Analysis
max time kernel: 4s
max time network: 35s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 05-12-2022 21:51
Static task: static1
Behavioral task: behavioral1
  Sample: 15871c610c9beb6400cbd4f544362202a8d8dd826ec95347f63e34ad002c1281.dll
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 15871c610c9beb6400cbd4f544362202a8d8dd826ec95347f63e34ad002c1281.dll
  Resource: win10v2004-20220812-en
General
Target: 15871c610c9beb6400cbd4f544362202a8d8dd826ec95347f63e34ad002c1281.dll
Size: 1.2MB
MD5: 1190a82a7c5cc1938ccb061332e33da0
SHA1: 05803d07b4e12fa0ee78edd7f0e6edd1aa9281c3
SHA256: 15871c610c9beb6400cbd4f544362202a8d8dd826ec95347f63e34ad002c1281
SHA512: 55a87a3027623b3264397d8e620251012d18a8a8ed7370fb3a3a989db4609e835b732b9ae65597a025d02293bd643754e224e5cbd56db487c44b5639e1f7dd90
SSDEEP: 24576:53Hgz8MmGQcoAnhFGs7G3iSL8jzR9XG3r:RHjcrFGNySG9Xm
Malware Config
Signatures
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
  description                     ioc                  process
  File opened for modification    \??\PhysicalDrive0   rundll32.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  556   rundll32.exe
  556   rundll32.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description                  pid   process
  Token: SeDebugPrivilege      556   rundll32.exe
  Token: SeShutdownPrivilege   556   rundll32.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid   process
  556   rundll32.exe
Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
  description                        pid    process        target process
  PID 1188 wrote to memory of 556    1188   rundll32.exe   rundll32.exe
  (the same entry is recorded 7 times, matching the 7 IoCs)
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\15871c610c9beb6400cbd4f544362202a8d8dd826ec95347f63e34ad002c1281.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (child process)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\15871c610c9beb6400cbd4f544362202a8d8dd826ec95347f63e34ad002c1281.dll,#1
    - Writes to the Master Boot Record (MBR)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx