064d473b7ad14eba851626e43b8e9edf51a5c43c1a357780e8bdb6fa2a41b4cf

Analysis

max time kernel
148s
max time network
196s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

064d473b7ad14eba851626e43b8e9edf51a5c43c1a357780e8bdb6fa2a41b4cf.dll
Size

421KB
MD5

cef88c4eb3156742c9865de7275b9890
SHA1

17847f8eb7c5da15b4925102e1bc2702308d5f8b
SHA256

064d473b7ad14eba851626e43b8e9edf51a5c43c1a357780e8bdb6fa2a41b4cf
SHA512

4ef8dee2c5c54df0f1c60fa343a56ae4765e9f1ed65590764bc58cbfc3e3fec0345d8c228f302c9f5a28987dcbd63520e758aedda46226a182650e0022aa3970
SSDEEP

6144:AO/AhcWoi8yw1NJEi1OrEduMuGbzIW4FmNiI8ARVOVQFpCm:AcAhcWotJ1NWvOTuG3WYNAQbCm

Score

8^/10

bootkit persistence

Malware Config

Signatures

Blocklisted process makes network request 8 IoCs

flow	pid	Process
7	1676	rundll32.exe
9	1676	rundll32.exe
10	1676	rundll32.exe
11	1676	rundll32.exe
12	1676	rundll32.exe
13	1676	rundll32.exe
14	1676	rundll32.exe
15	1676	rundll32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\80-3188104	rundll32.exe
File created	C:\Windows\SysWOW64\108848	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 1676	1584	rundll32.exe	28
PID 1584 wrote to memory of 1676	1584	rundll32.exe	28
PID 1584 wrote to memory of 1676	1584	rundll32.exe	28
PID 1584 wrote to memory of 1676	1584	rundll32.exe	28
PID 1584 wrote to memory of 1676	1584	rundll32.exe	28
PID 1584 wrote to memory of 1676	1584	rundll32.exe	28
PID 1584 wrote to memory of 1676	1584	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\064d473b7ad14eba851626e43b8e9edf51a5c43c1a357780e8bdb6fa2a41b4cf.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\064d473b7ad14eba851626e43b8e9edf51a5c43c1a357780e8bdb6fa2a41b4cf.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  PID:1676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1676-55-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download