Analysis
- max time kernel: 141s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 30-06-2024 13:15
Behavioral task: behavioral1
- Sample: RGSS202E.dll
- Resource: win7-20240508-en (windows7-x64)
- 4 signatures
- 150 seconds

Behavioral task: behavioral2
- Sample: RGSS202E.dll
- Resource: win10v2004-20240508-en (windows10-2004-x64)
- 3 signatures
- 150 seconds
General
- Target: RGSS202E.dll
- Size: 832KB
- MD5: 73b5e408ef0b2a8d498107448ea119b6
- SHA1: 4623ded035d009a3a7a975035e2bd505386d6b11
- SHA256: 3f8ec6209a117ad6ec24eb748b20631b1b09ee65566e2b98fbe5a7021967e40a
- SHA512: b4f4fdc318c231c5677910c43f0da45ad2fe9d333fd89b9912794b890fc4297e6201c6ebfd90b8459cd6130809e05229ae7e0a9119bebf6298f20fc6ad2c81cd
- SSDEEP: 24576:nyctOF+OJjkh/cR5vmEhuBFm62+Ze3JWPCVBO:pO0i+EYBXzZJiO
- Score: 6/10
Malware Config
Signatures

- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes (description | ioc | process):
  - File opened for modification | \??\PhysicalDrive0 | rundll32.exe

- Program crash (1 IoC)
  Processes (pid | pid_target | process | target process):
  - 2896 | 2604 | WerFault.exe | rundll32.exe

- Modifies registry class (3 IoCs)
  Processes (description | ioc | process):
  - Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | rundll32.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | rundll32.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | rundll32.exe

- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description | pid | process | target process):
  - PID 1028 wrote to memory of 2604 | 1028 | rundll32.exe | rundll32.exe (7 occurrences)
  - PID 2604 wrote to memory of 2896 | 2604 | rundll32.exe | WerFault.exe (4 occurrences)
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\RGSS202E.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\RGSS202E.dll,#1
    - Writes to the Master Boot Record (MBR)
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 272
      - Program crash
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads (memory dumps, filesize in parentheses)
- memory/2604-0-0x0000000010000000-0x00000000101FB000-memory.dmp (2.0MB)
- memory/2604-1-0x0000000010000000-0x00000000101FB000-memory.dmp (2.0MB)
- memory/2604-3-0x00000000101D3000-0x00000000101D4000-memory.dmp (4KB)
- memory/2604-4-0x0000000010000000-0x00000000101FB000-memory.dmp (2.0MB)
- memory/2604-2-0x00000000001E0000-0x0000000000215000-memory.dmp (212KB)
- memory/2604-5-0x0000000010000000-0x00000000101FB000-memory.dmp (2.0MB)
- memory/2604-7-0x00000000001E0000-0x0000000000215000-memory.dmp (212KB)
- memory/2604-8-0x00000000101D3000-0x00000000101D4000-memory.dmp (4KB)