Analysis
max time kernel: 172s
max time network: 189s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2022 20:31
Behavioral task: behavioral1
Sample: 12c0b1a6be0b09f1f8639d5200f1a1498cb7917110630f6cf2ec13a88898c770.dll
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: 12c0b1a6be0b09f1f8639d5200f1a1498cb7917110630f6cf2ec13a88898c770.dll
Resource: win10v2004-20221111-en
General
Target: 12c0b1a6be0b09f1f8639d5200f1a1498cb7917110630f6cf2ec13a88898c770.dll
Size: 914KB
MD5: 7ddc9aee1acdc3d724cd23f2e9908c25
SHA1: eb89bcdcaa3cb72b02883eab5afc047bdfb72fab
SHA256: 12c0b1a6be0b09f1f8639d5200f1a1498cb7917110630f6cf2ec13a88898c770
SHA512: 74df5983de289935505c370411c53775ce5b2560eddf0ff1a4d7da024eb2cc32acefc4cab002074d2ce45a82bde6940f77eff07cfdb870f5a1780aa1e7b01dc9
SSDEEP: 12288:8yxH1k5Z2/W/AjMdJ8s+GLbdjCEiHOkcigDj+1NAzljkNwH0OMmcMyZOnbZSD:JVcerjktFttipqj+8ljyW0OMm4ZabU
Malware Config
Signatures
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes: rundll32.exe
  description | ioc | process
  File opened for modification | \??\PhysicalDrive0 | rundll32.exe
- Program crash (1 IoC)
  Processes: WerFault.exe
  pid | pid_target | process | target process
  3856 | 4260 | WerFault.exe | rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: rundll32.exe
  description | pid | process | target process
  PID 3616 wrote to memory of 4260 | 3616 | rundll32.exe | rundll32.exe
  PID 3616 wrote to memory of 4260 | 3616 | rundll32.exe | rundll32.exe
  PID 3616 wrote to memory of 4260 | 3616 | rundll32.exe | rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\12c0b1a6be0b09f1f8639d5200f1a1498cb7917110630f6cf2ec13a88898c770.dll,#1
  PID: 3616
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\12c0b1a6be0b09f1f8639d5200f1a1498cb7917110630f6cf2ec13a88898c770.dll,#1
    PID: 4260
    - Writes to the Master Boot Record (MBR)
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 684
      PID: 3856
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4260 -ip 4260
  PID: 768
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/4260-132-0x0000000000000000-mapping.dmp