4ca44db051393abde5d5990cf892423b143fcd7e033fb0cfac6d5d976eaefd8a

Analysis

max time kernel
130s
max time network
140s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 02:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0c07b1a58f72350406eccfa717cc6664.dll
Size

8KB
MD5

0c07b1a58f72350406eccfa717cc6664
SHA1

82c3f5779903352ec7079cb9b2ca24816504e9b3
SHA256

4ca44db051393abde5d5990cf892423b143fcd7e033fb0cfac6d5d976eaefd8a
SHA512

4b5de6a6b1a9884a683a5cb2df0db629e77d318456cb060c07084963192e38f40ddde7f01db2a4adb364ddadcbcacb3a3069a405580e38150eabe571ac7b2c22
SSDEEP

192:zbtE4N4fdWqSCZkeWdx9jFFK22ICqGlTFl+Ih:tEm8LkesjvK28Rp3+I

Score

8^/10

bootkit persistence

Malware Config

Signatures

Blocklisted process makes network request 6 IoCs

flow	pid	Process
2	2340	rundll32.exe
3	2340	rundll32.exe
4	2340	rundll32.exe
5	2340	rundll32.exe
6	2340	rundll32.exe
7	2340	rundll32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 2340	1832	rundll32.exe	28
PID 1832 wrote to memory of 2340	1832	rundll32.exe	28
PID 1832 wrote to memory of 2340	1832	rundll32.exe	28
PID 1832 wrote to memory of 2340	1832	rundll32.exe	28
PID 1832 wrote to memory of 2340	1832	rundll32.exe	28
PID 1832 wrote to memory of 2340	1832	rundll32.exe	28
PID 1832 wrote to memory of 2340	1832	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0c07b1a58f72350406eccfa717cc6664.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0c07b1a58f72350406eccfa717cc6664.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Writes to the Master Boot Record (MBR)
  PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads