1379fd67588484b8817a50e5fdfb37ced156e44b3a4f0fdd466409e481733ef5

Analysis

max time kernel
16s
max time network
35s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 22:40

Target

ʹ֮/CrackCaptchaAPI.dll
Size

1.3MB
MD5

6046edcc5db052bea9e7e6d2f2e869b1
SHA1

f9efa2ff06eb664a0a3e9f2c53bc1c538c59b590
SHA256

07b407b9344bc636a5595493f4bef9e66a3e0f14d6557c3a2a979a400670235c
SHA512

fc6340b7a795566126da4efe6228a19eb36ee22e35323ad892289a62481ed414f1486a64c770bcb53ad6d8967363d81da91839ddd2a11c1dfb1e72a51a9bd8a8
SSDEEP

24576:An6WrvFhoN0oXr2HbAR4rMuwKc3QC5fexfduH2FRNEpzvKdYu2TB3DEZ:APNet4PWQC5yluHQuzQYTTFIZ

Score

6^/10

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

rundll32.exe

description ioc process

File opened for modification \??\PhysicalDrive0 rundll32.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1380 wrote to memory of 1400	1380	rundll32.exe	rundll32.exe
PID 1380 wrote to memory of 1400	1380	rundll32.exe	rundll32.exe
PID 1380 wrote to memory of 1400	1380	rundll32.exe	rundll32.exe
PID 1380 wrote to memory of 1400	1380	rundll32.exe	rundll32.exe
PID 1380 wrote to memory of 1400	1380	rundll32.exe	rundll32.exe
PID 1380 wrote to memory of 1400	1380	rundll32.exe	rundll32.exe
PID 1380 wrote to memory of 1400	1380	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ʹ֮\CrackCaptchaAPI.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ʹ֮\CrackCaptchaAPI.dll,#1
  2⤵
  - Writes to the Master Boot Record (MBR)
  PID:1400

Initial Access

Execution

Persistence

Bootkit

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1400-54-0x0000000000000000-mapping.dmp

Download
memory/1400-55-0x00000000764C1000-0x00000000764C3000-memory.dmp

Filesize
8KB

Download