62b885718ceb19c8605428bb83802b539f76dd9382421a9ff3da93da00dcb8cc

Analysis

max time kernel
48s
max time network
53s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
20-10-2022 00:54

Target

62b885718ceb19c8605428bb83802b539f76dd9382421a9ff3da93da00dcb8cc.dll
Size

100KB
MD5

a16abfa25b8565663f15468903fc6572
SHA1

9e9ca4537bd735bb46e1b132507199a8ad2914a4
SHA256

62b885718ceb19c8605428bb83802b539f76dd9382421a9ff3da93da00dcb8cc
SHA512

130630e40256037ec0cee2f954ea97b79cef7f598c47f918888a562dcb8d479c640ab39eadcf3066ba74441ae426e5b6cbc6b0a390062b2571216ff0c0d789d1
SSDEEP

1536:1wsQqzozCVE4ybCsbycX0erTfFkWGq6cjTAc:1wsLzDVE4yvierTdkWGqzjTAc

Score

6^/10

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

Bootkit

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
840	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 840	1376	rundll32.exe	26
PID 1376 wrote to memory of 840	1376	rundll32.exe	26
PID 1376 wrote to memory of 840	1376	rundll32.exe	26
PID 1376 wrote to memory of 840	1376	rundll32.exe	26
PID 1376 wrote to memory of 840	1376	rundll32.exe	26
PID 1376 wrote to memory of 840	1376	rundll32.exe	26
PID 1376 wrote to memory of 840	1376	rundll32.exe	26

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\62b885718ceb19c8605428bb83802b539f76dd9382421a9ff3da93da00dcb8cc.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\62b885718ceb19c8605428bb83802b539f76dd9382421a9ff3da93da00dcb8cc.dll,#1
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  PID:840

Initial Access

Execution

Persistence

Bootkit

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/840-55-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/840-56-0x00000000000F0000-0x00000000000F9000-memory.dmp

Filesize
36KB

Download
memory/840-59-0x00000000000F0000-0x00000000000F9000-memory.dmp

Filesize
36KB

Download