88da99406952a8a6d463f61b106a5e516121c3ac6c89307bdac084455316cde7

Analysis

max time kernel
174s
max time network
230s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 07:59

Target

88da99406952a8a6d463f61b106a5e516121c3ac6c89307bdac084455316cde7.dll
Size

402KB
MD5

5c11f248ef1e25d12442c5b6585af1f4
SHA1

da7f2fe1ae537e33613347927cb002a0c1395ffb
SHA256

88da99406952a8a6d463f61b106a5e516121c3ac6c89307bdac084455316cde7
SHA512

c05e9cb274f98763ada120e9e60f4124847f9d6ce434df7998c0c096bb84a2ce035a51943ea5141697be169f6e95e9eeb688edb5cc4ee2f2d7d8525dc0875b05
SSDEEP

6144:ZG3iS2K8ygqSqYsjtZWQiiM1p9JltPnJ7bzyl/48cVLBIcq7oeUg32eT:chx8y/SqYgdtIpDnJ7nyF48cVLBi7BUu

Score

8^/10

Blocklisted process makes network request 6 IoCs

Processes:

rundll32.exe

flow pid process

7 1004 rundll32.exe
9 1004 rundll32.exe
10 1004 rundll32.exe
11 1004 rundll32.exe
12 1004 rundll32.exe
15 1004 rundll32.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

rundll32.exe

description ioc process

File opened for modification \??\PhysicalDrive0 rundll32.exe
Drops file in System32 directory 2 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\Windows\SysWOW64\2924-127-17 rundll32.exe
File created C:\Windows\SysWOW64\022 rundll32.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	rundll32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\2924-127-17	rundll32.exe
File created	C:\Windows\SysWOW64\022	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2032 wrote to memory of 1004	2032	rundll32.exe	rundll32.exe
PID 2032 wrote to memory of 1004	2032	rundll32.exe	rundll32.exe
PID 2032 wrote to memory of 1004	2032	rundll32.exe	rundll32.exe
PID 2032 wrote to memory of 1004	2032	rundll32.exe	rundll32.exe
PID 2032 wrote to memory of 1004	2032	rundll32.exe	rundll32.exe
PID 2032 wrote to memory of 1004	2032	rundll32.exe	rundll32.exe
PID 2032 wrote to memory of 1004	2032	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\88da99406952a8a6d463f61b106a5e516121c3ac6c89307bdac084455316cde7.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2032

Initial Access

Execution

Persistence

Bootkit

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

memory/1004-54-0x0000000000000000-mapping.dmp

Download
memory/1004-55-0x0000000075881000-0x0000000075883000-memory.dmp

Filesize
8KB

Download