Analysis
- max time kernel: 140s
- max time network: 123s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-04-2024 18:20
Behavioral task: behavioral1
- Sample: de64f766c5148db03d216ee7b88ba1ab51b74e4b34aa6ef7315882d0881c71eb.dll
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: de64f766c5148db03d216ee7b88ba1ab51b74e4b34aa6ef7315882d0881c71eb.dll
- Resource: win10v2004-20240412-en
General
- Target: de64f766c5148db03d216ee7b88ba1ab51b74e4b34aa6ef7315882d0881c71eb.dll
- Size: 71KB
- MD5: 05d0dbfe2b283d68835bad401b2d1f29
- SHA1: f05d782d30707b43e924a3839aeaa93aea64e77a
- SHA256: de64f766c5148db03d216ee7b88ba1ab51b74e4b34aa6ef7315882d0881c71eb
- SHA512: a22d84d88cf938fe421e43e02be54449d99926de00664cd20d4d2aa6f5206789c69177db891169f2597a1648e28bddbdbd2c345df51c2f075698a0213773809e
- SSDEEP: 1536:otNzVQFop4QflDN7rdWkfrZZgsWccdl/AToP08Y:yDRptlDN7Jfrjcl/ATc08Y
Malware Config
Extracted
metasploit
windows/download_exec
http://90aaaeb62492.ngrok.io:80/Th2n
- headers User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Blocklisted process makes network request (4 IoCs)
  Processes: rundll32.exe
    flow  pid  process
    8     748  rundll32.exe
    11    748  rundll32.exe
    14    748  rundll32.exe
    17    748  rundll32.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
- Program crash (1 IoCs)
  Processes: WerFault.exe
    pid   pid_target  process       target process
    3436  748         WerFault.exe  rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: rundll32.exe
    description                      pid   process       target process
    PID 1800 wrote to memory of 748  1800  rundll32.exe  rundll32.exe
    PID 1800 wrote to memory of 748  1800  rundll32.exe  rundll32.exe
    PID 1800 wrote to memory of 748  1800  rundll32.exe  rundll32.exe
Processes
1. C:\Windows\system32\rundll32.exe
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\de64f766c5148db03d216ee7b88ba1ab51b74e4b34aa6ef7315882d0881c71eb.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\de64f766c5148db03d216ee7b88ba1ab51b74e4b34aa6ef7315882d0881c71eb.dll,#1
      - Blocklisted process makes network request
      3. C:\Windows\SysWOW64\WerFault.exe
         C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 1796
         - Program crash
1. C:\Windows\SysWOW64\WerFault.exe
   C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 748 -ip 748