Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-05-2024 11:11
Behavioral task: behavioral1
- Sample: dolphin.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: dolphin.exe
- Resource: win10v2004-20240508-en
General
- Target: dolphin.exe
- Size: 49KB
- MD5: a8d122b4f018d69a87bfefac354dadec
- SHA1: ca065d08ed255fb72e3dc3f2ae76ad3d9a436875
- SHA256: 8e0029263ffa6d3b6b2c4c762ce1d2cfd6042501e8e4cddf91aa2020dce15605
- SHA512: 39732c7af6027b4de628c2f6ed6635c720e2a046d5b465759a43934723cd872b577cfb4d3d3d2489ff94d1a49441b14f7fda5500e0e3e7073450f16d1aa82e1c
- SSDEEP: 768:jxEOjnLj98hUO47oKHLAPP3lLuzZPKq+kXKZHlm3o7L:znLWKd7bHkPP3lLuBZ+AKZFm3oP
Malware Config
- Extracted: metasploit, windows/exec
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Grants admin privileges (1 TTPs)
  Uses net.exe to modify the user's privileges.
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: dolphin.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dolphin.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dolphin.exe"
  process: dolphin.exe
- Enumerates processes with tasklist (1 TTPs, 1 IoCs)
- Gathers system information (1 TTPs, 1 IoCs)
  Runs systeminfo.exe.
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: dolphin.exe, powershell.exe
  pid  process
  2004 dolphin.exe
  2004 dolphin.exe
  3396 powershell.exe
  3396 powershell.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: whoami.exe, tasklist.exe, powershell.exe, reg.exe
  description               pid  process
  Token: SeDebugPrivilege   4532 whoami.exe
  Token: SeDebugPrivilege   1264 tasklist.exe
  Token: SeDebugPrivilege   3396 powershell.exe
  Token: SeBackupPrivilege  4836 reg.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: OpenWith.exe
  pid  process
  2620 OpenWith.exe
- Suspicious use of WriteProcessMemory (37 IoCs)
  Processes: dolphin.exe, cmd.exe, net.exe, cmd.exe, cmd.exe, cmd.exe, notepad.exe, powershell.exe
  Each row is one parent-to-child write; the count is how many identical events the sandbox recorded.
  description                        pid  process        target process   events
  PID 2004 wrote to memory of 3888   2004 dolphin.exe    cmd.exe          3
  PID 3888 wrote to memory of 4056   3888 cmd.exe        net.exe          3
  PID 4056 wrote to memory of 4904   4056 net.exe        net1.exe         3
  PID 2004 wrote to memory of 3504   2004 dolphin.exe    cmd.exe          3
  PID 3504 wrote to memory of 2880   3504 cmd.exe        systeminfo.exe   3
  PID 2004 wrote to memory of 4000   2004 dolphin.exe    cmd.exe          3
  PID 4000 wrote to memory of 4532   4000 cmd.exe        whoami.exe       3
  PID 2004 wrote to memory of 5020   2004 dolphin.exe    cmd.exe          3
  PID 5020 wrote to memory of 1264   5020 cmd.exe        tasklist.exe     3
  PID 2004 wrote to memory of 3068   2004 dolphin.exe    notepad.exe      4
  PID 3068 wrote to memory of 3396   3068 notepad.exe    powershell.exe   3
  PID 3396 wrote to memory of 4836   3396 powershell.exe reg.exe          3
Processes (nesting depth in brackets; each child was spawned by the entry above it)
- [1] C:\Users\Admin\AppData\Local\Temp\dolphin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dolphin.exe"
  PID: 2004
  Signatures: Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c net localgroup administrators
    PID: 3888
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\net.exe
      Command line: net localgroup administrators
      PID: 4056
      Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 localgroup administrators
        PID: 4904
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c systeminfo
    PID: 3504
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\systeminfo.exe
      Command line: systeminfo
      PID: 2880
      Signatures: Gathers system information
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c whoami
    PID: 4000
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\whoami.exe
      Command line: whoami
      PID: 4532
      Signatures: Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c tasklist
    PID: 5020
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\tasklist.exe
      Command line: tasklist
      PID: 1264
      Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\notepad.exe
    Command line: "C:\Windows\System32\notepad.exe"
    PID: 3068
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -w 1 "reg.exe save HKLM\SAM bin"
      PID: 3396
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\reg.exe
        Command line: "C:\Windows\system32\reg.exe" save HKLM\SAM bin
        PID: 4836
        Signatures: Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 2620
  Signatures: Suspicious use of SetWindowsHookEx
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82