23ce66bcf4f1cff309b32e85548e1105a3fffaba30652083b9c566da034f31ff

Analysis

max time kernel
47s
max time network
44s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1be665f7dec9b43c6227d165325df8c1.dll
Size

157KB
MD5

1be665f7dec9b43c6227d165325df8c1
SHA1

190e679ecd751fabddbbdc1c8caa2be7f9db057a
SHA256

23ce66bcf4f1cff309b32e85548e1105a3fffaba30652083b9c566da034f31ff
SHA512

798cd48b122ce1b5a1a51b550a28aff2e9b43e62e5ff6ac0c5aa6659e5b4cf9b225019d4b5d9e8d3f879625248fca2f4785a2bd0b1a774bb363266890beb1247
SSDEEP

3072:UaaZmaE0AY9rsoaBdNNHbbrMbvT0q8O1cZPzQ7IXMBc+AMP+QfQEhxFyVU7cavvM:Kc0AKc71wvP6bQ7yMP+DE827leK7hu

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	regsvr32.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13539089-270A-449C-8C6F-DEEBDA8C2A2E}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13539089-270A-449C-8C6F-DEEBDA8C2A2E}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13539089-270A-449C-8C6F-DEEBDA8C2A2E}\1.0\ = "loader_c 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13539089-270A-449C-8C6F-DEEBDA8C2A2E}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13539089-270A-449C-8C6F-DEEBDA8C2A2E}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13539089-270A-449C-8C6F-DEEBDA8C2A2E}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13539089-270A-449C-8C6F-DEEBDA8C2A2E}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1be665f7dec9b43c6227d165325df8c1.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13539089-270A-449C-8C6F-DEEBDA8C2A2E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13539089-270A-449C-8C6F-DEEBDA8C2A2E}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13539089-270A-449C-8C6F-DEEBDA8C2A2E}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2736	2660	regsvr32.exe	29
PID 2660 wrote to memory of 2736	2660	regsvr32.exe	29
PID 2660 wrote to memory of 2736	2660	regsvr32.exe	29
PID 2660 wrote to memory of 2736	2660	regsvr32.exe	29
PID 2660 wrote to memory of 2736	2660	regsvr32.exe	29
PID 2660 wrote to memory of 2736	2660	regsvr32.exe	29
PID 2660 wrote to memory of 2736	2660	regsvr32.exe	29

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1be665f7dec9b43c6227d165325df8c1.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\1be665f7dec9b43c6227d165325df8c1.dll
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Modifies registry class
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2736-0-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/2736-1-0x0000000000160000-0x0000000000190000-memory.dmp

Filesize
192KB

Download
memory/2736-2-0x00000000001D0000-0x00000000001D3000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads