Overview

overview

10

Static

static

10

dll/socks32.dll

windows7_x64

8

dll/socks32.dll

windows10_x64

8

dll/socks64.dll

windows7_x64

8

dll/socks64.dll

windows10_x64

8

server.exe

windows7_x64

8

server.exe

windows10_x64

8

server.out

linux_amd64

server.out

linux_mipsel

server.out

linux_mips

socks.exe

windows7_x64

4

socks.exe

windows10_x64

4

www/system...har.js

windows7_x64

1

www/system...har.js

windows10_x64

1

www/system...x.html

windows7_x64

1

www/system...x.html

windows10_x64

1

www/system...php.js

windows7_x64

1

www/system...php.js

windows10_x64

1

Analysis

  • max time kernel
    147s
  • max time network
    154s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    13-07-2021 14:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dll/socks32.dll

  • Size

    13KB

  • MD5

    65c17c463e5b6aa86563ddc2d1cc7d94

  • SHA1

    5d2de9c471fccac50d001ba2ccc9904545b712fd

  • SHA256

    683e6f42222caf44fdc3917be95d55a3f2213c5e3f966e33996ecd1f0743197f

  • SHA512

    b31577aee0c3f40167f9956d09ba9090cc75ac037712daf73528896f067cebdcc5e9bd7be92992ea7169750d4363d572ca87a7a692dcbf0292348c900a09efb8

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 14 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\socks32.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:800
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\socks32.dll,#1
      2⤵
      • Blocklisted process makes network request
      PID:1400

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1400-114-0x0000000000000000-mapping.dmp

    Download