Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-05-2024 12:26

Behavioral task: behavioral1
  Sample: 1.dll
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample: 1.dll
  Resource: win10v2004-20240508-en
General

Target: 1.dll
Size: 9KB
MD5: 1ec16da98fa7190204bdd8c7bebfccdf
SHA1: 2e6922fdc24cfab4e249e54412a79417ceff84cb
SHA256: 11b68c12632d90ab188f87bcf5dbd8ad054838a25bdd9438fcf88a2e01e5dc33
SHA512: b26bd70d59805ab7d185d7c6a84360954295b1ed1dcf9f19c2c220cbcaced9314def262a3b54e94b1b36b5a3a57a680a57df0f7a2501008639ed0b4a2e1136b9
SSDEEP: 48:q0kV3zU9G4aNVh7XphlhEF57/nc6aZrCO1Jzh7xxwvPbOE:vDIKkjBbLxwv
Malware Config

Extracted
  Family: metasploit
  Payload: windows/reverse_http
  C2: http://74.48.220.31:8632/DcTIHAkb/1Q9Al5hrrEAhwCDBRCiYGggPZcyiBi_xKi-9qEZ3QhAONrkh9Ts8sac7OLknj_rtSpHvewsrpGalKTjp2-2I_5_pbm2tf36g09eRXRhNxWMR0xZ-A1eGng9-AoB9VMAn0rI92zd8GxT6zYg1eBKt24C6mvr3BBuYBRZYgpXmkV7oFxt-d
Signatures

- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

- Blocklisted process makes network request (10 IoCs)
  Processes:
    flow  pid   process
    4     1976  rundll32.exe
    23    1976  rundll32.exe
    30    1976  rundll32.exe
    31    1976  rundll32.exe
    39    1976  rundll32.exe
    46    1976  rundll32.exe
    47    1976  rundll32.exe
    48    1976  rundll32.exe
    50    1976  rundll32.exe
    57    1976  rundll32.exe

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid   process       target process
    PID 4520 set thread context of 1976  4520  rundll32.exe  rundll32.exe

- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
    description                        pid   process       target process
    PID 3076 wrote to memory of 4520   3076  rundll32.exe  rundll32.exe
    PID 3076 wrote to memory of 4520   3076  rundll32.exe  rundll32.exe
    PID 3076 wrote to memory of 4520   3076  rundll32.exe  rundll32.exe
    PID 4520 wrote to memory of 1976   4520  rundll32.exe  rundll32.exe
    PID 4520 wrote to memory of 1976   4520  rundll32.exe  rundll32.exe
    PID 4520 wrote to memory of 1976   4520  rundll32.exe  rundll32.exe
    PID 4520 wrote to memory of 1976   4520  rundll32.exe  rundll32.exe
Processes

- C:\Windows\system32\rundll32.exe
  Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1.dll,#1
  PID: 3076
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1.dll,#1
    PID: 4520
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      Command: rundll32.exe
      PID: 1976
      - Blocklisted process makes network request