Resubmissions
08-07-2022 07:45  220708-jlnrgshhg3  10
08-07-2022 07:38  220708-jgdeyshfc9  10
08-07-2022 07:36  220708-jfkgwafedq  10
08-07-2022 07:30  220708-jb7fvafdaj  10

Analysis
- max time kernel: 199s
- max time network: 67s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 08-07-2022 07:38
Static task
- static1

Behavioral task
- behavioral1
  - Sample: boot_00430000.dll
  - Resource: win7-20220414-en (windows7_x64)
  - 0 signatures, 0 seconds

Behavioral task
- behavioral2
  - Sample: boot_00430000.dll
  - Resource: win10v2004-20220414-en (windows10-2004_x64)
  - 0 signatures, 0 seconds
General
- Target: boot_00430000.dll
- Size: 75KB
- MD5: 0ea80c1fd7481bc1fbfe86470069ec81
- SHA1: 6aaed5570b9af39ae45c43367d0cfa67c7199e42
- SHA256: a8c453e85ccd4ca6a99e83036a736cc904b1b96b4a78d4e33c50c31136226a7a
- SHA512: 1a01e86a5901829e79bd8d625119cbb562228ccd0527bf17bb213209489937fa0bd4987171deaca88c434fb368831e3ee9a6a779be6d28662e4e57cfb7f40e5a
- Score: 1/10
Malware Config
Signatures
- Suspicious behavior: CmdExeWriteProcessMemorySpam (3 IoCs)
  Processes:
  pid  | process
  1080 | rundll32.exe
  1684 | rundll32.exe
  756  | rundll32.exe

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
  description                       | pid  | process
  Token: 33                         | 1760 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 1760 | AUDIODG.EXE
  Token: 33                         | 1760 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 1760 | AUDIODG.EXE

- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes:
  description                      | pid  | process      | target process
  PID 1948 wrote to memory of 2028 | 1948 | rundll32.exe | rundll32.exe
  PID 1948 wrote to memory of 2028 | 1948 | rundll32.exe | rundll32.exe
  PID 1948 wrote to memory of 2028 | 1948 | rundll32.exe | rundll32.exe
  PID 1948 wrote to memory of 2028 | 1948 | rundll32.exe | rundll32.exe
  PID 1948 wrote to memory of 2028 | 1948 | rundll32.exe | rundll32.exe
  PID 1948 wrote to memory of 2028 | 1948 | rundll32.exe | rundll32.exe
  PID 1948 wrote to memory of 2028 | 1948 | rundll32.exe | rundll32.exe
  PID 1260 wrote to memory of 1080 | 1260 | cmd.exe      | rundll32.exe
  PID 1260 wrote to memory of 1080 | 1260 | cmd.exe      | rundll32.exe
  PID 1260 wrote to memory of 1080 | 1260 | cmd.exe      | rundll32.exe
  PID 1260 wrote to memory of 1080 | 1260 | cmd.exe      | rundll32.exe
  PID 1260 wrote to memory of 1080 | 1260 | cmd.exe      | rundll32.exe
  PID 1260 wrote to memory of 1080 | 1260 | cmd.exe      | rundll32.exe
  PID 1260 wrote to memory of 1080 | 1260 | cmd.exe      | rundll32.exe
  PID 1260 wrote to memory of 1684 | 1260 | cmd.exe      | rundll32.exe
  PID 1260 wrote to memory of 1684 | 1260 | cmd.exe      | rundll32.exe
  PID 1260 wrote to memory of 1684 | 1260 | cmd.exe      | rundll32.exe
  PID 1260 wrote to memory of 1684 | 1260 | cmd.exe      | rundll32.exe
  PID 1260 wrote to memory of 1684 | 1260 | cmd.exe      | rundll32.exe
  PID 1260 wrote to memory of 1684 | 1260 | cmd.exe      | rundll32.exe
  PID 1260 wrote to memory of 1684 | 1260 | cmd.exe      | rundll32.exe
  PID 1260 wrote to memory of 756  | 1260 | cmd.exe      | rundll32.exe
  PID 1260 wrote to memory of 756  | 1260 | cmd.exe      | rundll32.exe
  PID 1260 wrote to memory of 756  | 1260 | cmd.exe      | rundll32.exe
  PID 1260 wrote to memory of 756  | 1260 | cmd.exe      | rundll32.exe
  PID 1260 wrote to memory of 756  | 1260 | cmd.exe      | rundll32.exe
  PID 1260 wrote to memory of 756  | 1260 | cmd.exe      | rundll32.exe
  PID 1260 wrote to memory of 756  | 1260 | cmd.exe      | rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\boot_00430000.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\boot_00430000.dll,#1
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x568
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\cmd.exe
  Command line: "cmd.exe" /s /k pushd "C:\Users\Admin\AppData\Local\Temp"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\SysWOW64\rundll32.exe boot_00430000.dll, ReflectiveLoader
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\SysWOW64\rundll32.exe boot_00430000.dll,DllEntryPoint
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\SysWOW64\rundll32.exe boot_00430000.dll, ReflectiveLoader
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
Network
MITRE ATT&CK Matrix
Downloads
- memory/756-60-0x0000000000000000-mapping.dmp
- memory/1080-56-0x0000000000000000-mapping.dmp
- memory/1684-58-0x0000000000000000-mapping.dmp
- memory/2028-54-0x0000000000000000-mapping.dmp
- memory/2028-55-0x0000000075581000-0x0000000075583000-memory.dmp
  Filesize: 8KB