4d4b0060ff09ac7d0da455adae4e0ffaab4f0066c3fcf0da28f3630a2d543629

Analysis

max time kernel
44s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

qqjiahaoyou-v2.2/CrackCaptchaAPI.dll
Size

1.3MB
MD5

9a4965011a94705227f62df0776f2ab6
SHA1

fe91972e1c993731cdacc7429c4f4760672adcf7
SHA256

a9ea79e9c5017616ca9085351ef166f35882ad5a201b92c4839ffdf1169e4113
SHA512

e74bc303d99a2151dd00b8f4da0aabd70b37fe46a74702034a5a0ab3da7cad9ad0b7d69b960a10d0876ad5b660e1b868c8956e8d05321f7120f480baee34378a
SSDEEP

24576:ll7VKWLgjBTGxuQi0aqj45fnNVWhb0yX6i2JHoBTURfymDdTELFI:lwmX4N2hbYiPTUQmJTa

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

rundll32.exe

description ioc process

File opened for modification \??\PhysicalDrive0 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

612 932 WerFault.exe rundll32.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	rundll32.exe

pid	pid_target	process	target process
612	932	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 976 wrote to memory of 932	976	rundll32.exe	rundll32.exe
PID 976 wrote to memory of 932	976	rundll32.exe	rundll32.exe
PID 976 wrote to memory of 932	976	rundll32.exe	rundll32.exe
PID 976 wrote to memory of 932	976	rundll32.exe	rundll32.exe
PID 976 wrote to memory of 932	976	rundll32.exe	rundll32.exe
PID 976 wrote to memory of 932	976	rundll32.exe	rundll32.exe
PID 976 wrote to memory of 932	976	rundll32.exe	rundll32.exe
PID 932 wrote to memory of 612	932	rundll32.exe	WerFault.exe
PID 932 wrote to memory of 612	932	rundll32.exe	WerFault.exe
PID 932 wrote to memory of 612	932	rundll32.exe	WerFault.exe
PID 932 wrote to memory of 612	932	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\qqjiahaoyou-v2.2\CrackCaptchaAPI.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\qqjiahaoyou-v2.2\CrackCaptchaAPI.dll,#1
2⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 240
3⤵
- Program crash
PID:612

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/612-56-0x0000000000000000-mapping.dmp

Download
memory/932-54-0x0000000000000000-mapping.dmp

Download
memory/932-55-0x00000000756B1000-0x00000000756B3000-memory.dmp

Filesize
8KB

Download