Analysis
- max time kernel: 41s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 23-11-2022 20:31
Behavioral task: behavioral1
- Sample: 221cbbb460e56a0da3a319868bcd8cc655aea7c9903a897cdbbed1507caec41a.dll
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 221cbbb460e56a0da3a319868bcd8cc655aea7c9903a897cdbbed1507caec41a.dll
- Resource: win10v2004-20221111-en
General
- Target: 221cbbb460e56a0da3a319868bcd8cc655aea7c9903a897cdbbed1507caec41a.dll
- Size: 1.3MB
- MD5: 77c65616770bccfb5a9a0c77ae5bc263
- SHA1: 8029b4c149b08ac01e270230ea0885a72c1c5229
- SHA256: 221cbbb460e56a0da3a319868bcd8cc655aea7c9903a897cdbbed1507caec41a
- SHA512: b357ef1b8c6026cb9ac34f998e22e4f738bdcdfbaa036633b25d97ff3eee12db4e6a39ad8752f26a1de1dd30e97ddd17ee84310c8087d75b8e80e2ad0777f2c8
- SSDEEP: 24576:EZWmSs4phYgGwpDaO9l11Vy3gJu7Hjrmd9KIf1bKLauR:EZiCgnuOL1CgJ/sC1bkau
Malware Config
Signatures
- YARA match (1 memory resource)
  Processes:
    resource                                                                          | yara_rule
    behavioral1/memory/1620-56-0x00000000008B0000-0x00000000009F8000-memory.dmp      | vmprotect
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes:
    description                   | ioc                  | process
    File opened for modification  | \??\PhysicalDrive0   | rundll32.exe
- Program crash (1 IoCs)
  Processes:
    pid  | pid_target | process       | target process
    824  | 1620       | WerFault.exe  | rundll32.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    description                          | pid   | process       | target process
    PID 1208 wrote to memory of 1620     | 1208  | rundll32.exe  | rundll32.exe   (7 identical entries)
    PID 1620 wrote to memory of 824      | 1620  | rundll32.exe  | WerFault.exe   (4 identical entries)
Processes
- C:\Windows\system32\rundll32.exe (PID 1208)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\221cbbb460e56a0da3a319868bcd8cc655aea7c9903a897cdbbed1507caec41a.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1620)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\221cbbb460e56a0da3a319868bcd8cc655aea7c9903a897cdbbed1507caec41a.dll,#1
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (PID 824)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 324
      - Program crash