Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 16/01/2024, 10:27
Behavioral task: behavioral1
- Sample: 5fa9d20296121bb0d6dfbf9994683f43.dll
- Resource: win7-20231215-en
- 4 signatures
- 150 seconds

Behavioral task: behavioral2
- Sample: 5fa9d20296121bb0d6dfbf9994683f43.dll
- Resource: win10v2004-20231215-en
- 3 signatures
- 150 seconds
General
- Target: 5fa9d20296121bb0d6dfbf9994683f43.dll
- Size: 8KB
- MD5: 5fa9d20296121bb0d6dfbf9994683f43
- SHA1: 614cda8b624a35e636b6b28dc42206511725e81b
- SHA256: 9785c012a9d8f1f7682276ba3d8175ed4a613f1cb279370cea773b45d68a95cb
- SHA512: 26d6d5dee54d24a818d41f3053bcf5b64b943f4c6adb1f4f1cb08032523e2095db5b5c0f5499bbb86640dfe66a4b5b2c2169f5ef7ecf0f1c99769aa7c607fbf9
- SSDEEP: 48:id+P3zSSxPIux486DhFhklWqJ1ATDhZoEuYxf:QvSx335JOLoE
- Score: 10/10
Malware Config
- Extracted
  - Family: metasploit
  - Version: windows/exec
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

- Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process       procid_target
  PID 1096 set thread context of 1012  1096  rundll32.exe  29

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  2460  whoami.exe

- Suspicious use of WriteProcessMemory (19 IoCs)
  description                       pid   Process       procid_target
  PID 2436 wrote to memory of 1096  2436  rundll32.exe  28
  PID 2436 wrote to memory of 1096  2436  rundll32.exe  28
  PID 2436 wrote to memory of 1096  2436  rundll32.exe  28
  PID 2436 wrote to memory of 1096  2436  rundll32.exe  28
  PID 2436 wrote to memory of 1096  2436  rundll32.exe  28
  PID 2436 wrote to memory of 1096  2436  rundll32.exe  28
  PID 2436 wrote to memory of 1096  2436  rundll32.exe  28
  PID 1096 wrote to memory of 1012  1096  rundll32.exe  29
  PID 1096 wrote to memory of 1012  1096  rundll32.exe  29
  PID 1096 wrote to memory of 1012  1096  rundll32.exe  29
  PID 1096 wrote to memory of 1012  1096  rundll32.exe  29
  PID 1096 wrote to memory of 1012  1096  rundll32.exe  29
  PID 1096 wrote to memory of 1012  1096  rundll32.exe  29
  PID 1096 wrote to memory of 1012  1096  rundll32.exe  29
  PID 1096 wrote to memory of 1012  1096  rundll32.exe  29
  PID 1012 wrote to memory of 2460  1012  rundll32.exe  30
  PID 1012 wrote to memory of 2460  1012  rundll32.exe  30
  PID 1012 wrote to memory of 2460  1012  rundll32.exe  30
  PID 1012 wrote to memory of 2460  1012  rundll32.exe  30
Processes
- C:\Windows\system32\rundll32.exe
  Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5fa9d20296121bb0d6dfbf9994683f43.dll,#1
  PID: 2436
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5fa9d20296121bb0d6dfbf9994683f43.dll,#1
    PID: 1096
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      Command: rundll32.exe
      PID: 1012
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\whoami.exe
        Command: whoami
        PID: 2460
        - Suspicious use of AdjustPrivilegeToken