Overview

overview

7

Static

static

7

1792EL4.4?...or.exe

windows7-x64

7

1792EL4.4?...or.exe

windows10-2004-x64

7

1792EL4.4?...ne.dll

windows7-x64

7

1792EL4.4?...ne.dll

windows10-2004-x64

7

1792EL4.4?...ce.dll

windows7-x64

7

1792EL4.4?...ce.dll

windows10-2004-x64

7

1792EL4.4?/Update.exe

windows7-x64

1

1792EL4.4?/Update.exe

windows10-2004-x64

1

1792EL4.4?/sign.dll

windows7-x64

1

1792EL4.4?/sign.dll

windows10-2004-x64

1

1792EL4.4?...pi.dll

windows7-x64

3

1792EL4.4?...pi.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    41s
  • max time network
    53s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-07-2024 04:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1792EL4.4?/ElementsEngine.dll

  • Size

    3.0MB

  • MD5

    9983eef61740b311b2383b869a308b09

  • SHA1

    bfe16190c6bbffcd7f154b0fc34878b3c3282654

  • SHA256

    2916246e84289df1dc43d9b38a06bc6bb3e16ff6043ab79fa6b152ff979e503a

  • SHA512

    4dd586edce7c47a52be5779132c3afe56d637a5e07c9f8c3cbf2ff41c770129a334d9cd58a06d5a82d6a7bee3118d13aa60c36d8101b3221f6eec38aeb47f18c

  • SSDEEP

    49152:4yetB97Xw8Fq/taUpZ338lmtSr+cKwjNdtJNVe7Y1g:8M8FmxZSAGbTV

Score
7/10
bootkitpersistencevmprotect

Malware Config

Signatures

  • VMProtect packed file 2 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\1792EL4.4_\ElementsEngine.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1704
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\1792EL4.4_\ElementsEngine.dll,#1
      2⤵
      • Writes to the Master Boot Record (MBR)
      PID:4612

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4612-0-0x0000000074FD0000-0x0000000075589000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/4612-1-0x0000000074FD0000-0x0000000075589000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/4612-3-0x0000000002BC0000-0x0000000002BE7000-memory.dmp
    Filesize

    156KB

    Download