Analysis

max time kernel: 122s
max time network: 121s
platform: windows7_x64
resource: win7v20201028
submitted: 08-11-2020 14:13

Static task: static1

Behavioral task: behavioral1
  Sample: c9a4b69fd8936fabe1d044c35baaa28e4bd0aa563769a76d4dba7c16e6fc3009.dll
  Resource: win7v20201028

Behavioral task: behavioral2
  Sample: c9a4b69fd8936fabe1d044c35baaa28e4bd0aa563769a76d4dba7c16e6fc3009.dll
  Resource: win10v20201028
General

Target: c9a4b69fd8936fabe1d044c35baaa28e4bd0aa563769a76d4dba7c16e6fc3009.dll
Size: 5KB
MD5: a3bfdf001d9e5e1276b95a112b74d37f
SHA1: cba777ad1363ad2840d43cfff8833ca22ff8c0d0
SHA256: c9a4b69fd8936fabe1d044c35baaa28e4bd0aa563769a76d4dba7c16e6fc3009
SHA512: 4a48b115adaf593997f73c16c3424eb461b752ea39e5247e8252e1b92c02b5d9b0ba42da2cb63fc8592b52116786cf1631608105bf29c617f223c9d13e48fcbc
Malware Config

Extracted
  Family: metasploit
  Payload: windows/download_exec
  URL: http://example.com:80/hop.php?/12345
Signatures

- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

- Blacklisted process makes network request (1 IoC)
  Processes: rundll32.exe
  flow | pid | process
  6 | 832 | rundll32.exe

- Suspicious use of SetThreadContext (1 IoC)
  Processes: rundll32.exe
  description | pid | process | target process
  PID 1768 set thread context of 832 | 1768 | rundll32.exe | rundll32.exe

- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description | pid | process | target process
  PID 364 wrote to memory of 1768 | 364 | rundll32.exe | rundll32.exe
  PID 364 wrote to memory of 1768 | 364 | rundll32.exe | rundll32.exe
  PID 364 wrote to memory of 1768 | 364 | rundll32.exe | rundll32.exe
  PID 364 wrote to memory of 1768 | 364 | rundll32.exe | rundll32.exe
  PID 364 wrote to memory of 1768 | 364 | rundll32.exe | rundll32.exe
  PID 364 wrote to memory of 1768 | 364 | rundll32.exe | rundll32.exe
  PID 364 wrote to memory of 1768 | 364 | rundll32.exe | rundll32.exe
  PID 1768 wrote to memory of 832 | 1768 | rundll32.exe | rundll32.exe
  PID 1768 wrote to memory of 832 | 1768 | rundll32.exe | rundll32.exe
  PID 1768 wrote to memory of 832 | 1768 | rundll32.exe | rundll32.exe
  PID 1768 wrote to memory of 832 | 1768 | rundll32.exe | rundll32.exe
  PID 1768 wrote to memory of 832 | 1768 | rundll32.exe | rundll32.exe
  PID 1768 wrote to memory of 832 | 1768 | rundll32.exe | rundll32.exe
  PID 1768 wrote to memory of 832 | 1768 | rundll32.exe | rundll32.exe
  PID 1768 wrote to memory of 832 | 1768 | rundll32.exe | rundll32.exe
Processes

- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c9a4b69fd8936fabe1d044c35baaa28e4bd0aa563769a76d4dba7c16e6fc3009.dll,#1
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c9a4b69fd8936fabe1d044c35baaa28e4bd0aa563769a76d4dba7c16e6fc3009.dll,#1
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe
      - Blacklisted process makes network request