Analysis
-
max time kernel: 44s
-
max time network: 48s
-
platform: windows7_x64
-
resource: win7-20220901-en
-
resource tags: arch:x64 arch:x86 image:win7-20220901-en locale:en-us os:windows7-x64 system
-
submitted: 04-12-2022 03:33
Static task
static1
Behavioral task
behavioral1
Sample
e63a3a9f0c89ff358005e976f7a3e7666b3a135d25c4394fbc120b6089ac71c1.dll
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
e63a3a9f0c89ff358005e976f7a3e7666b3a135d25c4394fbc120b6089ac71c1.dll
Resource
win10v2004-20221111-en
General
-
Target
e63a3a9f0c89ff358005e976f7a3e7666b3a135d25c4394fbc120b6089ac71c1.dll
-
Size
4.3MB
-
MD5
64f196646947529c6c4d21188ec9c4dd
-
SHA1
f2db17ef0dc389ba1e76879cbe400d1031249977
-
SHA256
e63a3a9f0c89ff358005e976f7a3e7666b3a135d25c4394fbc120b6089ac71c1
-
SHA512
c04f8c8fb9036921fd0f9e87d9935403022336cc8bdbe13d20c7311d04ef8a65cfda2a8b45e068d02ce9507693e92222583703064dac9e22edeed2a54b063da8
-
SSDEEP
98304:uBu6l4QWOabPG1f5edNM/Cw/khc5FbKEQ26PVR7m6gZ1MRGNCyI5AxV3001fiofB:qYQeohedNM/Cw/khc5FbKEV6PVR7m6gr
Malware Config
Signatures
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: rundll32.exe
description: File opened for modification
ioc: \??\PhysicalDrive0
process: rundll32.exe
-
Program crash 1 IoCs
Processes: WerFault.exe
pid: 2028
pid_target: 844
process: WerFault.exe
target process: rundll32.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes: rundll32.exe, rundll32.exe
description                       pid   process       target process
PID 1348 wrote to memory of 844   1348  rundll32.exe  rundll32.exe   (7 events)
PID 844 wrote to memory of 2028   844   rundll32.exe  WerFault.exe   (4 events)
Processes
-
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e63a3a9f0c89ff358005e976f7a3e7666b3a135d25c4394fbc120b6089ac71c1.dll,#1
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e63a3a9f0c89ff358005e976f7a3e7666b3a135d25c4394fbc120b6089ac71c1.dll,#1
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 844 -s 356
      - Program crash