f50d969eb2303835ed661ce08d4b58dcf40b92304b572c1f959b03b79dfa3585

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18-01-2024 02:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f50d969eb2303835ed661ce08d4b58dcf40b92304b572c1f959b03b79dfa3585.exe
Size

3.8MB
MD5

594d1c8328de987dbea5f2354ff8bd9c
SHA1

96040a91ddb18e82cdf85ba2da6dff61b033fce8
SHA256

f50d969eb2303835ed661ce08d4b58dcf40b92304b572c1f959b03b79dfa3585
SHA512

b84f2d06dc7028c945d30013b908dd054021d85b59836e01674118dfdbc5fe47824c383791d5e0801060e8839d53be1b92b6235af1e9d4b450a9c2bf42f01b1c
SSDEEP

49152:v7Idf70vsomJNLUhLaV+fYmKMuSGOp09B/pwJrN6GFVfoPpNf9CXOnMh61RpvPNb:DIdfiKLegiKBVPG5o28N15nMApRT

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2052	f50d969eb2303835ed661ce08d4b58dcf40b92304b572c1f959b03b79dfa3585.exe
2052	f50d969eb2303835ed661ce08d4b58dcf40b92304b572c1f959b03b79dfa3585.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	f50d969eb2303835ed661ce08d4b58dcf40b92304b572c1f959b03b79dfa3585.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LuDaShi\{E42CD458-16E8-4cab-9F32-7EF7925D824C}.tf	f50d969eb2303835ed661ce08d4b58dcf40b92304b572c1f959b03b79dfa3585.exe
File created	C:\Program Files (x86)\LuDaShi\{05A745E4-70C0-4fa9-A534-F4D3760E4449}.tmp\{EBD496BB-DCEC-4b06-9E6A-4D57C1113D44}.tf	f50d969eb2303835ed661ce08d4b58dcf40b92304b572c1f959b03b79dfa3585.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2696	2052	WerFault.exe	27

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 2696	2052	f50d969eb2303835ed661ce08d4b58dcf40b92304b572c1f959b03b79dfa3585.exe	28
PID 2052 wrote to memory of 2696	2052	f50d969eb2303835ed661ce08d4b58dcf40b92304b572c1f959b03b79dfa3585.exe	28
PID 2052 wrote to memory of 2696	2052	f50d969eb2303835ed661ce08d4b58dcf40b92304b572c1f959b03b79dfa3585.exe	28
PID 2052 wrote to memory of 2696	2052	f50d969eb2303835ed661ce08d4b58dcf40b92304b572c1f959b03b79dfa3585.exe	28

C:\Users\Admin\AppData\Local\Temp\f50d969eb2303835ed661ce08d4b58dcf40b92304b572c1f959b03b79dfa3585.exe
"C:\Users\Admin\AppData\Local\Temp\f50d969eb2303835ed661ce08d4b58dcf40b92304b572c1f959b03b79dfa3585.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 948
  2⤵
  - Program crash
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{092101F9-1B1B-4346-BF77-8D8E05AD1125}.tmp\NetBridge.dll

Filesize
237KB

MD5
5bb1414cf35091fed3821ae0e0ec675b

SHA1
c753aa9ac6db957bffd3a1b083d99b9157fbc8d9

SHA256
2bb88e1e9634afbd8500fa36816e89ce5f0afc870ad1fef97c3ed3a4be7da272

SHA512
d915569c4bb41fad257f982e8e2880d2590eb77ce353cb3b5cf6dad5cf135d1c0b4f6fc3a491b2f642a2c78307ffce92a8ce2991e89f5f60481b0e04d0f83f20

Download Submit
\Users\Admin\AppData\Local\Temp\{092101F9-1B1B-4346-BF77-8D8E05AD1125}.tmp\NetBridge.dll

Filesize
206KB

MD5
638c58bb9afc878f40c2bbce80c30f4f

SHA1
812d185d47666bf881c4db1489e531a8a0504724

SHA256
fd370644857501b65aba8ceb316e64acf0caf6c0c0f5a569ddcf82c0444db674

SHA512
b0fc8d300002c8338687d3f540b41dbe5ce37c8fff33b7544ede44d6e34c3b6482ff08d0ffbaacf12df4c4721a2d636c2402512c362c9f8358d18024e1b9b22f

Download Submit
\Users\Admin\AppData\Local\Temp\{52610AF5-2B20-4f41-BAA4-B359E7C95E91}.tmp\7z.dll

Filesize
405KB

MD5
331e95be42b11c217b86284033c41e8a

SHA1
040f5d0620c09267b3d233d25895f171f42c6a5a

SHA256
b309b423a5c8c0fb864632c1e6c75bc1f9414e725e9e2a09c61829b83d72f308

SHA512
233ddde16018ba3a05e8a3989d80abf7e50cc0fc4abcc0daa822f4d286db779841570e28d1aa1f5913688004e0a4c8c9e5b89dfcdfa0eaafbc14b527238afb43

Download Submit
memory/2052-27-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads