Overview

overview

8

Static

static

1fd44f53ba...a0.dll

windows7-x64

8

1fd44f53ba...a0.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    47s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    04-12-2022 03:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1fd44f53bae4369a177295b93322f331112e67f7357e07ceef475a52f34918a0.dll

  • Size

    7.4MB

  • MD5

    ad0541f1a98fec199c33580c11bebb50

  • SHA1

    74114e04912f606b98aca27e5a57f46236f61bd2

  • SHA256

    1fd44f53bae4369a177295b93322f331112e67f7357e07ceef475a52f34918a0

  • SHA512

    aee734d5487c071e8b64c59f4f6e5fd819c20112682888ebc0671eefe325aa0c254a433b822b0ca558c662f1d9fb4d212616c3922eca50329a35caae347e5343

  • SSDEEP

    98304:Y2F/rBjd+nbf5ewT0f+2Ck7XbJUjC3AMDb7Kz/Ec0gD6aZaQhB104uwoPWvY:xbmbhewo22RXbajYHHuL0gjBhBIWvY

Score
8/10
bootkitpersistence

Malware Config

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Executes dropped EXE 5 IoCs
  • Modifies Installed Components in the registry 2 TTPs 6 IoCs
    persistence
  • Loads dropped DLL 17 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies system certificate store 2 TTPs 64 IoCs
    evasionspywaretrojan
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\1fd44f53bae4369a177295b93322f331112e67f7357e07ceef475a52f34918a0.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1380
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\1fd44f53bae4369a177295b93322f331112e67f7357e07ceef475a52f34918a0.dll,#1
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies system certificate store
      • Suspicious use of WriteProcessMemory
      PID:1672
      • C:\Users\Admin\AppData\Local\Temp\{9DA0B2C1-0E67-42c3-BF0D-67C2079C818F}.tmp\KB931125.exe
        "C:\Users\Admin\AppData\Local\Temp\{9DA0B2C1-0E67-42c3-BF0D-67C2079C818F}.tmp\KB931125.exe"
        3⤵
        • Executes dropped EXE
        • Modifies Installed Components in the registry
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1272
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe authroots.sst
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Modifies system certificate store
          PID:1808
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe updroots.sst
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Modifies system certificate store
          PID:984
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe -l roots.sst
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Modifies system certificate store
          PID:1940
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe -d delroots.sst
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:1772

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Bootkit

1
T1067

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Install Root Certificate

1
T1130

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\authroots.sst
    Filesize

    73KB

    MD5

    bb49ccc10926cdb601eba81afef749a2

    SHA1

    a4766c9aea8d211e9632148fd4b625cece195be9

    SHA256

    f013ee3b7fede9a95844e83e83ee298d38cba6efce5a5cafcd8b95255c32f86c

    SHA512

    94c2809727039d1ed07a3742a4b2f9300e865ea7c49bc1fcf547a30238eeecc88d8dd06a2d4f3112317f948908b9af082b50f412a41a2bcb48d5e30d6d8ecbba

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\delroots.sst
    Filesize

    9KB

    MD5

    7b32871e409608ff887b6cf4d87debb0

    SHA1

    191f9ea1298ee52dbd6f977b3584109a064f57b9

    SHA256

    3f01268547364d2d60a0f65b46757cccfd9225fc39d581846a8fbffdb5756ff2

    SHA512

    534a384f7946db4083e639b8e02d83ac97293c60630b8811a84c85e0330e9c293f05f5cf71e0f3580551e7923bc5a3bfb7f0406432ca3cdb7efeb4a950ac5e8a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\roots.sst
    Filesize

    7KB

    MD5

    9e5de0fd1f90486a66dee4bfe89a78d7

    SHA1

    90e3188ef63495aaa71c85d4ff0f23253c834b40

    SHA256

    8b95ff56d61586582864d05563762615c8705779578dca3c98a303c3b1f4122e

    SHA512

    60006fa6f57e4d280642d51055f85f8d27b913ce71373de5b928c515c77647295030ab73ab4a55024de4a40c18f200909f49ffb52c26cf554835fc3d4cc348f1

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
    Filesize

    5KB

    MD5

    9c18ae971cbffb096952177f6804ea31

    SHA1

    bb255dd1bd9bb39cdbb8671af66054432c686828

    SHA256

    2703c25453b09c40ee81fdc458b8cc24712e387a12d15ff94e12b02921fe98cb

    SHA512

    21086509bb4ea5afede55d034955de0bdf8b366d5d8d4bfa7a6c68b0f35fbf217ff3e932f87fc1d37f09022805e79ceeecbaf3dbccbd96d7c93029ffe7370e4c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
    Filesize

    5KB

    MD5

    9c18ae971cbffb096952177f6804ea31

    SHA1

    bb255dd1bd9bb39cdbb8671af66054432c686828

    SHA256

    2703c25453b09c40ee81fdc458b8cc24712e387a12d15ff94e12b02921fe98cb

    SHA512

    21086509bb4ea5afede55d034955de0bdf8b366d5d8d4bfa7a6c68b0f35fbf217ff3e932f87fc1d37f09022805e79ceeecbaf3dbccbd96d7c93029ffe7370e4c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
    Filesize

    5KB

    MD5

    9c18ae971cbffb096952177f6804ea31

    SHA1

    bb255dd1bd9bb39cdbb8671af66054432c686828

    SHA256

    2703c25453b09c40ee81fdc458b8cc24712e387a12d15ff94e12b02921fe98cb

    SHA512

    21086509bb4ea5afede55d034955de0bdf8b366d5d8d4bfa7a6c68b0f35fbf217ff3e932f87fc1d37f09022805e79ceeecbaf3dbccbd96d7c93029ffe7370e4c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
    Filesize

    5KB

    MD5

    9c18ae971cbffb096952177f6804ea31

    SHA1

    bb255dd1bd9bb39cdbb8671af66054432c686828

    SHA256

    2703c25453b09c40ee81fdc458b8cc24712e387a12d15ff94e12b02921fe98cb

    SHA512

    21086509bb4ea5afede55d034955de0bdf8b366d5d8d4bfa7a6c68b0f35fbf217ff3e932f87fc1d37f09022805e79ceeecbaf3dbccbd96d7c93029ffe7370e4c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
    Filesize

    5KB

    MD5

    9c18ae971cbffb096952177f6804ea31

    SHA1

    bb255dd1bd9bb39cdbb8671af66054432c686828

    SHA256

    2703c25453b09c40ee81fdc458b8cc24712e387a12d15ff94e12b02921fe98cb

    SHA512

    21086509bb4ea5afede55d034955de0bdf8b366d5d8d4bfa7a6c68b0f35fbf217ff3e932f87fc1d37f09022805e79ceeecbaf3dbccbd96d7c93029ffe7370e4c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.sst
    Filesize

    320KB

    MD5

    2d9b4498c847715418160bfd7e7c8a2d

    SHA1

    e0873091d476d2566aa6fc988cb364247c95dc97

    SHA256

    c49c05b701c390c679e5e3226ec621f22a08155b1065fcfc37b509f648f03b41

    SHA512

    dcf3208cdd1e4353f82823f796d735c1209f149f183eea827a90753ec55509a1c460a16c120e07c12a5eacf0e67d2661c25638491ecf4403e25d6508983e519b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\{9DA0B2C1-0E67-42c3-BF0D-67C2079C818F}.tmp\KB931125.exe
    Filesize

    349KB

    MD5

    4a4d72d34f9da1fc5019e0748fcde2f5

    SHA1

    f54752ec63369522f37e545325519ee434cdf439

    SHA256

    83b660f3f3eaddd4b388ed3f806f7444f03429fb63fc1f8db3d86294914a05ca

    SHA512

    95986ffbf51483a0d1a256028847c7ee6ac73ffd62f6d838309a69e1833f719a7cfed5422815f4d4a49dbd599c449f8db8f60273136720cb1da5f8b0eb24cb33

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\{9DA0B2C1-0E67-42c3-BF0D-67C2079C818F}.tmp\KB931125.exe
    Filesize

    349KB

    MD5

    4a4d72d34f9da1fc5019e0748fcde2f5

    SHA1

    f54752ec63369522f37e545325519ee434cdf439

    SHA256

    83b660f3f3eaddd4b388ed3f806f7444f03429fb63fc1f8db3d86294914a05ca

    SHA512

    95986ffbf51483a0d1a256028847c7ee6ac73ffd62f6d838309a69e1833f719a7cfed5422815f4d4a49dbd599c449f8db8f60273136720cb1da5f8b0eb24cb33

    Download Submit
  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\ADVPACK.DLL
    Filesize

    89KB

    MD5

    a64e4b204d44548eeb5c3d86eca2ad70

    SHA1

    e3245bf6dbb2e56d71a9cbad2697aa4fa0df6bbe

    SHA256

    985a5603ebf94539ac11549999f83b5e6dc008180994898c5daa6fd31ae1e9dc

    SHA512

    dca4099318954bab5f1204645be0d0e8fea0c2e97ee95496fa884fbed627e376358623fa94c39bf0abe97d07d46a7e6c5e1081496cdd1987e07e595995a46cd5

    Download Submit
  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
    Filesize

    5KB

    MD5

    9c18ae971cbffb096952177f6804ea31

    SHA1

    bb255dd1bd9bb39cdbb8671af66054432c686828

    SHA256

    2703c25453b09c40ee81fdc458b8cc24712e387a12d15ff94e12b02921fe98cb

    SHA512

    21086509bb4ea5afede55d034955de0bdf8b366d5d8d4bfa7a6c68b0f35fbf217ff3e932f87fc1d37f09022805e79ceeecbaf3dbccbd96d7c93029ffe7370e4c

    Download Submit
  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
    Filesize

    5KB

    MD5

    9c18ae971cbffb096952177f6804ea31

    SHA1

    bb255dd1bd9bb39cdbb8671af66054432c686828

    SHA256

    2703c25453b09c40ee81fdc458b8cc24712e387a12d15ff94e12b02921fe98cb

    SHA512

    21086509bb4ea5afede55d034955de0bdf8b366d5d8d4bfa7a6c68b0f35fbf217ff3e932f87fc1d37f09022805e79ceeecbaf3dbccbd96d7c93029ffe7370e4c

    Download Submit
  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
    Filesize

    5KB

    MD5

    9c18ae971cbffb096952177f6804ea31

    SHA1

    bb255dd1bd9bb39cdbb8671af66054432c686828

    SHA256

    2703c25453b09c40ee81fdc458b8cc24712e387a12d15ff94e12b02921fe98cb

    SHA512

    21086509bb4ea5afede55d034955de0bdf8b366d5d8d4bfa7a6c68b0f35fbf217ff3e932f87fc1d37f09022805e79ceeecbaf3dbccbd96d7c93029ffe7370e4c

    Download Submit
  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
    Filesize

    5KB

    MD5

    9c18ae971cbffb096952177f6804ea31

    SHA1

    bb255dd1bd9bb39cdbb8671af66054432c686828

    SHA256

    2703c25453b09c40ee81fdc458b8cc24712e387a12d15ff94e12b02921fe98cb

    SHA512

    21086509bb4ea5afede55d034955de0bdf8b366d5d8d4bfa7a6c68b0f35fbf217ff3e932f87fc1d37f09022805e79ceeecbaf3dbccbd96d7c93029ffe7370e4c

    Download Submit
  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
    Filesize

