Analysis

  • max time kernel
    135s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
  • submitted
    21-07-2022 19:17

General

  • Target

    msword.dll

  • Size

    8KB

  • MD5

    9c4ca241b15fd2e220d96eb3886b0083

  • SHA1

    6547058a524b3a6cc8fff2eca9fca565a6f1575e

  • SHA256

    800d9f3d161f9ee7b11f7e32694ce01d74b7380849fe09ab2c6387a356ae3bd1

  • SHA512

    fe1305b8ed517612e28a824daaf2f35fe00a022a2c1aae05a19187a587d63171feabb931df9f4a2a90706afecf24398426a10701f23e7faf22f7e8ff3537a89e

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

metasploit_stager

C2

183.191.40.147:16406

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Blocklisted process makes network request 7 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\msword.dll,#1
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:908
    • C:\Windows\system32\rundll32.exe
      rundll32.exe
      2⤵
      • Blocklisted process makes network request
      PID:1444

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1444-54-0x00000000FF3D3CEC-mapping.dmp