f00ff9bc7ea5919b6dbe3d9f67781fa7cbeb4592111e3c95b604fd88232e1c0f

Analysis

max time kernel
0s
max time network
132s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 15:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

785fcd0990670a20576d67ad691ebc0b.dll
Size

231KB
MD5

785fcd0990670a20576d67ad691ebc0b
SHA1

7531a7c710b0d99f760b2af7327e5b329c27fe74
SHA256

f00ff9bc7ea5919b6dbe3d9f67781fa7cbeb4592111e3c95b604fd88232e1c0f
SHA512

d22f6ab8c5342e2356b7c8cc4ccf50aec5124810724e4d3785a60d84cb1acdbebc3f2e43f797dc725515e3ff172d4a3f5ae0319ca4e3bdbcdf1d6ec52bb2bf9e
SSDEEP

6144:+r4vKsAtsBf+OUnVDnqr8se7Q26QMNE/S:+0v6iyVDnqw3kyMNOS

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
3016	1660	WerFault.exe

Modifies registry class 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	rundll32.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 1660	1908	rundll32.exe	21
PID 1908 wrote to memory of 1660	1908	rundll32.exe	21
PID 1908 wrote to memory of 1660	1908	rundll32.exe	21
PID 1908 wrote to memory of 1660	1908	rundll32.exe	21
PID 1908 wrote to memory of 1660	1908	rundll32.exe	21
PID 1908 wrote to memory of 1660	1908	rundll32.exe	21
PID 1908 wrote to memory of 1660	1908	rundll32.exe	21
PID 1660 wrote to memory of 2516	1660	rundll32.exe	20
PID 1660 wrote to memory of 2516	1660	rundll32.exe	20
PID 1660 wrote to memory of 2516	1660	rundll32.exe	20
PID 1660 wrote to memory of 2516	1660	rundll32.exe	20
PID 1660 wrote to memory of 2616	1660	rundll32.exe	19
PID 1660 wrote to memory of 2616	1660	rundll32.exe	19
PID 1660 wrote to memory of 2616	1660	rundll32.exe	19
PID 1660 wrote to memory of 2616	1660	rundll32.exe	19
PID 1660 wrote to memory of 3016	1660	rundll32.exe	18
PID 1660 wrote to memory of 3016	1660	rundll32.exe	18
PID 1660 wrote to memory of 3016	1660	rundll32.exe	18
PID 1660 wrote to memory of 3016	1660	rundll32.exe	18

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\785fcd0990670a20576d67ad691ebc0b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\785fcd0990670a20576d67ad691ebc0b.dll,#1
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1660

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2516 CREDAT:275457 /prefetch:2
1⤵
PID:2628

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2616 CREDAT:275457 /prefetch:2
1⤵
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 448
1⤵
- Program crash
PID:3016

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://wr-hooks.net//index.php?/user/5-takado%e2%84%a2/
1⤵
PID:2616

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.hanf-spiel.de/325750
1⤵
PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
12KB

MD5
3a77010dd60b1aadb43c280a02bf6924

SHA1
ad09dc208cf3bc30d99514b3b04d22e3d9b75a6c

SHA256
c68b9b0a0182ff2af267e1860f48442be31722974dd0887bc03c886e8b9c7052

SHA512
268904ae85ce044e31d0373e2f5854c85de54a31edc263a0351648faabbe6a38ad5ff41633d633917f0a6a2e01cb4b5a489a045875a03049881649a17edf3cf4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
e994e743fb33167888b31309b7adc138

SHA1
33657ba68610d8f17218825a9c3553efce586d70

SHA256
5d0d2b3eb11949e28004bc4c9cadafb52d4c4b1006379592ac438e86cfae91a3

SHA512
1c2ee5affc21a4d1a4e81365ffae7e9dccccee6366657bcc4647fba76acc37ecf027c28685251d6b3944c5b5f74d517028195995bd68f6e9ae403b0aec6b20bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4c70ee7cf3eecf9504d716dd9f93f683

SHA1
1f61fd27a8e53917570960d1a4f4154b81529316

SHA256
b15407f5fe36d3fbefa2f8b47fb3dcfaa0587f1a81a26b24d3d53d5c64dbc8e1

SHA512
1ad91d050a171ed091995530d00ab88a4209a02a7870b4f53c6289d2dadeea11f59e18960bdb7b17196bc826db0f7d652a8e8f6e78628b1dd15d9ac2f366530c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3746cc7a536e85ebb8d28a23de5004f4

SHA1
8bfbcec985ee4d722ad7a4054acb06df46b6f7d4

SHA256
c866a77073eb219c3e8789d3c056536f7f684713772611b2997aad1a0660e7b0

SHA512
9a47d487184a8694a84ae660dd973da9da68d9dfe30e2152a775cea78744a36713531b61d17e65298cf3fb087eb53793d4b053dd47d09464fdd27eac7d23562a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6bb7dd246174a5201da5f848a882c25d

SHA1
d101e4ada6efac7c209caf8d465e448ded2cb30d

SHA256
222d7cf6a2b2e32ed7a8df87de651cb80bc58a4b58f2e6978635b0a2e446a94f

SHA512
76ac74a02c30f31fea7dda43d7d07ffd77c7dd533aeed8e3225968289d24649c495085edc61a27d9df86f2c53df5baaf81ea4164b054fd089e51c9956de0473c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3812cc27db0cc5ba893338ec83e0217e

