Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-05-2024 11:11

General

  • Target

    dolphin.exe

  • Size

    49KB

  • MD5

    a8d122b4f018d69a87bfefac354dadec

  • SHA1

    ca065d08ed255fb72e3dc3f2ae76ad3d9a436875

  • SHA256

    8e0029263ffa6d3b6b2c4c762ce1d2cfd6042501e8e4cddf91aa2020dce15605

  • SHA512

    39732c7af6027b4de628c2f6ed6635c720e2a046d5b465759a43934723cd872b577cfb4d3d3d2489ff94d1a49441b14f7fda5500e0e3e7073450f16d1aa82e1c

  • SSDEEP

    768:jxEOjnLj98hUO47oKHLAPP3lLuzZPKq+kXKZHlm3o7L:znLWKd7bHkPP3lLuBZ+AKZFm3oP

Malware Config

Extracted

Family

metasploit

Version

windows/exec

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dolphin.exe
    "C:\Users\Admin\AppData\Local\Temp\dolphin.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c net localgroup administrators
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3888
      • C:\Windows\SysWOW64\net.exe
        net localgroup administrators
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4056
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 localgroup administrators
          4⤵
            PID:4904
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c systeminfo
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3504
        • C:\Windows\SysWOW64\systeminfo.exe
          systeminfo
          3⤵
          • Gathers system information
          PID:2880
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c whoami
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4000
        • C:\Windows\SysWOW64\whoami.exe
          whoami
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4532
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c tasklist
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:5020
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:1264
      • C:\Windows\SysWOW64\notepad.exe
        "C:\Windows\System32\notepad.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3068
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -w 1 "reg.exe save HKLM\SAM bin"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3396
          • C:\Windows\SysWOW64\reg.exe
            "C:\Windows\system32\reg.exe" save HKLM\SAM bin
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4836
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:2620

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vpqlahvd.1au.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • memory/2004-23-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

    • memory/3068-0-0x0000000002330000-0x0000000002331000-memory.dmp

      Filesize

      4KB

    • memory/3396-4-0x0000000004B10000-0x0000000004B46000-memory.dmp

      Filesize

      216KB

    • memory/3396-5-0x0000000005180000-0x00000000057A8000-memory.dmp

      Filesize

      6.2MB

    • memory/3396-6-0x00000000050F0000-0x0000000005112000-memory.dmp

      Filesize

      136KB

    • memory/3396-7-0x00000000058E0000-0x0000000005946000-memory.dmp

      Filesize

      408KB

    • memory/3396-8-0x0000000005950000-0x00000000059B6000-memory.dmp

      Filesize

      408KB

    • memory/3396-18-0x0000000005BD0000-0x0000000005F24000-memory.dmp

      Filesize

      3.3MB

    • memory/3396-19-0x0000000005F80000-0x0000000005F9E000-memory.dmp

      Filesize

      120KB

    • memory/3396-20-0x0000000006030000-0x000000000607C000-memory.dmp

      Filesize

      304KB