a8c453e85ccd4ca6a99e83036a736cc904b1b96b4a78d4e33c50c31136226a7a

Resubmissions

08-07-2022 07:45

220708-jlnrgshhg3 10

08-07-2022 07:38

220708-jgdeyshfc9 10

08-07-2022 07:36

220708-jfkgwafedq 10

08-07-2022 07:30

220708-jb7fvafdaj 10

Analysis

max time kernel
199s
max time network
67s
platform
windows7_x64
resource
win7-20220414-en
submitted
08-07-2022 07:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

boot_00430000.dll
Size

75KB
MD5

0ea80c1fd7481bc1fbfe86470069ec81
SHA1

6aaed5570b9af39ae45c43367d0cfa67c7199e42
SHA256

a8c453e85ccd4ca6a99e83036a736cc904b1b96b4a78d4e33c50c31136226a7a
SHA512

1a01e86a5901829e79bd8d625119cbb562228ccd0527bf17bb213209489937fa0bd4987171deaca88c434fb368831e3ee9a6a779be6d28662e4e57cfb7f40e5a

Score

1^/10

Malware Config

Signatures

Suspicious behavior: CmdExeWriteProcessMemorySpam 3 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

pid process

1080 rundll32.exe
1684 rundll32.exe
756 rundll32.exe

pid	process
1080	rundll32.exe
1684	rundll32.exe
756	rundll32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	1760	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1760	AUDIODG.EXE
Token: 33	1760	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1760	AUDIODG.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

rundll32.execmd.exe

description	pid	process	target process
PID 1948 wrote to memory of 2028	1948	rundll32.exe	rundll32.exe
PID 1948 wrote to memory of 2028	1948	rundll32.exe	rundll32.exe
PID 1948 wrote to memory of 2028	1948	rundll32.exe	rundll32.exe
PID 1948 wrote to memory of 2028	1948	rundll32.exe	rundll32.exe
PID 1948 wrote to memory of 2028	1948	rundll32.exe	rundll32.exe
PID 1948 wrote to memory of 2028	1948	rundll32.exe	rundll32.exe
PID 1948 wrote to memory of 2028	1948	rundll32.exe	rundll32.exe
PID 1260 wrote to memory of 1080	1260	cmd.exe	rundll32.exe
PID 1260 wrote to memory of 1080	1260	cmd.exe	rundll32.exe
PID 1260 wrote to memory of 1080	1260	cmd.exe	rundll32.exe
PID 1260 wrote to memory of 1080	1260	cmd.exe	rundll32.exe
PID 1260 wrote to memory of 1080	1260	cmd.exe	rundll32.exe
PID 1260 wrote to memory of 1080	1260	cmd.exe	rundll32.exe
PID 1260 wrote to memory of 1080	1260	cmd.exe	rundll32.exe
PID 1260 wrote to memory of 1684	1260	cmd.exe	rundll32.exe
PID 1260 wrote to memory of 1684	1260	cmd.exe	rundll32.exe
PID 1260 wrote to memory of 1684	1260	cmd.exe	rundll32.exe
PID 1260 wrote to memory of 1684	1260	cmd.exe	rundll32.exe
PID 1260 wrote to memory of 1684	1260	cmd.exe	rundll32.exe
PID 1260 wrote to memory of 1684	1260	cmd.exe	rundll32.exe
PID 1260 wrote to memory of 1684	1260	cmd.exe	rundll32.exe
PID 1260 wrote to memory of 756	1260	cmd.exe	rundll32.exe
PID 1260 wrote to memory of 756	1260	cmd.exe	rundll32.exe
PID 1260 wrote to memory of 756	1260	cmd.exe	rundll32.exe
PID 1260 wrote to memory of 756	1260	cmd.exe	rundll32.exe
PID 1260 wrote to memory of 756	1260	cmd.exe	rundll32.exe
PID 1260 wrote to memory of 756	1260	cmd.exe	rundll32.exe
PID 1260 wrote to memory of 756	1260	cmd.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\boot_00430000.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\boot_00430000.dll,#1
2⤵
PID:2028

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x568
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\system32\cmd.exe
"cmd.exe" /s /k pushd "C:\Users\Admin\AppData\Local\Temp"
1⤵
- Suspicious use of WriteProcessMemory
PID:1260

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe boot_00430000.dll, ReflectiveLoader
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1080

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe boot_00430000.dll,DllEntryPoint
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1684

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe boot_00430000.dll, ReflectiveLoader
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:756

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/756-60-0x0000000000000000-mapping.dmp

Download
memory/1080-56-0x0000000000000000-mapping.dmp

Download
memory/1684-58-0x0000000000000000-mapping.dmp

Download
memory/2028-54-0x0000000000000000-mapping.dmp

Download
memory/2028-55-0x0000000075581000-0x0000000075583000-memory.dmp

Filesize
8KB

Download