Analysis
- max time kernel: 139s
- max time network: 162s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 04-06-2022 07:51
Static task
- static1
Behavioral task
- behavioral1
  Sample: 113880f0ac34edce7cdc19fc151d4d974c4c0b39991ff2bc4cd6f62648d48e37.dll
  Resource: win7-20220414-en
Behavioral task
- behavioral2
  Sample: 113880f0ac34edce7cdc19fc151d4d974c4c0b39991ff2bc4cd6f62648d48e37.dll
  Resource: win10v2004-20220414-en
General
- Target: 113880f0ac34edce7cdc19fc151d4d974c4c0b39991ff2bc4cd6f62648d48e37.dll
- Size: 242KB
- MD5: 4aeeb8d5f73f841fcf29d1f0e7565453
- SHA1: d093748ddd86667566c9ecfa9717e35af97c3a8b
- SHA256: 113880f0ac34edce7cdc19fc151d4d974c4c0b39991ff2bc4cd6f62648d48e37
- SHA512: af1aa8d345225153da32b99ca2ea1a4a76f5fd4a6e1b88bc5e739bbc6d63743cb2749d70091cbd0fa81660bc07c0c01c4fe1af8de7518bad677cb51d815690dd
Malware Config
Extracted
metasploit
encoder/fnstenv_mov
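The config extractor attributes the payload to Metasploit's fnstenv_mov encoder, which is a fixed-key, dword-wise XOR whose decoder stub uses fnstenv to find its own address. The following is an added example, not code from this report or from Metasploit: it scans a buffer for the decoder stub this example assumes that encoder emits (the byte layout is reconstructed from memory of Metasploit's x86/fnstenv_mov module and is an assumption), pulls out the block count and XOR key from the stub's two variable fields, and decodes the bytes that follow. The sample buffer is constructed around a harmless marker string and is not taken from the analysed DLL; the encoder function exists only to build that sample.

```python
import re

# Decoder stub that this example assumes Metasploit's x86/fnstenv_mov encoder
# emits (reconstructed from memory of modules/encoders/x86/fnstenv_mov.rb; the
# two variable fields are the dword block count and the 4-byte XOR key):
#   6A <count>       push byte <count>
#   59               pop ecx
#   D9 EE            fldz
#   D9 74 24 F4      fnstenv [esp-0xc]          ; leaves EIP of fldz at [esp]
#   5B               pop ebx                    ; ebx = address of fldz
#   81 73 13 <key>   xor dword [ebx+0x13], key  ; fldz+0x13 = first encoded dword
#   83 EB FC         sub ebx, -4
#   E2 F4            loop <xor>
STUB_RE = re.compile(
    rb"\x6a(.)\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13(.{4})\x83\xeb\xfc\xe2\xf4",
    re.DOTALL,
)
STUB_LEN = 22  # push through loop inclusive; the encoded payload starts right after


def find_fnstenv_mov(blob):
    """Return (stub_offset, dword_count, key_bytes) for the first stub found, else None."""
    m = STUB_RE.search(blob)
    if m is None:
        return None
    return m.start(), m.group(1)[0], m.group(2)


def decode_fnstenv_mov(blob):
    """Locate the stub and XOR-decode the dwords that follow it with the stub's key."""
    hit = find_fnstenv_mov(blob)
    if hit is None:
        return None
    off, count, key = hit
    start = off + STUB_LEN
    enc = blob[start:start + 4 * count]
    # The xor immediate and the encoded dwords are both little-endian in memory,
    # so the dword XOR is the same as XORing byte i with key[i % 4].
    return bytes(b ^ key[i % 4] for i, b in enumerate(enc))


def encode_fnstenv_mov(payload, key):
    """Constructed encoder producing stub + XORed payload; used only to build test input."""
    if len(key) != 4:
        raise ValueError("key must be 4 bytes")
    if len(payload) % 4:
        payload += b"\x90" * (4 - len(payload) % 4)  # NOP padding is this example's own choice
    count = len(payload) // 4
    if not 1 <= count <= 255:
        raise ValueError("block count must fit in one byte")
    stub = (b"\x6a" + bytes([count]) + b"\x59\xd9\xee\xd9\x74\x24\xf4\x5b"
            + b"\x81\x73\x13" + key + b"\x83\xeb\xfc\xe2\xf4")
    return stub + bytes(b ^ key[i % 4] for i, b in enumerate(payload))


# Constructed sample: a marker string stands in for shellcode; these bytes are
# NOT from the analysed DLL. Junk on either side shows the scan does not depend
# on the stub sitting at offset 0.
MARKER = b"constructed-sample-payload-not-shellcode"
KEY = b"\xde\xad\xbe\xef"
SAMPLE = b"\x90" * 7 + encode_fnstenv_mov(MARKER, KEY) + b"\xcc" * 3

if __name__ == "__main__":
    hit = find_fnstenv_mov(SAMPLE)
    print("stub at offset", hit[0], "dwords", hit[1], "key", hit[2].hex())
    print("decoded:", decode_fnstenv_mov(SAMPLE))
```

Run it against a raw section dump (for example the 0x10000000 region dumps listed under Downloads) rather than the on-disk DLL if the stub is only present after unpacking; a match gives you the key and length without executing anything, and a stub with a different register layout or an added junk-instruction prefix will simply not match this pattern.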
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Blocklisted process makes network request (3 IoCs)
  Processes:
  flow  pid   process
  14    3424  rundll32.exe
  16    3424  rundll32.exe
  17    3424  rundll32.exe
- Program crash (1 IoC)
  Processes:
  pid   pid_target  process       target process
  4140  3424        WerFault.exe  rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                        pid   process       target process
  PID 3408 wrote to memory of 3424   3408  rundll32.exe  rundll32.exe
  PID 3408 wrote to memory of 3424   3408  rundll32.exe  rundll32.exe
  PID 3408 wrote to memory of 3424   3408  rundll32.exe  rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\113880f0ac34edce7cdc19fc151d4d974c4c0b39991ff2bc4cd6f62648d48e37.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\113880f0ac34edce7cdc19fc151d4d974c4c0b39991ff2bc4cd6f62648d48e37.dll,#1
    - Blocklisted process makes network request
    - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1848
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3424 -ip 3424
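The tree above has the shape a detection engineer should key on: the 64-bit rundll32 in system32 relaunches the SysWOW64 copy with the identical command line (rundll32 does this when the DLL it is handed is 32-bit), the DLL is called by ordinal (`,#1`) from the user's Temp directory, and the WOW64 child then dies under WerFault. The following is an added example, not part of this report or of any sandbox product: it runs that logic over process-creation events constructed to mirror the tree. The event layout is this example's own (modelled on the fields Sysmon Event ID 1 carries), and the explorer.exe parent with PID 1000 is an assumption, since the page does not show what launched PID 3408.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (fields modelled on Sysmon Event ID 1)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events mirroring the process tree in this report. PIDs, images and
# command lines of 3408, 3424 and 4140 come from the tree; the explorer.exe
# parent (PID 1000, PPID 800) is an assumption added for the example.
DLL = (r"C:\Users\Admin\AppData\Local\Temp"
       r"\113880f0ac34edce7cdc19fc151d4d974c4c0b39991ff2bc4cd6f62648d48e37.dll")
EVENTS = [
    ProcEvent(1000, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(3408, 1000, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(3424, 3408, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(4140, 3424, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1848"),
]

# "rundll32.exe <dll>,<export>" with optional quoting; export may be a name or #ordinal.
RUNDLL_RE = re.compile(
    r'^"?(?:[^" ]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE)
# WerFault names the crashing process with "-p <pid>" ("-pss" deliberately does not match).
WERFAULT_PID_RE = re.compile(r"(?:^|\s)-p\s+(\d+)", re.IGNORECASE)
# Directories an unprivileged user can write to; a DLL loaded from here by a
# system binary deserves a look regardless of what the rest of the chain does.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\",
                 "\\programdata\\", "\\downloads\\")


def is_rundll32(ev):
    return ev.image.lower().endswith("\\rundll32.exe")


def analyze(events):
    """Return (pid, finding) pairs for the rundll32 loading pattern seen in this report."""
    by_pid = {ev.pid: ev for ev in events}
    findings = []
    for ev in events:
        if is_rundll32(ev):
            m = RUNDLL_RE.match(ev.cmdline)
            if not m:
                continue
            dll = m.group("dll").lower()
            if any(p in dll for p in USER_WRITABLE):
                findings.append((ev.pid, "rundll32 loads a DLL from a user-writable path"))
            if m.group("export").startswith("#"):
                findings.append((ev.pid, "rundll32 calls the export by ordinal"))
            parent = by_pid.get(ev.ppid)
            if (parent is not None and is_rundll32(parent)
                    and "\\system32\\" in parent.image.lower()
                    and "\\syswow64\\" in ev.image.lower()):
                findings.append((ev.pid, "64-bit rundll32 re-executed as WOW64 rundll32 (DLL is 32-bit)"))
        elif ev.image.lower().endswith("\\werfault.exe"):
            m = WERFAULT_PID_RE.search(ev.cmdline)
            if m:
                target = int(m.group(1))
                if any(pid == target for pid, _ in findings):
                    findings.append((target, "flagged rundll32 crashed (WerFault reported it)"))
    return findings


if __name__ == "__main__":
    for pid, finding in analyze(EVENTS):
        print(f"{pid}: {finding}")
```

The crash finding is only raised when WerFault points at a PID that was already flagged, so ordinary application crashes do not fire; in a real pipeline you would key the lookup on process GUIDs rather than bare PIDs, which are reused.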
Network
MITRE ATT&CK Matrix
Downloads
- memory/3424-130-0x0000000000000000-mapping.dmp
- memory/3424-131-0x0000000010000000-0x0000000010091000-memory.dmp (Filesize 580KB)
- memory/3424-133-0x0000000000AF0000-0x0000000000B14000-memory.dmp (Filesize 144KB)
- memory/3424-132-0x0000000010000000-0x0000000010091000-memory.dmp (Filesize 580KB)
- memory/3424-134-0x0000000010000000-0x0000000010091000-memory.dmp (Filesize 580KB)
- memory/3424-136-0x0000000010000000-0x0000000010091000-memory.dmp (Filesize 580KB)
- memory/3424-137-0x0000000010000000-0x0000000010091000-memory.dmp (Filesize 580KB)
- memory/3424-138-0x0000000010000000-0x0000000010091000-memory.dmp (Filesize 580KB)
- memory/3424-139-0x0000000000AF0000-0x0000000000B14000-memory.dmp (Filesize 144KB)