e1aac48ed5b516abd110c102b928640bd409c18ee27ee2759f00775097435353

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 22:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

06407291ede076818f1234ddc94836f5.dll
Size

395KB
MD5

06407291ede076818f1234ddc94836f5
SHA1

8911570fe822819cf41d627e01a0af357a2ed4c1
SHA256

e1aac48ed5b516abd110c102b928640bd409c18ee27ee2759f00775097435353
SHA512

7f20b51fec9a7c214b68aba1df0666104b49d777ec5410b67995b9b2cfc937e07cb0e7c6a3cb923631e4d1dc97779b684fd355c17852dc11f40fe9c4a020c3e3
SSDEEP

12288:bgOHTl3IxS9d9N4c2tJYFYUBMUHhCmyva:bgOHTx7dTOJHUgmyC

Score

8^/10

bootkit persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\{7937403C31CF2BA4BA0DC8E74D6FEF9A}\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\206D.tmp"	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
2480	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	regsvr32.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 2436	2928	rundll32.exe	16
PID 2928 wrote to memory of 2436	2928	rundll32.exe	16
PID 2928 wrote to memory of 2436	2928	rundll32.exe	16
PID 2928 wrote to memory of 2436	2928	rundll32.exe	16
PID 2928 wrote to memory of 2436	2928	rundll32.exe	16
PID 2928 wrote to memory of 2436	2928	rundll32.exe	16
PID 2928 wrote to memory of 2436	2928	rundll32.exe	16
PID 2436 wrote to memory of 2480	2436	rundll32.exe	29
PID 2436 wrote to memory of 2480	2436	rundll32.exe	29
PID 2436 wrote to memory of 2480	2436	rundll32.exe	29
PID 2436 wrote to memory of 2480	2436	rundll32.exe	29
PID 2436 wrote to memory of 2480	2436	rundll32.exe	29
PID 2436 wrote to memory of 2480	2436	rundll32.exe	29
PID 2436 wrote to memory of 2480	2436	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\06407291ede076818f1234ddc94836f5.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\06407291ede076818f1234ddc94836f5.dll,#1
  2⤵
  - Sets service image path in registry
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1890.tmp
    3⤵
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1890.tmp

Filesize
93KB

MD5
c3bb1087e36b7f173a802bfdd340caf2

SHA1
794acfd08b4bf1ce76eb8d17e90dbf3422906f5b

SHA256
a9379fa5cac8058f033aa1e9c95c27940c89e33202f8b36b48ee4ab00122914f

SHA512
0784df214d461075afed782b67a70d44d828c0a9c730dc3e104f9cf7103d65f09b5baae43a91f0868fa099eab66d02458196acbb2a0225f6a89b6c951ac02366

Download Submit
\Users\Admin\AppData\Local\Temp\1890.tmp

Filesize
92KB

MD5
057f61333a93cf0b9cc311bb6a17da63

SHA1
e762166305861aaca86682b2720668d832c74a19

SHA256
84cb90d9d48aacbf645a6b35d8ab1cc5291bd7feed870bb3e480381569a068c6

SHA512
f0e6870e8f4adcabd1eff9408f16377cf1ec8d69181fd0da77c07968cb8fb4a6a4e5058dcf3678240a4e955c12f8d477c2450a07c71996c89b1c2554cf91c0c2

Download Submit
memory/2436-0-0x0000000000180000-0x00000000001FD000-memory.dmp

Filesize
500KB

Download
memory/2436-4-0x00000000002E0000-0x0000000000345000-memory.dmp

Filesize
404KB

Download
memory/2436-1-0x00000000002E0000-0x0000000000345000-memory.dmp

Filesize
404KB

Download
memory/2480-10-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads