Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 22-05-2024 12:26
Behavioral task: behavioral1
- Sample: 1.dll
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 1.dll
- Resource: win10v2004-20240508-en
General
- Target: 1.dll
- Size: 9KB
- MD5: 1ec16da98fa7190204bdd8c7bebfccdf
- SHA1: 2e6922fdc24cfab4e249e54412a79417ceff84cb
- SHA256: 11b68c12632d90ab188f87bcf5dbd8ad054838a25bdd9438fcf88a2e01e5dc33
- SHA512: b26bd70d59805ab7d185d7c6a84360954295b1ed1dcf9f19c2c220cbcaced9314def262a3b54e94b1b36b5a3a57a680a57df0f7a2501008639ed0b4a2e1136b9
- SSDEEP: 48:q0kV3zU9G4aNVh7XphlhEF57/nc6aZrCO1Jzh7xxwvPbOE:vDIKkjBbLxwv
Malware Config
Extracted
- metasploit
- windows/reverse_http
- http://74.48.220.31:8632/DcTIHAkb/1Q9Al5hrrEAhwCDBRCiYGggPZcyiBi_xKi-9qEZ3QhAONrkh9Ts8sac7OLknj_rtSpHvewsrpGalKTjp2-2I_5_pbm2tf36g09eRXRhNxWMR0xZ-A1eGng9-AoB9VMAn0rI92zd8GxT6zYg1eBKt24C6mvr3BBuYBRZYgpXmkV7oFxt-d
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Blocklisted process makes network request (20 IoCs)
  Processes: rundll32.exe
  flow  pid   process
  3     2124  rundll32.exe
  5     2124  rundll32.exe
  6     2124  rundll32.exe
  7     2124  rundll32.exe
  8     2124  rundll32.exe
  9     2124  rundll32.exe
  11    2124  rundll32.exe
  12    2124  rundll32.exe
  13    2124  rundll32.exe
  14    2124  rundll32.exe
  15    2124  rundll32.exe
  16    2124  rundll32.exe
  18    2124  rundll32.exe
  19    2124  rundll32.exe
  20    2124  rundll32.exe
  21    2124  rundll32.exe
  22    2124  rundll32.exe
  23    2124  rundll32.exe
  25    2124  rundll32.exe
  26    2124  rundll32.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: rundll32.exe
  description                           pid   process       target process
  PID 2112 set thread context of 2124   2112  rundll32.exe  rundll32.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                        pid   process       target process
  PID 3024 wrote to memory of 2112   3024  rundll32.exe  rundll32.exe
  PID 3024 wrote to memory of 2112   3024  rundll32.exe  rundll32.exe
  PID 3024 wrote to memory of 2112   3024  rundll32.exe  rundll32.exe
  PID 3024 wrote to memory of 2112   3024  rundll32.exe  rundll32.exe
  PID 3024 wrote to memory of 2112   3024  rundll32.exe  rundll32.exe
  PID 3024 wrote to memory of 2112   3024  rundll32.exe  rundll32.exe
  PID 3024 wrote to memory of 2112   3024  rundll32.exe  rundll32.exe
  PID 2112 wrote to memory of 2124   2112  rundll32.exe  rundll32.exe
  PID 2112 wrote to memory of 2124   2112  rundll32.exe  rundll32.exe
  PID 2112 wrote to memory of 2124   2112  rundll32.exe  rundll32.exe
  PID 2112 wrote to memory of 2124   2112  rundll32.exe  rundll32.exe
  PID 2112 wrote to memory of 2124   2112  rundll32.exe  rundll32.exe
  PID 2112 wrote to memory of 2124   2112  rundll32.exe  rundll32.exe
  PID 2112 wrote to memory of 2124   2112  rundll32.exe  rundll32.exe
  PID 2112 wrote to memory of 2124   2112  rundll32.exe  rundll32.exe
Processes
- (1) C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1.dll,#1
  - Suspicious use of WriteProcessMemory
  - (2) C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1.dll,#1
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - (3) C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe
      - Blocklisted process makes network request