e7796bfd0f8a7a62490ed930420a91557ae725d71520305495a10a0fdbfe259d

Analysis

max time kernel
87s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/11/2022, 22:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e7796bfd0f8a7a62490ed930420a91557ae725d71520305495a10a0fdbfe259d.dll
Size

1.9MB
MD5

272cc6ff7321066739a99babbd250a39
SHA1

0215f62d45154313a4ad307f4652da545bbd8b1a
SHA256

e7796bfd0f8a7a62490ed930420a91557ae725d71520305495a10a0fdbfe259d
SHA512

bfdaffd92dbfaa1729b3945c1f0ea7693bd911dadd627ebdc0bea19019c3572a335f5e1afc98115a65bb865951914d151e6ae04df0e418ff1eed99364327d719
SSDEEP

24576:VckrgNeGnvSl2OMScqJQ3D4sAvT9eol0rS9E0nFAaklteKeEBpZPOTEj4jLAcNt4:VckrqvIMSWaL8o7fdwteKDrQT4ELkB

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3820	rundll32.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4404	3820	WerFault.exe	81
3816	3820	WerFault.exe	81
2328	3820	WerFault.exe	81

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3820	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 3820	3044	rundll32.exe	81
PID 3044 wrote to memory of 3820	3044	rundll32.exe	81
PID 3044 wrote to memory of 3820	3044	rundll32.exe	81

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e7796bfd0f8a7a62490ed930420a91557ae725d71520305495a10a0fdbfe259d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\e7796bfd0f8a7a62490ed930420a91557ae725d71520305495a10a0fdbfe259d.dll,#1
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  PID:3820
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 828
    3⤵
    - Program crash
    PID:4404
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 876
    3⤵
    - Program crash
    PID:3816
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 636
    3⤵
    - Program crash
    PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3820 -ip 3820
1⤵
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3820 -ip 3820
1⤵
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3820 -ip 3820
1⤵
PID:4760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3820-133-0x0000000010000000-0x0000000010521000-memory.dmp

Filesize
5.1MB

Download
memory/3820-137-0x0000000010000000-0x0000000010521000-memory.dmp

Filesize
5.1MB

Download