Analysis
max time kernel: 140s
max time network: 118s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 20-05-2024 11:11
Behavioral task: behavioral1
  Sample: dolphin.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: dolphin.exe
  Resource: win10v2004-20240508-en
General
Target: dolphin.exe
Size: 49KB
MD5: a8d122b4f018d69a87bfefac354dadec
SHA1: ca065d08ed255fb72e3dc3f2ae76ad3d9a436875
SHA256: 8e0029263ffa6d3b6b2c4c762ce1d2cfd6042501e8e4cddf91aa2020dce15605
SHA512: 39732c7af6027b4de628c2f6ed6635c720e2a046d5b465759a43934723cd872b577cfb4d3d3d2489ff94d1a49441b14f7fda5500e0e3e7073450f16d1aa82e1c
SSDEEP: 768:jxEOjnLj98hUO47oKHLAPP3lLuzZPKq+kXKZHlm3o7L:znLWKd7bHkPP3lLuBZ+AKZFm3oP
Malware Config
Extracted
metasploit
windows/exec
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Grants admin privileges (1 TTP)
Uses net.exe to modify the user's privileges.
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: dolphin.exe
  description: Set value (str)
  ioc:         \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\dolphin.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dolphin.exe"
  process:     dolphin.exe
Enumerates processes with tasklist (1 TTP, 1 IoC)

Gathers system information (1 TTP, 1 IoC)
Runs systeminfo.exe.

Runs net.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: dolphin.exe, powershell.exe
  pid   process
  2316  dolphin.exe
  2596  powershell.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: whoami.exe, tasklist.exe, powershell.exe, reg.exe
  description               pid   process
  Token: SeDebugPrivilege   3052  whoami.exe
  Token: SeDebugPrivilege   2620  tasklist.exe
  Token: SeDebugPrivilege   2596  powershell.exe
  Token: SeBackupPrivilege  2532  reg.exe
Suspicious use of WriteProcessMemory (49 IoCs)
Processes: dolphin.exe, cmd.exe, net.exe, cmd.exe, cmd.exe, cmd.exe, notepad.exe, powershell.exe
Repeated identical entries are grouped; the events column gives how many times each write was recorded (49 in total).
  description                        pid   process         target process   events
  PID 2316 wrote to memory of 2196   2316  dolphin.exe     cmd.exe          4
  PID 2196 wrote to memory of 2216   2196  cmd.exe         net.exe          4
  PID 2216 wrote to memory of 3040   2216  net.exe         net1.exe         4
  PID 2316 wrote to memory of 2064   2316  dolphin.exe     cmd.exe          4
  PID 2064 wrote to memory of 3048   2064  cmd.exe         systeminfo.exe   4
  PID 2316 wrote to memory of 2464   2316  dolphin.exe     cmd.exe          4
  PID 2464 wrote to memory of 3052   2464  cmd.exe         whoami.exe       4
  PID 2316 wrote to memory of 2760   2316  dolphin.exe     cmd.exe          4
  PID 2760 wrote to memory of 2620   2760  cmd.exe         tasklist.exe     4
  PID 2316 wrote to memory of 2820   2316  dolphin.exe     notepad.exe      5
  PID 2820 wrote to memory of 2596   2820  notepad.exe     powershell.exe   4
  PID 2596 wrote to memory of 2532   2596  powershell.exe  reg.exe          4
Processes (indented by depth in the process tree)

C:\Users\Admin\AppData\Local\Temp\dolphin.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\dolphin.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c net localgroup administrators
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net.exe
      command line: net localgroup administrators
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 localgroup administrators

  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c systeminfo
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\systeminfo.exe
      command line: systeminfo
      - Gathers system information

  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c whoami
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\whoami.exe
      command line: whoami
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c tasklist
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\tasklist.exe
      command line: tasklist
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\notepad.exe
    command line: "C:\Windows\System32\notepad.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command line: powershell -w 1 "reg.exe save HKLM\SAM bin"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\reg.exe
        command line: "C:\Windows\system32\reg.exe" save HKLM\SAM bin
        - Suspicious use of AdjustPrivilegeToken