60d638fc8f10eab70631c065b9f99a4f8a645df4074316329d6d189b9f6bb967

Analysis

max time kernel
151s
max time network
51s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 21:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60d638fc8f10eab70631c065b9f99a4f8a645df4074316329d6d189b9f6bb967.dll
Size

182KB
MD5

6251835ce0221003e98cde6233873078
SHA1

9410c92944c98b972f5191641eb9806f7f019f0b
SHA256

60d638fc8f10eab70631c065b9f99a4f8a645df4074316329d6d189b9f6bb967
SHA512

e4496eb8a6718fb89e1ee8f0673eef1e46c7d2ac7c7ebabb97756bc9d7e0a87534fc7dba71cde0d6c9025ab61c233f7b3ebb80a875638f3c48d452c4a78527f5
SSDEEP

3072:2rLxDl8mncsfKSySSwTxc7ATOyIB2crwAgV7sDyuKQ10GVeaalof:2rLRl9nXfRDSyxc7AuTr3Is2610Meaam

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\054b	rundll32.exe
File created	C:\Windows\SysWOW64\¸ô!-75100-9969	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 364 wrote to memory of 1620	364	rundll32.exe	26
PID 364 wrote to memory of 1620	364	rundll32.exe	26
PID 364 wrote to memory of 1620	364	rundll32.exe	26
PID 364 wrote to memory of 1620	364	rundll32.exe	26
PID 364 wrote to memory of 1620	364	rundll32.exe	26
PID 364 wrote to memory of 1620	364	rundll32.exe	26
PID 364 wrote to memory of 1620	364	rundll32.exe	26

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\60d638fc8f10eab70631c065b9f99a4f8a645df4074316329d6d189b9f6bb967.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:364
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\60d638fc8f10eab70631c065b9f99a4f8a645df4074316329d6d189b9f6bb967.dll,#1
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  PID:1620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1620-55-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/1620-56-0x0000000010000000-0x00000000100A5000-memory.dmp

Filesize
660KB

Download
memory/1620-57-0x0000000010000000-0x00000000100A5000-memory.dmp

Filesize
660KB

Download