9aab2724546a45fbba897315157e7af8bc71dfebd6688ff67d256f3e2a601baf

Analysis

max time kernel
40s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01-01-2023 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mogeko ver1.13/System/RGSS301.dll
Size

1.0MB
MD5

dd25855ac39d32da033902fc58fa210b
SHA1

0ffa23a4d0b81438a329258f5c8d3b3403f4aa94
SHA256

27647690ed16218cd988dd71069fdca67207515b2a2df775be361f0198ab6876
SHA512

07f7f7cb4eda2165b4b28456fb01d4edea6e3d5f305dde19256865777905a0d0bb1d13ce1194a8639d740f633ccf1507a1b87530644d5e2d512a86829195ae60
SSDEEP

24576:+pc8WbPqpzFwdPhet279ae3P7zqP2JzCNkX67Flr1nH0F3ia:+pc8W7qEdPhet2hae3HfJR2Uf

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 1952	1908	rundll32.exe	28
PID 1908 wrote to memory of 1952	1908	rundll32.exe	28
PID 1908 wrote to memory of 1952	1908	rundll32.exe	28
PID 1908 wrote to memory of 1952	1908	rundll32.exe	28
PID 1908 wrote to memory of 1952	1908	rundll32.exe	28
PID 1908 wrote to memory of 1952	1908	rundll32.exe	28
PID 1908 wrote to memory of 1952	1908	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Mogeko ver1.13\System\RGSS301.dll",#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Mogeko ver1.13\System\RGSS301.dll",#1
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Modifies registry class
  PID:1952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1952-54-0x0000000000000000-mapping.dmp

Download
memory/1952-55-0x00000000762F1000-0x00000000762F3000-memory.dmp

Filesize
8KB

Download