    5KB

    MD5

    9c18ae971cbffb096952177f6804ea31

    SHA1

    bb255dd1bd9bb39cdbb8671af66054432c686828

    SHA256

    2703c25453b09c40ee81fdc458b8cc24712e387a12d15ff94e12b02921fe98cb

    SHA512

    21086509bb4ea5afede55d034955de0bdf8b366d5d8d4bfa7a6c68b0f35fbf217ff3e932f87fc1d37f09022805e79ceeecbaf3dbccbd96d7c93029ffe7370e4c

    Download Submit
  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
    Filesize

    5KB

    MD5

    9c18ae971cbffb096952177f6804ea31

    SHA1

    bb255dd1bd9bb39cdbb8671af66054432c686828

    SHA256

    2703c25453b09c40ee81fdc458b8cc24712e387a12d15ff94e12b02921fe98cb

    SHA512

    21086509bb4ea5afede55d034955de0bdf8b366d5d8d4bfa7a6c68b0f35fbf217ff3e932f87fc1d37f09022805e79ceeecbaf3dbccbd96d7c93029ffe7370e4c

    Download Submit
  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
    Filesize

    5KB

    MD5

    9c18ae971cbffb096952177f6804ea31

    SHA1

    bb255dd1bd9bb39cdbb8671af66054432c686828

    SHA256

    2703c25453b09c40ee81fdc458b8cc24712e387a12d15ff94e12b02921fe98cb

    SHA512

    21086509bb4ea5afede55d034955de0bdf8b366d5d8d4bfa7a6c68b0f35fbf217ff3e932f87fc1d37f09022805e79ceeecbaf3dbccbd96d7c93029ffe7370e4c

    Download Submit
  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
    Filesize

    5KB

    MD5

    9c18ae971cbffb096952177f6804ea31

    SHA1

    bb255dd1bd9bb39cdbb8671af66054432c686828

    SHA256

    2703c25453b09c40ee81fdc458b8cc24712e387a12d15ff94e12b02921fe98cb

    SHA512

    21086509bb4ea5afede55d034955de0bdf8b366d5d8d4bfa7a6c68b0f35fbf217ff3e932f87fc1d37f09022805e79ceeecbaf3dbccbd96d7c93029ffe7370e4c

    Download Submit
  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
    Filesize

    5KB

    MD5

    9c18ae971cbffb096952177f6804ea31

    SHA1

    bb255dd1bd9bb39cdbb8671af66054432c686828

    SHA256

    2703c25453b09c40ee81fdc458b8cc24712e387a12d15ff94e12b02921fe98cb

    SHA512

    21086509bb4ea5afede55d034955de0bdf8b366d5d8d4bfa7a6c68b0f35fbf217ff3e932f87fc1d37f09022805e79ceeecbaf3dbccbd96d7c93029ffe7370e4c

    Download Submit
  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
    Filesize

    5KB

    MD5

    9c18ae971cbffb096952177f6804ea31

    SHA1

    bb255dd1bd9bb39cdbb8671af66054432c686828

    SHA256

    2703c25453b09c40ee81fdc458b8cc24712e387a12d15ff94e12b02921fe98cb

    SHA512

    21086509bb4ea5afede55d034955de0bdf8b366d5d8d4bfa7a6c68b0f35fbf217ff3e932f87fc1d37f09022805e79ceeecbaf3dbccbd96d7c93029ffe7370e4c

    Download Submit
  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
    Filesize

    5KB

    MD5

    9c18ae971cbffb096952177f6804ea31

    SHA1

    bb255dd1bd9bb39cdbb8671af66054432c686828

    SHA256

    2703c25453b09c40ee81fdc458b8cc24712e387a12d15ff94e12b02921fe98cb

    SHA512

    21086509bb4ea5afede55d034955de0bdf8b366d5d8d4bfa7a6c68b0f35fbf217ff3e932f87fc1d37f09022805e79ceeecbaf3dbccbd96d7c93029ffe7370e4c

    Download Submit
  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
    Filesize

    5KB

    MD5

    9c18ae971cbffb096952177f6804ea31

    SHA1

    bb255dd1bd9bb39cdbb8671af66054432c686828

    SHA256

    2703c25453b09c40ee81fdc458b8cc24712e387a12d15ff94e12b02921fe98cb

    SHA512

    21086509bb4ea5afede55d034955de0bdf8b366d5d8d4bfa7a6c68b0f35fbf217ff3e932f87fc1d37f09022805e79ceeecbaf3dbccbd96d7c93029ffe7370e4c

    Download Submit
  • \Users\Admin\AppData\Local\Temp\{1AAEF8E5-7DD3-4015-B02A-1AC6A9A232B3}.tmp\7z.dll
    Filesize

    1.1MB

    MD5

    9d6512e7b271aec1511801a89ddce27a

    SHA1

    63ff62abf4095adc478f95431623e927d9934d22

    SHA256

    3d1fd81def03c91a7beeed02c5dee630ab46481a87d6ccc4bdc9af5529b1315c

    SHA512

    aa16d73794bdba1aef47fcb76cd0f6f3c55ea210f321c3a4b92952211f0aa05d6e3373a74cdebbc530fb5f558b85ae5793f4b7ecaf609fbf40b8b99b19a641f7

    Download Submit
  • \Users\Admin\AppData\Local\Temp\{54A3E390-EDCE-408c-B16E-7B2426330649}.tmp\netcurl.dll
    Filesize

    280KB

    MD5

    eab9581c79c34a213984d0600def9762

    SHA1

    f201daf147cf736be5e840bac1a465244d693dd4

    SHA256

    99b8b0e5e5950fd079c63a1b9ce68da9cbd6056a2fad277c3bb8fa2749dc395a

    SHA512

    3093f6a80da14d4bf3b48db5c1323fa10db05f88774e25091a18b250dc858702761a9d55fb4703d4282ff5459b450d71e3e5d7d129d53087db3621b452e48f04

    Download Submit
  • \Users\Admin\AppData\Local\Temp\{9DA0B2C1-0E67-42c3-BF0D-67C2079C818F}.tmp\KB931125.exe
    Filesize

    349KB

    MD5

    4a4d72d34f9da1fc5019e0748fcde2f5

    SHA1

    f54752ec63369522f37e545325519ee434cdf439

    SHA256

    83b660f3f3eaddd4b388ed3f806f7444f03429fb63fc1f8db3d86294914a05ca

    SHA512

    95986ffbf51483a0d1a256028847c7ee6ac73ffd62f6d838309a69e1833f719a7cfed5422815f4d4a49dbd599c449f8db8f60273136720cb1da5f8b0eb24cb33

    Download Submit
  • \Users\Admin\AppData\Local\Temp\{9DA0B2C1-0E67-42c3-BF0D-67C2079C818F}.tmp\KB931125.exe
    Filesize

    349KB

    MD5

    4a4d72d34f9da1fc5019e0748fcde2f5

    SHA1

    f54752ec63369522f37e545325519ee434cdf439

    SHA256

    83b660f3f3eaddd4b388ed3f806f7444f03429fb63fc1f8db3d86294914a05ca

    SHA512

    95986ffbf51483a0d1a256028847c7ee6ac73ffd62f6d838309a69e1833f719a7cfed5422815f4d4a49dbd599c449f8db8f60273136720cb1da5f8b0eb24cb33

    Download Submit
  • memory/984-75-0x0000000000000000-mapping.dmp
    Download
  • memory/1272-59-0x0000000000000000-mapping.dmp
    Download
  • memory/1672-54-0x0000000000000000-mapping.dmp
    Download
  • memory/1672-55-0x00000000757A1000-0x00000000757A3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1772-89-0x0000000000000000-mapping.dmp
    Download
  • memory/1808-67-0x0000000000000000-mapping.dmp
    Download
  • memory/1940-82-0x0000000000000000-mapping.dmp
    Download