9fccbbeea4b966efae9ff729b9aa7670df52aea2c2eea49adb7459c875c7166f

Analysis

max time kernel
42s
max time network
47s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 01:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

GetMachineInfo.dll
Size

166KB
MD5

a004915330a150f649e73d94b5c2e7ba
SHA1

ae1acefbf6a481ddc6e486e173d18be8c6e09a92
SHA256

cdf2c8378548e6a549f7d88a51d96cd917c655c8f368ff009d8ebf244c4e4dc1
SHA512

00ee6ab487bfa238835d865ad4fdf9422caa8a594afe2bc8c0b268468b3dcf6f553ac5c4a5d259aa1bcfa2c3a56b95be4f26691dc1b1a3baeab769c608ebcf1d
SSDEEP

1536:0WpUUJT60s+PVTxgvbaJ+XoT/hHy39DlPgjHCw6/OaH85pBlBbtU6hD28iT7bpgr:0T+e3l+J2oTA9BPuQOJNlJ26hViTxgr

Score

7^/10

bootkit persistence

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	rundll32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1300	840	WerFault.exe	27

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1000 wrote to memory of 840	1000	rundll32.exe	27
PID 1000 wrote to memory of 840	1000	rundll32.exe	27
PID 1000 wrote to memory of 840	1000	rundll32.exe	27
PID 1000 wrote to memory of 840	1000	rundll32.exe	27
PID 1000 wrote to memory of 840	1000	rundll32.exe	27
PID 1000 wrote to memory of 840	1000	rundll32.exe	27
PID 1000 wrote to memory of 840	1000	rundll32.exe	27
PID 840 wrote to memory of 1300	840	rundll32.exe	28
PID 840 wrote to memory of 1300	840	rundll32.exe	28
PID 840 wrote to memory of 1300	840	rundll32.exe	28
PID 840 wrote to memory of 1300	840	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\GetMachineInfo.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1000
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\GetMachineInfo.dll,#1
  2⤵
  - Checks BIOS information in registry
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 232
    3⤵
    - Program crash
    PID:1300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/840-55-0x0000000076561000-0x0000000076563000-memory.dmp

Filesize
8KB

Download