Malware Analysis Report

2025-08-06 00:04

Sample ID 240223-npafgsfg94
Target fabda82b69857866e19c933af976f4d8779fe8a797a0c92338d4ef5cbb68d6a4
SHA256 fabda82b69857866e19c933af976f4d8779fe8a797a0c92338d4ef5cbb68d6a4
Tags
bootkit discovery persistence
score
7/10

Analysis Overview

score
7/10

SHA256

fabda82b69857866e19c933af976f4d8779fe8a797a0c92338d4ef5cbb68d6a4

Threat Level: Shows suspicious behavior

The file fabda82b69857866e19c933af976f4d8779fe8a797a0c92338d4ef5cbb68d6a4 was found to be: Shows suspicious behavior.

Malicious Activity Summary

bootkit discovery persistence

Loads dropped DLL

Checks installed software on the system

Writes to the Master Boot Record (MBR)

Drops file in Program Files directory

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-23 11:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-23 11:33

Reported

2024-02-23 11:36

Platform

win7-20240221-en

Max time kernel

118s

Max time network

122s

Command Line

C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 812

Signatures

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\fabda82b69857866e19c933af976f4d8779fe8a797a0c92338d4ef5cbb68d6a4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\LuDaShi\{D94A1F80-6229-45ec-B654-986B8C6D8AB0}.tf C:\Users\Admin\AppData\Local\Temp\fabda82b69857866e19c933af976f4d8779fe8a797a0c92338d4ef5cbb68d6a4.exe N/A
File created C:\Program Files (x86)\LuDaShi\{D1197744-151D-4cd9-9A12-B02FDC09A974}.tmp\{6993F3EE-0309-413b-96A2-C62BEAD5E7A5}.tf C:\Users\Admin\AppData\Local\Temp\fabda82b69857866e19c933af976f4d8779fe8a797a0c92338d4ef5cbb68d6a4.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Processes

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 812

C:\Users\Admin\AppData\Local\Temp\fabda82b69857866e19c933af976f4d8779fe8a797a0c92338d4ef5cbb68d6a4.exe

"C:\Users\Admin\AppData\Local\Temp\fabda82b69857866e19c933af976f4d8779fe8a797a0c92338d4ef5cbb68d6a4.exe"

Network

N/A

Files

memory/2704-27-0x0000000000230000-0x0000000000231000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{3CEBAC2A-D675-4bcb-810C-5C358D972B53}.tmp\NetBridge.dll

MD5 8786d469338c30e0ba9fedfc62bd5197
SHA1 5fb12028ceae9772f938e1b98b699f0e02e32718
SHA256 beeaf8b72f7008e9adabacfcd85e32a50747a0dfb5c86802aeb973bd1f5c3d2f
SHA512 5db1e5b78e62cda81a63e8e712e720f87a7c7a539237a55a9098c076f9fb4e0b5adb83383c23657b4ccc90c117e55e3946a399cdf3d15cb94444b203d9d6c45c

\Users\Admin\AppData\Local\Temp\{6B9EC451-1998-4959-88B3-8DC98BB8C4D5}.tmp\7z.dll

MD5 2706693dda10c6cc79eed24c56d4e5ef
SHA1 4f34ef1bd49273a0d260b9dab15c73eb0ccb6383
SHA256 0edad8a1af22d5b97c1f324791c86243a6ecce7b5a9d2f30415af99aba9129c3
SHA512 7e7f7ae894528587ba33b6e10999549bb9a2ec2748b5662fa1b8806e5f4ce33af47507b3ef2954f2747a76b5b7c775c1cd671061f577c5016d1f8ba165bbe21c

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-23 11:33

Reported

2024-02-23 11:36

Platform

win10v2004-20240221-en

Max time kernel

146s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fabda82b69857866e19c933af976f4d8779fe8a797a0c92338d4ef5cbb68d6a4.exe"

