Analysis
- max time kernel: 43s
- max time network: 135s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 04-06-2022 07:51
Static task: static1
Behavioral task: behavioral1
- Sample: 113880f0ac34edce7cdc19fc151d4d974c4c0b39991ff2bc4cd6f62648d48e37.dll
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 113880f0ac34edce7cdc19fc151d4d974c4c0b39991ff2bc4cd6f62648d48e37.dll
- Resource: win10v2004-20220414-en
General
- Target: 113880f0ac34edce7cdc19fc151d4d974c4c0b39991ff2bc4cd6f62648d48e37.dll
- Size: 242KB
- MD5: 4aeeb8d5f73f841fcf29d1f0e7565453
- SHA1: d093748ddd86667566c9ecfa9717e35af97c3a8b
- SHA256: 113880f0ac34edce7cdc19fc151d4d974c4c0b39991ff2bc4cd6f62648d48e37
- SHA512: af1aa8d345225153da32b99ca2ea1a4a76f5fd4a6e1b88bc5e739bbc6d63743cb2749d70091cbd0fa81660bc07c0c01c4fe1af8de7518bad677cb51d815690dd
Malware Config
- Extracted: metasploit (encoder/fnstenv_mov)
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Blocklisted process makes network request (3 IoCs)
  Processes: rundll32.exe
  flow  pid  process
  4     112  rundll32.exe
  6     112  rundll32.exe
  8     112  rundll32.exe
- Program crash (1 IoC)
  Processes: WerFault.exe
  pid  pid_target  process       target process
  568  112         WerFault.exe  rundll32.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                     pid  process       target process
  PID 552 wrote to memory of 112  552  rundll32.exe  rundll32.exe
  PID 552 wrote to memory of 112  552  rundll32.exe  rundll32.exe
  PID 552 wrote to memory of 112  552  rundll32.exe  rundll32.exe
  PID 552 wrote to memory of 112  552  rundll32.exe  rundll32.exe
  PID 552 wrote to memory of 112  552  rundll32.exe  rundll32.exe
  PID 552 wrote to memory of 112  552  rundll32.exe  rundll32.exe
  PID 552 wrote to memory of 112  552  rundll32.exe  rundll32.exe
  PID 112 wrote to memory of 568  112  rundll32.exe  WerFault.exe
  PID 112 wrote to memory of 568  112  rundll32.exe  WerFault.exe
  PID 112 wrote to memory of 568  112  rundll32.exe  WerFault.exe
  PID 112 wrote to memory of 568  112  rundll32.exe  WerFault.exe
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\113880f0ac34edce7cdc19fc151d4d974c4c0b39991ff2bc4cd6f62648d48e37.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\113880f0ac34edce7cdc19fc151d4d974c4c0b39991ff2bc4cd6f62648d48e37.dll,#1
      - Blocklisted process makes network request
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 112 -s 1376
         - Program crash
Downloads
- memory/112-54-0x0000000000000000-mapping.dmp
- memory/112-55-0x0000000075451000-0x0000000075453000-memory.dmp (8KB)
- memory/112-56-0x0000000010000000-0x0000000010091000-memory.dmp (580KB)
- memory/112-57-0x0000000000250000-0x0000000000274000-memory.dmp (144KB)
- memory/112-59-0x0000000010000000-0x0000000010091000-memory.dmp (580KB)
- memory/112-60-0x0000000000250000-0x0000000000274000-memory.dmp (144KB)
- memory/568-58-0x0000000000000000-mapping.dmp