bb6661c2b8e9c437feaf538dd5140abd4387debc5b2feeef445ef8a50538bfb1

Analysis

max time kernel
36s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 05:48

Target

bb6661c2b8e9c437feaf538dd5140abd4387debc5b2feeef445ef8a50538bfb1.dll
Size

92KB
MD5

4b5926bf73cbf4cf1f778dea288679d1
SHA1

a538ec4e75e722d7fdfd2c406bc884d3b6850ecb
SHA256

bb6661c2b8e9c437feaf538dd5140abd4387debc5b2feeef445ef8a50538bfb1
SHA512

198d491986af00642fd178f7df8f14c679d131c04efca03d495c49e11bd44065c3848cc10876a9b9bdccc2ea7b7a002f536249353f20b82c66b37e3274cf6485
SSDEEP

1536:7e7sTu5lV63OyslEw35+gKDBT9DOcNIHTRToBw+b5LuAj:7rTu5KOlEs+gKDBT9DO1HJoBwAl

Score

6^/10

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

Bootkit

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1264	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 1264	1256	rundll32.exe	27
PID 1256 wrote to memory of 1264	1256	rundll32.exe	27
PID 1256 wrote to memory of 1264	1256	rundll32.exe	27
PID 1256 wrote to memory of 1264	1256	rundll32.exe	27
PID 1256 wrote to memory of 1264	1256	rundll32.exe	27
PID 1256 wrote to memory of 1264	1256	rundll32.exe	27
PID 1256 wrote to memory of 1264	1256	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bb6661c2b8e9c437feaf538dd5140abd4387debc5b2feeef445ef8a50538bfb1.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\bb6661c2b8e9c437feaf538dd5140abd4387debc5b2feeef445ef8a50538bfb1.dll,#1
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  PID:1264

Initial Access

Execution

Persistence

Bootkit

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1264-55-0x0000000075C61000-0x0000000075C63000-memory.dmp

Filesize
8KB

Download
memory/1264-56-0x0000000000160000-0x000000000016A000-memory.dmp

Filesize
40KB

Download
memory/1264-58-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download
memory/1264-60-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download
memory/1264-61-0x0000000000160000-0x000000000016A000-memory.dmp

Filesize
40KB

Download