Signatures

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\fabda82b69857866e19c933af976f4d8779fe8a797a0c92338d4ef5cbb68d6a4.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 C:\Users\Admin\AppData\Local\Temp\fabda82b69857866e19c933af976f4d8779fe8a797a0c92338d4ef5cbb68d6a4.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = (binary blob value not included in this report) C:\Users\Admin\AppData\Local\Temp\fabda82b69857866e19c933af976f4d8779fe8a797a0c92338d4ef5cbb68d6a4.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = (binary blob value not included in this report) C:\Users\Admin\AppData\Local\Temp\fabda82b69857866e19c933af976f4d8779fe8a797a0c92338d4ef5cbb68d6a4.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fabda82b69857866e19c933af976f4d8779fe8a797a0c92338d4ef5cbb68d6a4.exe

"C:\Users\Admin\AppData\Local\Temp\fabda82b69857866e19c933af976f4d8779fe8a797a0c92338d4ef5cbb68d6a4.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 www.ludashi.com udp
US 8.8.8.8:53 s.ludashi.com udp
CN 114.116.39.220:80 www.ludashi.com tcp
CN 139.224.193.172:80 s.ludashi.com tcp
CN 139.224.193.172:80 s.ludashi.com tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 202.77.24.184.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
CN 139.224.193.172:80 s.ludashi.com tcp
CN 139.224.193.172:80 s.ludashi.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
CN 139.224.193.172:80 s.ludashi.com tcp
CN 139.224.193.172:80 s.ludashi.com tcp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
CN 139.224.193.172:80 s.ludashi.com tcp
CN 139.224.193.172:80 s.ludashi.com tcp
CN 139.224.193.172:80 s.ludashi.com tcp
CN 139.224.193.172:80 s.ludashi.com tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
CN 139.224.193.172:80 s.ludashi.com tcp
CN 139.224.193.172:80 s.ludashi.com tcp
CN 139.224.193.172:80 s.ludashi.com tcp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\{8E8FED7A-6766-4aa2-917C-D2020CF5B0ED}.tmp\7z.dll

MD5 2706693dda10c6cc79eed24c56d4e5ef
SHA1 4f34ef1bd49273a0d260b9dab15c73eb0ccb6383
SHA256 0edad8a1af22d5b97c1f324791c86243a6ecce7b5a9d2f30415af99aba9129c3
SHA512 7e7f7ae894528587ba33b6e10999549bb9a2ec2748b5662fa1b8806e5f4ce33af47507b3ef2954f2747a76b5b7c775c1cd671061f577c5016d1f8ba165bbe21c

C:\Users\Admin\AppData\Local\Temp\{0E39DB11-68C9-42ac-A91E-1B12697282D7}.tmp\NetBridge.dll

MD5 8786d469338c30e0ba9fedfc62bd5197
SHA1 5fb12028ceae9772f938e1b98b699f0e02e32718
SHA256 beeaf8b72f7008e9adabacfcd85e32a50747a0dfb5c86802aeb973bd1f5c3d2f
SHA512 5db1e5b78e62cda81a63e8e712e720f87a7c7a539237a55a9098c076f9fb4e0b5adb83383c23657b4ccc90c117e55e3946a399cdf3d15cb94444b203d9d6c45c

C:\Users\Admin\AppData\Local\Temp\{0E39DB11-68C9-42ac-A91E-1B12697282D7}.tmp\NetBridge.dll

MD5 9a850b21b2d3a290ca9be5e389ae965d
SHA1 c6fb8fd418ce2320e391548085c6c5b05b015c58
SHA256 7e60476d6d53e694ffc5ff8d880a948637c3aa4c20d6bba04b441dcf8d6f8056
SHA512 61e26b9f730714da90533b8206906c5c30ae269f6c865cc54dbf65f9aaf7dcaf08a03f8428857856f3e88fce7a6cf576e62a8348cc7d2ac2bd280413b7cc9e7b