e7275ce521f0376694c3178442e555cb55614c5a6deedd9f4658d7fde887a7c1

Analysis

max time kernel
195s
max time network
204s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7275ce521f0376694c3178442e555cb55614c5a6deedd9f4658d7fde887a7c1.dll
Size

1.4MB
MD5

d2380f47648da28acb358f0954023f64
SHA1

ed0874517b958a08127db05744c192a0d48a247f
SHA256

e7275ce521f0376694c3178442e555cb55614c5a6deedd9f4658d7fde887a7c1
SHA512

1226e4782dcfe24028c0872b2e1a1b7018ae74bd95a2c82891c22112b6ba141e7d877857ab6f7a34a154def57b6a4409035aa714be5f6f075f08264165161e5e
SSDEEP

24576:MxqUxAk+ZgDjcfju2+62uGo4LEfs+rO/SJ9sHGBEoi4P3:M/qNs+j+LH2Eo1P3

Score

8^/10

bootkit persistence upx vmprotect

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3264-138-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/3264-141-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/3264-143-0x0000000000400000-0x0000000000426000-memory.dmp	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/3264-133-0x0000000010000000-0x0000000010391000-memory.dmp	vmprotect
behavioral2/memory/3264-134-0x0000000010000000-0x0000000010391000-memory.dmp	vmprotect
behavioral2/memory/3264-142-0x0000000010000000-0x0000000010391000-memory.dmp	vmprotect

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3264	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3264	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 3264	1700	rundll32.exe	45
PID 1700 wrote to memory of 3264	1700	rundll32.exe	45
PID 1700 wrote to memory of 3264	1700	rundll32.exe	45
PID 3264 wrote to memory of 4564	3264	rundll32.exe	83
PID 3264 wrote to memory of 4564	3264	rundll32.exe	83
PID 3264 wrote to memory of 4564	3264	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e7275ce521f0376694c3178442e555cb55614c5a6deedd9f4658d7fde887a7c1.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\e7275ce521f0376694c3178442e555cb55614c5a6deedd9f4658d7fde887a7c1.dll,#1
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3264
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C C:\Users\Admin\AppData\Local\Temp\rom631F.tmp.exe > C:\Users\Admin\AppData\Local\Temp\rom631F.tmp
    3⤵
    PID:4564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rom631F.tmp.exe

Filesize
240B

MD5
3359a9e4e97e802bf2269be93d360f62

SHA1
63dc0d559cb8dc86168d902489f92b65861376ef

SHA256
72b682830825f59cac469868288bb9a91a6674ebc0ff280108fbe76c714395ff

SHA512
c2396baa8c14b90634d3b04cdfcaebdadede8377b114e8528f1174e7fdc39cb19032458a894db52ba9f42589822557af48823636737657fda97ca6a325a11838

Download Submit
memory/3264-132-0x0000000000000000-mapping.dmp

Download
memory/3264-133-0x0000000010000000-0x0000000010391000-memory.dmp

Filesize
3.6MB

Download
memory/3264-134-0x0000000010000000-0x0000000010391000-memory.dmp

Filesize
3.6MB

Download
memory/3264-138-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3264-141-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3264-142-0x0000000010000000-0x0000000010391000-memory.dmp

Filesize
3.6MB

Download
memory/3264-143-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4564-139-0x0000000000000000-mapping.dmp

Download