Analysis
- max time kernel: 153s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-12-2022 07:59
Static task: static1
Behavioral task: behavioral1
- Sample: 88da99406952a8a6d463f61b106a5e516121c3ac6c89307bdac084455316cde7.dll
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 88da99406952a8a6d463f61b106a5e516121c3ac6c89307bdac084455316cde7.dll
- Resource: win10v2004-20220812-en
General
- Target: 88da99406952a8a6d463f61b106a5e516121c3ac6c89307bdac084455316cde7.dll
- Size: 402KB
- MD5: 5c11f248ef1e25d12442c5b6585af1f4
- SHA1: da7f2fe1ae537e33613347927cb002a0c1395ffb
- SHA256: 88da99406952a8a6d463f61b106a5e516121c3ac6c89307bdac084455316cde7
- SHA512: c05e9cb274f98763ada120e9e60f4124847f9d6ce434df7998c0c096bb84a2ce035a51943ea5141697be169f6e95e9eeb688edb5cc4ee2f2d7d8525dc0875b05
- SSDEEP: 6144:ZG3iS2K8ygqSqYsjtZWQiiM1p9JltPnJ7bzyl/48cVLBIcq7oeUg32eT:chx8y/SqYgdtIpDnJ7nyF48cVLBi7BUu
Malware Config
Signatures
- Blocklisted process makes network request (7 IoCs)
  Processes: rundll32.exe
  flow | pid  | process
  30   | 3612 | rundll32.exe
  42   | 3612 | rundll32.exe
  46   | 3612 | rundll32.exe
  50   | 3612 | rundll32.exe
  55   | 3612 | rundll32.exe
  60   | 3612 | rundll32.exe
  67   | 3612 | rundll32.exe
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes: rundll32.exe
  description                  | ioc                | process
  File opened for modification | \??\PhysicalDrive0 | rundll32.exe
- Drops file in System32 directory (2 IoCs)
  Processes: rundll32.exe
  description  | ioc                              | process
  File created | C:\Windows\SysWOW64\1d63         | rundll32.exe
  File created | C:\Windows\SysWOW64\-35-6376-5   | rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: rundll32.exe
  description                       | pid  | process      | target process
  PID 1000 wrote to memory of 3612  | 1000 | rundll32.exe | rundll32.exe
  PID 1000 wrote to memory of 3612  | 1000 | rundll32.exe | rundll32.exe
  PID 1000 wrote to memory of 3612  | 1000 | rundll32.exe | rundll32.exe
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\88da99406952a8a6d463f61b106a5e516121c3ac6c89307bdac084455316cde7.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\88da99406952a8a6d463f61b106a5e516121c3ac6c89307bdac084455316cde7.dll,#1
      - Blocklisted process makes network request
      - Writes to the Master Boot Record (MBR)
      - Drops file in System32 directory
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/3612-132-0x0000000000000000-mapping.dmp