92b38091f9f7e830d083f33f0303640cf381c302d03ec3cc742fee1312216e31

Analysis

max time kernel
144s
max time network
151s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
16-02-2023 04:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92b38091f9f7e830d083f33f0303640cf381c302d03ec3cc742fee1312216e31.dll
Size

4.9MB
MD5

2ecf1b072a18a1422cf930b11e2c3247
SHA1

d9ca379437a0fa5906c5742c18a896c5c4ea5709
SHA256

92b38091f9f7e830d083f33f0303640cf381c302d03ec3cc742fee1312216e31
SHA512

f451b0f1cda54262ab75839a0acca849715dbf686a19087192ebd1e78ca1b88377e96553efeeb650c2ecb35f923331af348f713cb461113b7fd03f64ef05cb2a
SSDEEP

98304:fBHB2pne7a1mN1E8lkcf5YjovKqGYiOE8oLj5jIrHL3GqHqh:fv1GGE5gyjovK65E8oqjLPu

Score

8^/10

bootkit persistence

Malware Config

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
3	2016	rundll32.exe
6	2016	rundll32.exe
8	2016	rundll32.exe
9	2016	rundll32.exe
10	2016	rundll32.exe

Loads dropped DLL 3 IoCs

pid	Process
2016	rundll32.exe
2016	rundll32.exe
2016	rundll32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 2016	1112	rundll32.exe	28
PID 1112 wrote to memory of 2016	1112	rundll32.exe	28
PID 1112 wrote to memory of 2016	1112	rundll32.exe	28
PID 1112 wrote to memory of 2016	1112	rundll32.exe	28
PID 1112 wrote to memory of 2016	1112	rundll32.exe	28
PID 1112 wrote to memory of 2016	1112	rundll32.exe	28
PID 1112 wrote to memory of 2016	1112	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\92b38091f9f7e830d083f33f0303640cf381c302d03ec3cc742fee1312216e31.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\92b38091f9f7e830d083f33f0303640cf381c302d03ec3cc742fee1312216e31.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  PID:2016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\{20B27B1D-AFAE-45cc-8E5F-E4926CB9B69B}.tmp\7z.dll

Filesize
1.1MB

MD5
a46135bdd574092d85955070e72d5aad

SHA1
aad137b0a883fea22b7118778512ffc7865513bc

SHA256
aa57160684feb240a85da677caaf7cf6a08b7349d89ae9cb4a3476884d80aac5

SHA512
72188f348d9ae33e2b5a7886c80667cc3015bfac170249537baa9e31abf8d63ca198903206feb64887f1d509a1b9bfc9f54ede8b3aa26bee3f5c4375e5c6a24b

Download Submit
\Users\Admin\AppData\Local\Temp\{C6E69AE4-8194-4051-A332-BD2AE97D393F}.tmp\360NetUL.dll

Filesize
234KB

MD5
cd03029957ebc78c0ca7a6c02a9ca846

SHA1
0044114b8073781479044f0294701be9611be2ac

SHA256
139fdd92e6ddf1aac0761a68502b374daa32e82039621018511dc491ed9b4048

SHA512
14c641cb9536def0ddc1969d50b97b83a23017c97373e3ad74d3fbf9825ac81f3fdf8169281c8ad4cebd45d9c9ae05f752d553ba4653e620889b274479cb7c32

Download Submit
\Users\Admin\AppData\Local\Temp\{C6E69AE4-8194-4051-A332-BD2AE97D393F}.tmp\Utils\LDSBasic.dll

Filesize
2.1MB

MD5
6747848a45de0eaa7e3dbc339a4d11ff

SHA1
698b763d9b6530cbef35f2c4f6240ab51f98879b

SHA256
8b060c0575bcf7b466166d8397c65c5be150c21cce32a680c448c3605f524eb1

SHA512
3fb05eb464a5b3a6e1d6b0c40d96fc55c6fcd9c6e4eeafe9a3911530b55491a1bb0d4821fbbe2b25c9fe0baef8f208ad307b530ff73f86351fb1e3e6c2c3acbe

Download Submit
memory/2016-55-0x00000000760D1000-0x00000000760D3000-memory.dmp

Filesize
8KB

Download