701c9e150c1b470511123cbabe00bb368a0ae7a76a454cbf4c1c0f1601d64b7a9cd2dee5423efcd4872b85f1d888b9b
Malware Config
Signatures
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes:
    description: File opened for modification; ioc: \??\PhysicalDrive0; process: rundll32.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description: Token: SeShutdownPrivilege; pid: 1892; process: rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
    description: PID 1676 wrote to memory of 1892; pid: 1676; process: rundll32.exe; target process: rundll32.exe
    (the same entry is recorded 7 times)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1dbb15d64453eaf80b0630e7d8e25fdfad21329970bed1f2ecd0a81cc7499d9f.sample.dll,#1
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1dbb15d64453eaf80b0630e7d8e25fdfad21329970bed1f2ecd0a81cc7499d9f.sample.dll,#1
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of AdjustPrivilegeToken