3b0ccf0d649ed4280896d099ab96ae475694f8b9bf2820c9958d92d3f0364aef

Analysis

max time kernel
144s
max time network
180s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
12/02/2023, 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b0ccf0d649ed4280896d099ab96ae475694f8b9bf2820c9958d92d3f0364aef.dll
Size

4.1MB
MD5

ae6e8862385c61675be88105a2f46740
SHA1

cd05a2bd877f390a89a6ba1efd62ae02d9b4b6f9
SHA256

3b0ccf0d649ed4280896d099ab96ae475694f8b9bf2820c9958d92d3f0364aef
SHA512

a3d95ed2737c9811e3651ec073f73644b73c5083d3f93d3eabf1373de8c40fc1f4d21f3a54740fab0310b9bc2029e98a7860a350b6c56703ed7d4422a326ca5e
SSDEEP

98304:fBHB2pne7a1mN1E8lkcf5YjovKqGYiOE8oLj5jIrL:fv1GGE5gyjovK65E8oq/

Score

8^/10

bootkit persistence

Malware Config

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
4	1484	rundll32.exe
8	1484	rundll32.exe
10	1484	rundll32.exe
11	1484	rundll32.exe
12	1484	rundll32.exe

Loads dropped DLL 3 IoCs

pid	Process
1484	rundll32.exe
1484	rundll32.exe
1484	rundll32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 1484	1104	rundll32.exe	28
PID 1104 wrote to memory of 1484	1104	rundll32.exe	28
PID 1104 wrote to memory of 1484	1104	rundll32.exe	28
PID 1104 wrote to memory of 1484	1104	rundll32.exe	28
PID 1104 wrote to memory of 1484	1104	rundll32.exe	28
PID 1104 wrote to memory of 1484	1104	rundll32.exe	28
PID 1104 wrote to memory of 1484	1104	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b0ccf0d649ed4280896d099ab96ae475694f8b9bf2820c9958d92d3f0364aef.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b0ccf0d649ed4280896d099ab96ae475694f8b9bf2820c9958d92d3f0364aef.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  PID:1484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\{B58B7834-8248-4db6-8713-B687E0F0F593}.tmp\360NetUL.dll

Filesize
234KB

MD5
cd03029957ebc78c0ca7a6c02a9ca846

SHA1
0044114b8073781479044f0294701be9611be2ac

SHA256
139fdd92e6ddf1aac0761a68502b374daa32e82039621018511dc491ed9b4048

SHA512
14c641cb9536def0ddc1969d50b97b83a23017c97373e3ad74d3fbf9825ac81f3fdf8169281c8ad4cebd45d9c9ae05f752d553ba4653e620889b274479cb7c32

Download Submit
\Users\Admin\AppData\Local\Temp\{B58B7834-8248-4db6-8713-B687E0F0F593}.tmp\Utils\LDSBasic.dll

Filesize
2.1MB

MD5
6747848a45de0eaa7e3dbc339a4d11ff

SHA1
698b763d9b6530cbef35f2c4f6240ab51f98879b

SHA256
8b060c0575bcf7b466166d8397c65c5be150c21cce32a680c448c3605f524eb1

SHA512
3fb05eb464a5b3a6e1d6b0c40d96fc55c6fcd9c6e4eeafe9a3911530b55491a1bb0d4821fbbe2b25c9fe0baef8f208ad307b530ff73f86351fb1e3e6c2c3acbe

Download Submit
\Users\Admin\AppData\Local\Temp\{BFC6169D-1A29-4f48-B0E7-3424C5A8F93B}.tmp\7z.dll

Filesize
1.1MB

MD5
a46135bdd574092d85955070e72d5aad

SHA1
aad137b0a883fea22b7118778512ffc7865513bc

SHA256
aa57160684feb240a85da677caaf7cf6a08b7349d89ae9cb4a3476884d80aac5

SHA512
72188f348d9ae33e2b5a7886c80667cc3015bfac170249537baa9e31abf8d63ca198903206feb64887f1d509a1b9bfc9f54ede8b3aa26bee3f5c4375e5c6a24b

Download Submit
memory/1484-55-0x0000000076AE1000-0x0000000076AE3000-memory.dmp

Filesize
8KB

Download