Resubmissions
- 01-05-2024 18:06  240501-wp7pzscg9x  10
- 18-04-2024 14:15  240418-rkp7xsfd39  10
- 17-04-2024 14:48  240417-r6e9vacg64  8

Analysis
- max time kernel: 450s
- max time network: 495s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-05-2024 18:06
Static task
- static1: 1 signatures

Behavioral task
- behavioral1
- Sample: forcedelctl.dll
- Resource: win7-20240221-en (windows7-x64)
- 5 signatures
- 600 seconds
General
- Target: forcedelctl.dll
- Size: 956KB
- MD5: b28a478eb5b99efcdc7caf428bffb89a
- SHA1: d394c7b8fe15753bfbff79fb4f648f6f8bae70f9
- SHA256: 3bca1dcaef4430272b9029c9a4bc8be0d45ecff66e8de8679ed30d8afab00f6f
- SHA512: decb2581f64949bfaaaf0368917f0705d7a4b7392ec272eda025cf06a4384ec4cdd5202081c2e085f00645029dd96bfef262e8628bed1861185adf6281c1cc88
- SSDEEP: 24576:rs6ZRS5J3ifJvlxfcdaeti7w+0bf0XznPMvPD:Yni8dK9CEMXD
Malware Config

Signatures
- Detects SSLoad Unpacked payload (2 IoCs)
  Processes (resource / yara_rule):
  behavioral2/memory/4944-2-0x0000000002D70000-0x0000000002DE3000-memory.dmp  family_ssload
  behavioral2/memory/4944-4-0x0000000002C90000-0x0000000002D05000-memory.dmp  family_ssload
- Blocklisted process makes network request (2 IoCs)
  Processes: rundll32.exe (flow / pid / process):
  5   4944  rundll32.exe
  30  4944  rundll32.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow / ioc):
  4  api.ipify.org
  5  api.ipify.org
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: rundll32.exe (description / pid / process / target process):
  PID 1824 wrote to memory of 4944  1824  rundll32.exe  rundll32.exe
  PID 1824 wrote to memory of 4944  1824  rundll32.exe  rundll32.exe
  PID 1824 wrote to memory of 4944  1824  rundll32.exe  rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\forcedelctl.dll,#1
  Suspicious use of WriteProcessMemory
  PID: 1824
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\forcedelctl.dll,#1
    Blocklisted process makes network request
    PID: 4944