Malware Analysis Report

2025-08-06 00:04

Sample ID 240223-mpxeksfd34
Target 73e36a2a49d6dd231a294b9d93aa7d8ebf272a17eb0a4a27d5f76f99ab7167e9
SHA256 73e36a2a49d6dd231a294b9d93aa7d8ebf272a17eb0a4a27d5f76f99ab7167e9
Tags
bootkit discovery persistence
score
7/10

Analysis Overview

score
7/10

SHA256

73e36a2a49d6dd231a294b9d93aa7d8ebf272a17eb0a4a27d5f76f99ab7167e9

Threat Level: Shows suspicious behavior

The file 73e36a2a49d6dd231a294b9d93aa7d8ebf272a17eb0a4a27d5f76f99ab7167e9 was found to show suspicious behavior.

Malicious Activity Summary

bootkit discovery persistence

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Checks installed software on the system

Drops file in Program Files directory

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-23 10:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-23 10:38

Reported

2024-02-23 10:41

Platform

win7-20240221-en

Max time kernel

122s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\73e36a2a49d6dd231a294b9d93aa7d8ebf272a17eb0a4a27d5f76f99ab7167e9.exe"

Signatures

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence

Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\73e36a2a49d6dd231a294b9d93aa7d8ebf272a17eb0a4a27d5f76f99ab7167e9.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\LuDaShi\{7827E103-8708-4475-8628-61DD99B6A687}.tf C:\Users\Admin\AppData\Local\Temp\73e36a2a49d6dd231a294b9d93aa7d8ebf272a17eb0a4a27d5f76f99ab7167e9.exe N/A
File created C:\Program Files (x86)\LuDaShi\{59754265-1136-4c99-B802-81658BD72C7E}.tmp\{1B8652B4-D1C0-43f7-A5C9-E918B97DF8D7}.tf C:\Users\Admin\AppData\Local\Temp\73e36a2a49d6dd231a294b9d93aa7d8ebf272a17eb0a4a27d5f76f99ab7167e9.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\73e36a2a49d6dd231a294b9d93aa7d8ebf272a17eb0a4a27d5f76f99ab7167e9.exe

"C:\Users\Admin\AppData\Local\Temp\73e36a2a49d6dd231a294b9d93aa7d8ebf272a17eb0a4a27d5f76f99ab7167e9.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 876

Network

Country Destination Domain Proto
US 8.8.8.8:53 s.ludashi.com udp
US 8.8.8.8:53 www.ludashi.com udp
CN 114.116.39.220:80 www.ludashi.com tcp
CN 106.15.136.209:80 s.ludashi.com tcp
CN 106.15.136.209:80 s.ludashi.com tcp

Files

\Users\Admin\AppData\Local\Temp\{FAAB8470-693B-4d68-8D3E-EAA2114F2B89}.tmp\7z.dll

MD5 e8955e395ab5a6800447fe8256bb461e
SHA1 bf6e5dc3007167f4b768f75a3319e4026ed76410
SHA256 cf842130c2cf49ba5a12a33b4a1ec984e31a54c98f7d7aaf431c2ae5ea677e6c
SHA512 18cedfb8ca5b522a5b3a1dbd2de78c694feb231eeb547ab1c52510a8ec93d2a77edae7a296e0145f4918f995fd0819947d0ade26b88e09ac8e1cd257a556bdf1

C:\Users\Admin\AppData\Local\Temp\{07D4C24F-DEAE-4bcd-838C-4700E80615A7}.tmp\NetBridge.dll

MD5 9d145902fb5b9a6da62ac85761434e31
SHA1 c817d77f59e3767d75cf5f5298d6b5711308f7e5
SHA256 98d795d55329b1057f4fd590468e648a8c34b620207fd9a0a6953f3e98d1ea43
SHA512 bbb3109bcd5ded909bfdaeb7f4f006fc5928a9bc501bad5ae8ba9805bc0d924a2c4da8bbd215480db936d663852abd9b0435fa241a40224a4cd93c4b7aff79a9

memory/2196-27-0x00000000003D0000-0x00000000003D1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-23 10:38

Reported

2024-02-23 10:41

Platform

win10v2004-20240221-en

Max time kernel

126s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\73e36a2a49d6dd231a294b9d93aa7d8ebf272a17eb0a4a27d5f76f99ab7167e9.exe"

Signatures

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence

Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\73e36a2a49d6dd231a294b9d93aa7d8ebf272a17eb0a4a27d5f76f99ab7167e9.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\73e36a2a49d6dd231a294b9d93aa7d8ebf272a17eb0a4a27d5f76f99ab7167e9.exe

"C:\Users\Admin\AppData\Local\Temp\73e36a2a49d6dd231a294b9d93aa7d8ebf272a17eb0a4a27d5f76f99ab7167e9.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 s.ludashi.com udp
US 8.8.8.8:53 www.ludashi.com udp
CN 101.132.120.17:80 s.ludashi.com tcp
CN 101.132.120.17:80 s.ludashi.com tcp
CN 114.116.39.220:80 www.ludashi.com tcp
US 8.8.8.8:53 23.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
CN 101.132.120.17:80 s.ludashi.com tcp
CN 101.132.120.17:80 s.ludashi.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
CN 101.132.120.17:80 s.ludashi.com tcp
CN 101.132.120.17:80 s.ludashi.com tcp
US 8.8.8.8:53 205.178.17.96.in-addr.arpa udp
CN 101.132.120.17:80 s.ludashi.com tcp
CN 101.132.120.17:80 s.ludashi.com tcp
CN 101.132.120.17:80 s.ludashi.com tcp
CN 101.132.120.17:80 s.ludashi.com tcp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
CN 101.132.120.17:80 s.ludashi.com tcp
CN 101.132.120.17:80 s.ludashi.com tcp
CN 101.132.120.17:80 s.ludashi.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\{DB4ADBE0-2AD9-4bd1-9AC0-282703516266}.tmp\7z.dll

MD5 2706693dda10c6cc79eed24c56d4e5ef
SHA1 4f34ef1bd49273a0d260b9dab15c73eb0ccb6383
SHA256 0edad8a1af22d5b97c1f324791c86243a6ecce7b5a9d2f30415af99aba9129c3
SHA512 7e7f7ae894528587ba33b6e10999549bb9a2ec2748b5662fa1b8806e5f4ce33af47507b3ef2954f2747a76b5b7c775c1cd671061f577c5016d1f8ba165bbe21c

C:\Users\Admin\AppData\Local\Temp\{35B83C9C-02E4-4026-A225-150E2EF609CA}.tmp\NetBridge.dll

MD5 9d145902fb5b9a6da62ac85761434e31
SHA1 c817d77f59e3767d75cf5f5298d6b5711308f7e5
SHA256 98d795d55329b1057f4fd590468e648a8c34b620207fd9a0a6953f3e98d1ea43
SHA512 bbb3109bcd5ded909bfdaeb7f4f006fc5928a9bc501bad5ae8ba9805bc0d924a2c4da8bbd215480db936d663852abd9b0435fa241a40224a4cd93c4b7aff79a9