Analysis
max time kernel: 34s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 05-12-2022 02:59
Static task: static1
Behavioral task: behavioral1
  Sample: 6ded32aa3d1f387da983270faf43302c34062d2e7acb7dd640bc00a4a075bee9.dll
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 6ded32aa3d1f387da983270faf43302c34062d2e7acb7dd640bc00a4a075bee9.dll
  Resource: win10v2004-20220812-en
General
Target: 6ded32aa3d1f387da983270faf43302c34062d2e7acb7dd640bc00a4a075bee9.dll
Size: 4.9MB
MD5: 96477867eff583e877c03a1c8e7a1204
SHA1: 186a1ad525f043936d2733bbe069392be3057a23
SHA256: 6ded32aa3d1f387da983270faf43302c34062d2e7acb7dd640bc00a4a075bee9
SHA512: 2c4466965d80ef8f87ff85c563c0d0760553038ce65354b3eb2f9b804afd92335e1b231bf91d13986cc73617dd9d52080f855dc7b9430ea5c0d7c32a2d64e5ea
SSDEEP: 98304:M5Bw2Bzx0k9/BZXxkIWPG1f5e7aU2Sz9NwrZZ:ABl0sBZBkIvhe7aUnNK
Malware Config
Signatures

Writes to the Master Boot Record (MBR)  [1 TTPs, 1 IoCs]
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
  description                    ioc                  process
  File opened for modification   \??\PhysicalDrive0   rundll32.exe

Program crash  [1 IoCs]
Processes:
  pid   pid_target   process        target process
  996   1964         WerFault.exe   rundll32.exe

Suspicious use of WriteProcessMemory  [11 IoCs]
Processes:
  description                         pid    process        target process
  PID 1956 wrote to memory of 1964    1956   rundll32.exe   rundll32.exe
  PID 1956 wrote to memory of 1964    1956   rundll32.exe   rundll32.exe
  PID 1956 wrote to memory of 1964    1956   rundll32.exe   rundll32.exe
  PID 1956 wrote to memory of 1964    1956   rundll32.exe   rundll32.exe
  PID 1956 wrote to memory of 1964    1956   rundll32.exe   rundll32.exe
  PID 1956 wrote to memory of 1964    1956   rundll32.exe   rundll32.exe
  PID 1956 wrote to memory of 1964    1956   rundll32.exe   rundll32.exe
  PID 1964 wrote to memory of 996     1964   rundll32.exe   WerFault.exe
  PID 1964 wrote to memory of 996     1964   rundll32.exe   WerFault.exe
  PID 1964 wrote to memory of 996     1964   rundll32.exe   WerFault.exe
  PID 1964 wrote to memory of 996     1964   rundll32.exe   WerFault.exe
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ded32aa3d1f387da983270faf43302c34062d2e7acb7dd640bc00a4a075bee9.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ded32aa3d1f387da983270faf43302c34062d2e7acb7dd640bc00a4a075bee9.dll,#1
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 464
      - Program crash