Analysis
-
max time kernel
144s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
05/04/2024, 01:58
Behavioral task
behavioral1
Sample
ed30e0b7070e46b93cbde82943ac8eb0174c55974a791e61922a304fdcf36db1.dll
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
ed30e0b7070e46b93cbde82943ac8eb0174c55974a791e61922a304fdcf36db1.dll
Resource
win10v2004-20240226-en
General
-
Target
ed30e0b7070e46b93cbde82943ac8eb0174c55974a791e61922a304fdcf36db1.dll
-
Size
9KB
-
MD5
1003fcb71b39ff9c861d006552eb5ef6
-
SHA1
d0e68865d51467c92aea7fb487620f9f4d6e8c1b
-
SHA256
ed30e0b7070e46b93cbde82943ac8eb0174c55974a791e61922a304fdcf36db1
-
SHA512
9c37f4c7c4d9d97c5caebd1f35cc1c51dc2e84706996c5e821643e89732ba383121d339f809b2cd0d0761dab54ed3fca91f6bceb369f1f241ac63e035dd74f89
-
SSDEEP
48:q0kV3zU9G4aNVh7XphlhEF57/nU02FSPQoY3B+sXvzWbOE:vDIK0gQHpXv
Malware Config
Extracted
metasploit
encoder/shikata_ga_nai
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4424 set thread context of 3136 4424 rundll32.exe 96 -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 1744 wrote to memory of 4424 1744 rundll32.exe 93 PID 1744 wrote to memory of 4424 1744 rundll32.exe 93 PID 1744 wrote to memory of 4424 1744 rundll32.exe 93 PID 4424 wrote to memory of 3136 4424 rundll32.exe 96 PID 4424 wrote to memory of 3136 4424 rundll32.exe 96 PID 4424 wrote to memory of 3136 4424 rundll32.exe 96 PID 4424 wrote to memory of 3136 4424 rundll32.exe 96
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ed30e0b7070e46b93cbde82943ac8eb0174c55974a791e61922a304fdcf36db1.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ed30e0b7070e46b93cbde82943ac8eb0174c55974a791e61922a304fdcf36db1.dll,#12⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4424 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe3⤵PID:3136
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4232 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:81⤵PID:3252