Analysis
  Max time kernel: 141s
  Max time network: 152s
  Platform: windows10-2004_x64
  Resource: win10v2004-20240226-en
  Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  Submitted: 22-05-2024 18:21
Behavioral task: behavioral1
  Sample: 1.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 1.dll
  Resource: win10v2004-20240226-en
General
  Target: 1.dll
  Size: 9KB
  MD5: 1ec16da98fa7190204bdd8c7bebfccdf
  SHA1: 2e6922fdc24cfab4e249e54412a79417ceff84cb
  SHA256: 11b68c12632d90ab188f87bcf5dbd8ad054838a25bdd9438fcf88a2e01e5dc33
  SHA512: b26bd70d59805ab7d185d7c6a84360954295b1ed1dcf9f19c2c220cbcaced9314def262a3b54e94b1b36b5a3a57a680a57df0f7a2501008639ed0b4a2e1136b9
  SSDEEP: 48:q0kV3zU9G4aNVh7XphlhEF57/nc6aZrCO1Jzh7xxwvPbOE:vDIKkjBbLxwv
Malware Config (extracted)
  Family: metasploit
  Payload: windows/reverse_http
  URL: http://74.48.220.31:8632/DcTIHAkb/1Q9Al5hrrEAhwCDBRCiYGggPZcyiBi_xKi-9qEZ3QhAONrkh9Ts8sac7OLknj_rtSpHvewsrpGalKTjp2-2I_5_pbm2tf36g09eRXRhNxWMR0xZ-A1eGng9-AoB9VMAn0rI92zd8GxT6zYg1eBKt24C6mvr3BBuYBRZYgpXmkV7oFxt-d
Signatures
  MetaSploit
    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  Blocklisted process makes network request (10 IoCs)
    Process: rundll32.exe (PID 5012)
    Network flows: 5, 20, 28, 44, 45, 46, 47, 49, 53, 54
  Suspicious use of SetThreadContext (1 IoC)
    PID 1712 rundll32.exe set thread context of PID 5012 rundll32.exe
  Suspicious use of WriteProcessMemory (7 IoCs)
    PID 3932 rundll32.exe wrote to memory of PID 1712 rundll32.exe (3 events)
    PID 1712 rundll32.exe wrote to memory of PID 5012 rundll32.exe (4 events)
Processes
  C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1.dll,#1
    Signatures: Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1.dll,#1
      Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\rundll32.exe
        Command line: rundll32.exe
        Signatures: Blocklisted process makes network request
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix
Downloads
  memory/5012-0-0x0000000001200000-0x0000000001201000-memory.dmp (Filesize: 4KB)