Analysis
- max time kernel: 174s
- max time network: 230s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 03-12-2022 07:59
Static task: static1
Behavioral task: behavioral1
- Sample: 88da99406952a8a6d463f61b106a5e516121c3ac6c89307bdac084455316cde7.dll
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 88da99406952a8a6d463f61b106a5e516121c3ac6c89307bdac084455316cde7.dll
- Resource: win10v2004-20220812-en
General
- Target: 88da99406952a8a6d463f61b106a5e516121c3ac6c89307bdac084455316cde7.dll
- Size: 402KB
- MD5: 5c11f248ef1e25d12442c5b6585af1f4
- SHA1: da7f2fe1ae537e33613347927cb002a0c1395ffb
- SHA256: 88da99406952a8a6d463f61b106a5e516121c3ac6c89307bdac084455316cde7
- SHA512: c05e9cb274f98763ada120e9e60f4124847f9d6ce434df7998c0c096bb84a2ce035a51943ea5141697be169f6e95e9eeb688edb5cc4ee2f2d7d8525dc0875b05
- SSDEEP: 6144:ZG3iS2K8ygqSqYsjtZWQiiM1p9JltPnJ7bzyl/48cVLBIcq7oeUg32eT:chx8y/SqYgdtIpDnJ7nyF48cVLBi7BUu
Malware Config
Signatures
- Blocklisted process makes network request (6 IoCs)
  Processes (flow, pid, process):
  - 7, 1004, rundll32.exe
  - 9, 1004, rundll32.exe
  - 10, 1004, rundll32.exe
  - 11, 1004, rundll32.exe
  - 12, 1004, rundll32.exe
  - 15, 1004, rundll32.exe
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes (description, ioc, process):
  - File opened for modification, \??\PhysicalDrive0, rundll32.exe
- Drops file in System32 directory (2 IoCs)
  Processes (description, ioc, process):
  - File created, C:\Windows\SysWOW64\2924-127-17, rundll32.exe
  - File created, C:\Windows\SysWOW64\022, rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description, pid, process, target process):
  - PID 2032 wrote to memory of 1004, 2032, rundll32.exe, rundll32.exe
  - PID 2032 wrote to memory of 1004, 2032, rundll32.exe, rundll32.exe
  - PID 2032 wrote to memory of 1004, 2032, rundll32.exe, rundll32.exe
  - PID 2032 wrote to memory of 1004, 2032, rundll32.exe, rundll32.exe
  - PID 2032 wrote to memory of 1004, 2032, rundll32.exe, rundll32.exe
  - PID 2032 wrote to memory of 1004, 2032, rundll32.exe, rundll32.exe
  - PID 2032 wrote to memory of 1004, 2032, rundll32.exe, rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\88da99406952a8a6d463f61b106a5e516121c3ac6c89307bdac084455316cde7.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\88da99406952a8a6d463f61b106a5e516121c3ac6c89307bdac084455316cde7.dll,#1
    - Blocklisted process makes network request
    - Writes to the Master Boot Record (MBR)
    - Drops file in System32 directory