SHA1
6ffc8d292bcae05e92c3e445bdb7fdcac1d2c4a3

SHA256
77c433dd47ecf12a28f8a78434b2b66b5f5686489e9e5f92d23c5c9930ec6cd5

SHA512
0dbcb5d2af0f7bc3ac1c23e7be1f7443091741da9d33d0add673cd05634a1c2b548ccf4c8452941295c0bfd0ddb21d11df01729f661679b73054a6952a56abbd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8f2ecf34b12cd9c5f4dcb5c056b9cf3a

SHA1
a7ca054c9b7c9e1b38a01cd30deb180d8772ad0a

SHA256
14e396fc4471379bc77f8137399d3ce984e2e8e4bbf463766a8830be439c61ba

SHA512
4990a635a59303d6c178905f868859d98eb5c08e2b4717a2a041e8547d2d8628597c4bfb5c91aeeae2e9e0a26c47eca46398ce39711f7598c0cfbebe1c8fba64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
576553026d82053b995d807596490ad8

SHA1
a7b378a6e0b47db0e588efb01cd0910eac2ddb98

SHA256
37036c0ec29dddbba7754a2566a11a646b2da39d80fcb24551fd1536492e5b6b

SHA512
db9fe45d3b55ce75c46e1926446f5b384d7681dc66894d0c1d8739912996e30f4bd8e212fb7bba7219c9187640b5f8265efbac59f918785f1b8ccb18ecfd6b6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f8c6f66e928567d1f046a0a785901a74

SHA1
121fff93f792f33cfcd208e3f530b58a7ce6c52e

SHA256
e7813d01e5231ae3bb5fb4e35480768ae18c5b0b1741ac06007f55752149156b

SHA512
ced76ebe39b485011c629363e27838d77c2cb83398e21ed66838b24292176fc153ab1d7880a477f28174797868f68057c961f9963d350b3161e377035016cbe1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ffe404b2a25728511cac92c5b74150e4

SHA1
46860c6e50b6fbb9ff30d357cd655c4e23feabbb

SHA256
5151ca12f726c1faaf47005aba221455e392709ff79e7ae81595652046efe432

SHA512
ff8e2efcea10834d147705ee5df4afc7d2e91dd9bd2024e5048ea93f57a37e3efe774f1f407039cf971e090c84e93e3df9244e86a01213bfd10d0c369587db2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
52ab5d5e4073647cc2c439cd3a94cf47

SHA1
abd3d8edd27ecf2d2201b80b736ee5aaf26d03ea

SHA256
83b02e4f62a770e78b4cfe85d92b8783fccab5cd365295301ab3b7199c035c46

SHA512
14dabc451a2c8324351791dfbc0019957ba1df8dd88915fc22f6d48d14ad30a9ed1c37beb615ae42504569a00efd9119618f5573531d292fa0dfc037faedaee3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
e3eb27392226c867cef985808a82053e

SHA1
02400dc731aa9a162e9aac6863143366bd34210e

SHA256
71544df7ab41ca356fa1149c969ff78cd896bf3551594c3adb113573da82c793

SHA512
859d7c0fea072f67c84e48572ea16a8a951ddccc71caff97a7f6a7fab994092def8fa0154dff4ea65635c20210dd6c880b3abd147e816595023fe3bc3fc46eef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E6856B11-A401-11EE-B69B-6AA5205CD920}.dat

Filesize
5KB

MD5
c7e6b2e6d204fcb5ba08376d8f3dd1ca

SHA1
c7e7155ed63fd7c6af1dd4c59472488cca00d068

SHA256
f12740230d893418b08702f12b2e2b24f9591d6ad5e64e932142b7669165b044

SHA512
cb134f9cd4ba35bb61767079213f7e265c840f4efa56a6b7fcca88147f4ec58154156f2452e898dba8c436877c076c3abec00224c38ac2db2dfff44cdb7483e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E6859221-A401-11EE-B69B-6AA5205CD920}.dat

Filesize
3KB

MD5
dd4b1dd2ac61bb575ffdba7654eb22ea

SHA1
23bdbe8bdc6da732ede055fcf332ec79848d1a97

SHA256
8880d9f67dda6fd4101153b13e3ccbdd7a9044a0d42b9e91b4fd8930a165a547

SHA512
1479b062214e2707ea7c3e916e1be96fb167792db2e317a067603f716965ac849f1b9108cc3688dbff75fc71d3104e37aebc37a04dd9a76ce5e2823aef091e0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2967.tmp

Filesize
24KB

MD5
a612dc6e78afa87dfe4f9d31683c0b62

SHA1
e984dbf713225cebeff8f1f6f032af055422f7cd

SHA256
3eeb9f68f272504a7562b65b3bdecfe8131d3827457732319f86a074fa68e97d

SHA512
414e18cf35a4eaed77def885029079070a4d0ddd34bc7a207a0cd4281c7200023bf6748446589ebdf9b35f09f17755837a955b4eea08d3de2b28d6f68d980057

Download Submit
memory/1660-2-0x00000000744A0000-0x0000000074541000-memory.dmp

Filesize
644KB

Download
memory/1660-1-0x00000000743F0000-0x0000000074491000-memory.dmp

Filesize
644KB

Download
memory/1660-597-0x0000000074490000-0x0000000074531000-memory.dmp

Filesize
644KB

Download
memory/1660-609-0x00000000743F0000-0x0000000074491000-memory.dmp

Filesize
644KB

Download
memory/1660-608-0x00000000744A0000-0x0000000074541000-memory.dmp

Filesize
644KB

Download
memory/1660-0-0x00000000744A0000-0x0000000074541000-memory.dmp

Filesize
644KB

Download
memory/1660-4-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/1660-5-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/1660-6-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/1660-3-0x0000000074490000-0x0000000074531000-memory.dmp

Filesize
644KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads