Resubmissions
Date              Task ID             Score
08-07-2022 07:45  220708-jlnrgshhg3   10
08-07-2022 07:38  220708-jgdeyshfc9   10
08-07-2022 07:36  220708-jfkgwafedq   10
08-07-2022 07:30  220708-jb7fvafdaj   10

Analysis
max time kernel: 232s
max time network: 297s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 08-07-2022 07:45
Static task: static1

Behavioral task: behavioral1
  Sample: boot_00430000.dll
  Resource: win7-20220414-en
  Platform: windows7_x64
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: boot_00430000.dll
  Resource: win10v2004-20220414-en
  Platform: windows10-2004_x64
  0 signatures, 0 seconds
General
Target: boot_00430000.dll
Size: 75KB
MD5: 0ea80c1fd7481bc1fbfe86470069ec81
SHA1: 6aaed5570b9af39ae45c43367d0cfa67c7199e42
SHA256: a8c453e85ccd4ca6a99e83036a736cc904b1b96b4a78d4e33c50c31136226a7a
SHA512: 1a01e86a5901829e79bd8d625119cbb562228ccd0527bf17bb213209489937fa0bd4987171deaca88c434fb368831e3ee9a6a779be6d28662e4e57cfb7f40e5a
Score: 5/10
Malware Config
Signatures

Drops file in System32 directory (1 IoC)
  Processes: PowerShell.exe
  description                   | ioc                                                                                                                | process
  File opened for modification  | C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk  | PowerShell.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: PowerShell.exe
  pid   | process
  1276  | PowerShell.exe
  1276  | PowerShell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: PowerShell.exe
  description               | pid   | process
  Token: SeDebugPrivilege   | 1276  | PowerShell.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, PowerShell.exe
  description                        | pid   | process         | target process
  PID 4416 wrote to memory of 5004   | 4416  | rundll32.exe    | rundll32.exe
  PID 4416 wrote to memory of 5004   | 4416  | rundll32.exe    | rundll32.exe
  PID 4416 wrote to memory of 5004   | 4416  | rundll32.exe    | rundll32.exe
  PID 1276 wrote to memory of 3320   | 1276  | PowerShell.exe  | rundll32.exe
  PID 1276 wrote to memory of 3320   | 1276  | PowerShell.exe  | rundll32.exe
  PID 1276 wrote to memory of 3320   | 1276  | PowerShell.exe  | rundll32.exe
Processes

C:\Windows\system32\rundll32.exe
  Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\boot_00430000.dll,#1
  PID: 4416
  Signatures: Suspicious use of WriteProcessMemory
  └─ C:\Windows\SysWOW64\rundll32.exe
       Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\boot_00430000.dll,#1
       PID: 5004

C:\Windows\System32\rundll32.exe
  Command: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 1680

C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
  Command: "PowerShell.exe" -noexit -command Set-Location -literalPath 'C:\Users\Admin\AppData\Local\Temp'
  PID: 1276
  Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  └─ C:\Windows\SysWOW64\rundll32.exe
       Command: "C:\Windows\SysWOW64\rundll32.exe" .\boot_00430000.dll,ReflectiveLoader
       PID: 3320
Network
MITRE ATT&CK Matrix
Downloads
memory/1276-131-0x00000290789D0000-0x00000290789F2000-memory.dmp  Filesize: 136KB
memory/1276-132-0x0000029078E90000-0x0000029078ED4000-memory.dmp  Filesize: 272KB
memory/1276-133-0x00007FFA0CEF0000-0x00007FFA0D9B1000-memory.dmp  Filesize: 10.8MB
memory/1276-134-0x0000029078F60000-0x0000029078FD6000-memory.dmp  Filesize: 472KB
memory/1276-135-0x00007FFA0CEF0000-0x00007FFA0D9B1000-memory.dmp  Filesize: 10.8MB
memory/1276-136-0x0000029078E60000-0x0000029078E7E000-memory.dmp  Filesize: 120KB
memory/3320-137-0x0000000000000000-mapping.dmp
memory/5004-130-0x0000000000000000-mapping.dmp