Malware Analysis Report

2025-08-10 14:16

Sample ID: 241016-cyjvqssdpn
Target: 2de2bd707476c849111c62fc6afec911b4e0fd88f01455d226e8044158660be1
SHA256: 2de2bd707476c849111c62fc6afec911b4e0fd88f01455d226e8044158660be1
Tags: bootkit, discovery, persistence
Score: 7/10


Analysis Overview

Score: 7/10

SHA256: 2de2bd707476c849111c62fc6afec911b4e0fd88f01455d226e8044158660be1

Threat Level: Shows suspicious behavior

The file 2de2bd707476c849111c62fc6afec911b4e0fd88f01455d226e8044158660be1 was found to show suspicious behavior.

Malicious Activity Summary

Tags: bootkit, discovery, persistence

Loads dropped DLL

Checks installed software on the system

Writes to the Master Boot Record (MBR)

Drops file in Program Files directory

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-16 02:29

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-16 02:29
Reported: 2024-10-16 02:31
Platform: win7-20241010-en
Max time kernel: 122s
Max time network: 128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2de2bd707476c849111c62fc6afec911b4e0fd88f01455d226e8044158660be1.exe"

Signatures

Checks installed software on the system

Tags: discovery

Writes to the Master Boot Record (MBR)

Tags: bootkit, persistence

Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\2de2bd707476c849111c62fc6afec911b4e0fd88f01455d226e8044158660be1.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\LuDaShi\{25E909E8-CEB2-43f6-8E4B-9DD83708F3CF}.tf | C:\Users\Admin\AppData\Local\Temp\2de2bd707476c849111c62fc6afec911b4e0fd88f01455d226e8044158660be1.exe | N/A
File created | C:\Program Files (x86)\LuDaShi\{E39F4F65-1D53-4534-A6C0-89FE5D201D9B}.tmp\{7FE82DA8-9085-4e73-B796-F68D311DD55F}.tf | C:\Users\Admin\AppData\Local\Temp\2de2bd707476c849111c62fc6afec911b4e0fd88f01455d226e8044158660be1.exe | N/A

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2de2bd707476c849111c62fc6afec911b4e0fd88f01455d226e8044158660be1.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2de2bd707476c849111c62fc6afec911b4e0fd88f01455d226e8044158660be1.exe

"C:\Users\Admin\AppData\Local\Temp\2de2bd707476c849111c62fc6afec911b4e0fd88f01455d226e8044158660be1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 988

Network

Country Destination Domain Proto
US 8.8.8.8:53 s.ludashi.com udp
US 8.8.8.8:53 www.ludashi.com udp

Files

\Users\Admin\AppData\Local\Temp\{E98776DC-DDE3-4b05-A3EB-95B1290EE6C9}.tmp\7z.dll

MD5 2706693dda10c6cc79eed24c56d4e5ef
SHA1 4f34ef1bd49273a0d260b9dab15c73eb0ccb6383
SHA256 0edad8a1af22d5b97c1f324791c86243a6ecce7b5a9d2f30415af99aba9129c3
SHA512 7e7f7ae894528587ba33b6e10999549bb9a2ec2748b5662fa1b8806e5f4ce33af47507b3ef2954f2747a76b5b7c775c1cd671061f577c5016d1f8ba165bbe21c

\Users\Admin\AppData\Local\Temp\{BE96BEB9-0FA3-49ac-A6C1-7B0DBFBB2683}.tmp\NetBridge.dll

MD5 9d145902fb5b9a6da62ac85761434e31
SHA1 c817d77f59e3767d75cf5f5298d6b5711308f7e5
SHA256 98d795d55329b1057f4fd590468e648a8c34b620207fd9a0a6953f3e98d1ea43
SHA512 bbb3109bcd5ded909bfdaeb7f4f006fc5928a9bc501bad5ae8ba9805bc0d924a2c4da8bbd215480db936d663852abd9b0435fa241a40224a4cd93c4b7aff79a9

memory/2880-27-0x0000000000340000-0x0000000000341000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-16 02:29
Reported: 2024-10-16 02:31
Platform: win10v2004-20241007-en
Max time kernel: 140s
Max time network: 143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2de2bd707476c849111c62fc6afec911b4e0fd88f01455d226e8044158660be1.exe"

Signatures

Checks installed software on the system

Tags: discovery

Writes to the Master Boot Record (MBR)

Tags: bootkit, persistence

Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\2de2bd707476c849111c62fc6afec911b4e0fd88f01455d226e8044158660be1.exe | N/A

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2de2bd707476c849111c62fc6afec911b4e0fd88f01455d226e8044158660be1.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2de2bd707476c849111c62fc6afec911b4e0fd88f01455d226e8044158660be1.exe

"C:\Users\Admin\AppData\Local\Temp\2de2bd707476c849111c62fc6afec911b4e0fd88f01455d226e8044158660be1.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.ludashi.com udp
US 8.8.8.8:53 s.ludashi.com udp
CN 114.116.48.235:80 www.ludashi.com tcp
CN 47.100.118.105:80 s.ludashi.com tcp
CN 47.100.118.105:80 s.ludashi.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
CN 47.100.118.105:80 s.ludashi.com tcp
CN 47.100.118.105:80 s.ludashi.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
CN 47.100.118.105:80 s.ludashi.com tcp
CN 47.100.118.105:80 s.ludashi.com tcp
CN 47.100.118.105:80 s.ludashi.com tcp
CN 47.100.118.105:80 s.ludashi.com tcp
CN 47.100.118.105:80 s.ludashi.com tcp
CN 47.100.118.105:80 s.ludashi.com tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
CN 47.100.118.105:80 s.ludashi.com tcp
CN 47.100.118.105:80 s.ludashi.com tcp
CN 47.100.118.105:80 s.ludashi.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\{AEC80E5E-7BF6-4f03-A1D8-CC648BC06B5E}.tmp\7z.dll

MD5 2706693dda10c6cc79eed24c56d4e5ef
SHA1 4f34ef1bd49273a0d260b9dab15c73eb0ccb6383
SHA256 0edad8a1af22d5b97c1f324791c86243a6ecce7b5a9d2f30415af99aba9129c3
SHA512 7e7f7ae894528587ba33b6e10999549bb9a2ec2748b5662fa1b8806e5f4ce33af47507b3ef2954f2747a76b5b7c775c1cd671061f577c5016d1f8ba165bbe21c

C:\Users\Admin\AppData\Local\Temp\{FB70E6A6-B15C-4f97-8262-E9C816A63357}.tmp\NetBridge.dll

MD5 9d145902fb5b9a6da62ac85761434e31
SHA1 c817d77f59e3767d75cf5f5298d6b5711308f7e5
SHA256 98d795d55329b1057f4fd590468e648a8c34b620207fd9a0a6953f3e98d1ea43
SHA512 bbb3109bcd5ded909bfdaeb7f4f006fc5928a9bc501bad5ae8ba9805bc0d924a2c4da8bbd215480db936d663852abd9b0435fa241a40224a4cd93c4b7aff79a9