Overview

overview

10

Static

static

10

boot_00430000.dll

windows7_x64

1

boot_00430000.dll

windows10-2004_x64

5

Resubmissions

08-07-2022 07:45

220708-jlnrgshhg3 10

08-07-2022 07:38

220708-jgdeyshfc9 10

08-07-2022 07:36

220708-jfkgwafedq 10

08-07-2022 07:30

220708-jb7fvafdaj 10

Analysis

  • max time kernel
    232s
  • max time network
    297s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    08-07-2022 07:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    boot_00430000.dll

  • Size

    75KB

  • MD5

    0ea80c1fd7481bc1fbfe86470069ec81

  • SHA1

    6aaed5570b9af39ae45c43367d0cfa67c7199e42

  • SHA256

    a8c453e85ccd4ca6a99e83036a736cc904b1b96b4a78d4e33c50c31136226a7a

  • SHA512

    1a01e86a5901829e79bd8d625119cbb562228ccd0527bf17bb213209489937fa0bd4987171deaca88c434fb368831e3ee9a6a779be6d28662e4e57cfb7f40e5a

Score
5/10

Malware Config

Signatures

  • Drops file in System32 directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\boot_00430000.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4416
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\boot_00430000.dll,#1
      2⤵
        PID:5004
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:1680
      • C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
        "PowerShell.exe" -noexit -command Set-Location -literalPath 'C:\Users\Admin\AppData\Local\Temp'
        1⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1276
        • C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\SysWOW64\rundll32.exe" .\boot_00430000.dll,ReflectiveLoader
          2⤵
            PID:3320

        Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1276-131-0x00000290789D0000-0x00000290789F2000-memory.dmp
          Filesize

          136KB

          Download
        • memory/1276-132-0x0000029078E90000-0x0000029078ED4000-memory.dmp
          Filesize

          272KB

          Download
        • memory/1276-133-0x00007FFA0CEF0000-0x00007FFA0D9B1000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/1276-134-0x0000029078F60000-0x0000029078FD6000-memory.dmp
          Filesize

          472KB

          Download
        • memory/1276-135-0x00007FFA0CEF0000-0x00007FFA0D9B1000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/1276-136-0x0000029078E60000-0x0000029078E7E000-memory.dmp
          Filesize

          120KB

          Download
        • memory/3320-137-0x0000000000000000-mapping.dmp
          Download
        • memory/5004-130-0x0000000000000000-mapping.dmp
          Download