Analysis
-
max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags
arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted
28/03/2025, 17:24
Static task
static1
Behavioral task
behavioral1
Sample
376784dcecdde06277726880a47066d1b8c925e202854b5feadad3233dfa3710.dll
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
376784dcecdde06277726880a47066d1b8c925e202854b5feadad3233dfa3710.dll
Resource
win10v2004-20250314-en
General
-
Target
376784dcecdde06277726880a47066d1b8c925e202854b5feadad3233dfa3710.dll
-
Size
482KB
-
MD5
88cf0a2c27cd1a9b49e7e08907c0ed7c
-
SHA1
f168902b7eb126f999283055f8d6c17ead0f7426
-
SHA256
376784dcecdde06277726880a47066d1b8c925e202854b5feadad3233dfa3710
-
SHA512
d216e5a6a4dde55c49b1d48b9eb725f56e02e6144723fa381b035bf2f9bb0fc69242a8cd56965fb9f437b86ea536fe70527610d8a1e181aaf48a23487e8382ac
-
SSDEEP
12288:G781CVzL11BXrpTgOYdhYAVNfCzdq26tsvXwUy6m:G7ZL1DXqFhlfCzo26tsvXG6m
Malware Config
Signatures
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description                     ioc                   Process
File opened for modification    \??\PhysicalDrive0    rundll32.exe
-
Drops file in System32 directory 2 IoCs
description     ioc                                    Process
File created    C:\Windows\SysWOW64\1b0506             rundll32.exe
File created    C:\Windows\SysWOW64\-101-112019        rundll32.exe
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description    ioc                                                              Process
Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      rundll32.exe
-
Suspicious use of WriteProcessMemory 7 IoCs
description                          pid     Process         procid_target
PID 1688 wrote to memory of 2408     1688    rundll32.exe    30
PID 1688 wrote to memory of 2408     1688    rundll32.exe    30
PID 1688 wrote to memory of 2408     1688    rundll32.exe    30
PID 1688 wrote to memory of 2408     1688    rundll32.exe    30
PID 1688 wrote to memory of 2408     1688    rundll32.exe    30
PID 1688 wrote to memory of 2408     1688    rundll32.exe    30
PID 1688 wrote to memory of 2408     1688    rundll32.exe    30
Processes
-
C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\376784dcecdde06277726880a47066d1b8c925e202854b5feadad3233dfa3710.dll,#1
(depth 1)
- Suspicious use of WriteProcessMemory
PID: 1688
  C:\Windows\SysWOW64\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\376784dcecdde06277726880a47066d1b8c925e202854b5feadad3233dfa3710.dll,#1
  (depth 2, child of PID 1688)
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID: 2408
-