fd8f87b0b7d9a02fc7afe9a0a3dff67a8f0306e241046bdda8ecca1294e400eb

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
02/09/2023, 08:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd8f87b0b7d9a02fc7afe9a0a3dff67a8f0306e241046bdda8ecca1294e400eb.dll
Size

4.5MB
MD5

5d537254370fb7f3256524e6e74743d0
SHA1

e931de448f728bc9910dbb85e91e74e05e7ead0e
SHA256

fd8f87b0b7d9a02fc7afe9a0a3dff67a8f0306e241046bdda8ecca1294e400eb
SHA512

c0389f2af34f8f2b95d0c6bfd91e1a53c7e90186c19b15d67571a7cabe76b5a3ddc8cad02ca2354a0d29742fc643b9c90243605ae359ad013dfd486da5beaf15
SSDEEP

98304:JAZdwZomsjDGwYYtQddncl5oVb/lbGWRB2A:OQmMYedFcl5oVb/R7B2A

Score

7^/10

bootkit persistence

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
1860	rundll32.exe
1860	rundll32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 1860	2996	rundll32.exe	28
PID 2996 wrote to memory of 1860	2996	rundll32.exe	28
PID 2996 wrote to memory of 1860	2996	rundll32.exe	28
PID 2996 wrote to memory of 1860	2996	rundll32.exe	28
PID 2996 wrote to memory of 1860	2996	rundll32.exe	28
PID 2996 wrote to memory of 1860	2996	rundll32.exe	28
PID 2996 wrote to memory of 1860	2996	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fd8f87b0b7d9a02fc7afe9a0a3dff67a8f0306e241046bdda8ecca1294e400eb.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\fd8f87b0b7d9a02fc7afe9a0a3dff67a8f0306e241046bdda8ecca1294e400eb.dll,#1
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{FBAB31BB-9771-40c9-B2C5-0B93E98BEAAF}.tmp\curl.dll

Filesize
1.9MB

MD5
7dadf54b11a68b3efd5d19338b960036

SHA1
986bd5df5f365c34728095fa655261b055396622

SHA256
a30676bcfebde05da262ac222e1a4250ca7e8d9ee5958f3d23af0e854f63dd45

SHA512
76ae75f6329973c6772e43d16fcc0d4c2739f7f40f62429a98ec0dd91a2bc472e28cb98dc3af74995a81b7f2c493253d7529f67a2ad003a6777ad89998670e20

Download Submit
\Users\Admin\AppData\Local\Temp\{348525AD-754E-49a4-97E0-3792C92B5AD1}.tmp\7z.dll

Filesize
1.1MB

MD5
6abb7f08afe440d408cfb44d7f3ddc54

SHA1
9b37119ad5f575b732f4b1816f9f15ac54f8eb8a

SHA256
0e0021d348ba56d3e24d30382a453f95cc609750ea3552cfda37acb53befcdc3

SHA512
f3d70e5e5f0fbddcdd19f8c058db6f4cefaaa58473e575fb1f9b563334d6505fae79a03c10b6eb1628c8a63766c13c1255939ac40c7d88567aacc28ca6d3c2e2

Download Submit
\Users\Admin\AppData\Local\Temp\{FBAB31BB-9771-40c9-B2C5-0B93E98BEAAF}.tmp\curl.dll

Filesize
1.9MB

MD5
7dadf54b11a68b3efd5d19338b960036

SHA1
986bd5df5f365c34728095fa655261b055396622

SHA256
a30676bcfebde05da262ac222e1a4250ca7e8d9ee5958f3d23af0e854f63dd45

SHA512
76ae75f6329973c6772e43d16fcc0d4c2739f7f40f62429a98ec0dd91a2bc472e28cb98dc3af74995a81b7f2c493253d7529f67a2ad003a6777ad89998670e20

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads