092a8e3625cc3b7bdc7ff3173e2653ffd16f0432355ec1924cc3cf804a2169ed

Analysis

max time kernel
39s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 09:17

Target

092a8e3625cc3b7bdc7ff3173e2653ffd16f0432355ec1924cc3cf804a2169ed.dll
Size

80KB
MD5

9a45f2d396b470928bda7ceb7d3473b9
SHA1

408061df9595e40bad6351b46a374fc309be5914
SHA256

092a8e3625cc3b7bdc7ff3173e2653ffd16f0432355ec1924cc3cf804a2169ed
SHA512

fd4de9a0cf4a93427442bd66d85bb006b9ced2d2d7657af54566216e416711295af1803f63de7e795e41d0ce400612602f101c59c5ec2561a7ac17ecc3ef44b4
SSDEEP

1536:qyIumrS8mhZGI1UW6Mqd8M1HOQ6/K3cuyj/S5R3d63B3:derjmhcGV6Mqdt1uQ6/K3cu4w2B3

Score

6^/10

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

Bootkit

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1384	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 1384	1112	rundll32.exe	26
PID 1112 wrote to memory of 1384	1112	rundll32.exe	26
PID 1112 wrote to memory of 1384	1112	rundll32.exe	26
PID 1112 wrote to memory of 1384	1112	rundll32.exe	26
PID 1112 wrote to memory of 1384	1112	rundll32.exe	26
PID 1112 wrote to memory of 1384	1112	rundll32.exe	26
PID 1112 wrote to memory of 1384	1112	rundll32.exe	26

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\092a8e3625cc3b7bdc7ff3173e2653ffd16f0432355ec1924cc3cf804a2169ed.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\092a8e3625cc3b7bdc7ff3173e2653ffd16f0432355ec1924cc3cf804a2169ed.dll,#1
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  PID:1384

Initial Access

Execution

Persistence

Bootkit

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1384-55-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/1384-56-0x0000000000130000-0x0000000000139000-memory.dmp

Filesize
36KB

Download
memory/1384-59-0x0000000000130000-0x0000000000139000-memory.dmp

Filesize
36KB

Download