ssload | 3bca1dcaef4430272b9029c9a4bc8be0d45ecff66e8de8679ed30d8afab00f6f | Triage

Analysis

max time kernel
144s
max time network
149s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
19-06-2024 18:18

Sharing

Report Analysis Logs

General

Target

forcedelctl.dll
Size

956KB
MD5

b28a478eb5b99efcdc7caf428bffb89a
SHA1

d394c7b8fe15753bfbff79fb4f648f6f8bae70f9
SHA256

3bca1dcaef4430272b9029c9a4bc8be0d45ecff66e8de8679ed30d8afab00f6f
SHA512

decb2581f64949bfaaaf0368917f0705d7a4b7392ec272eda025cf06a4384ec4cdd5202081c2e085f00645029dd96bfef262e8628bed1861185adf6281c1cc88
SSDEEP

24576:rs6ZRS5J3ifJvlxfcdaeti7w+0bf0XznPMvPD:Yni8dK9CEMXD

Score

10^/10

ssload loader

Malware Config

Signatures

SSLoad
SSLoad Unpacked DLL payload.
loader ssload

Detects SSLoad Unpacked payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1896-1-0x0000000001E60000-0x0000000001ED3000-memory.dmp	family_ssload
behavioral1/memory/1896-4-0x00000000008F0000-0x0000000000965000-memory.dmp	family_ssload

Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

3 1896 rundll32.exe
4 1896 rundll32.exe
5 1896 rundll32.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 api.ipify.org
3 api.ipify.org

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2208 wrote to memory of 1896	2208	rundll32.exe	rundll32.exe
PID 2208 wrote to memory of 1896	2208	rundll32.exe	rundll32.exe
PID 2208 wrote to memory of 1896	2208	rundll32.exe	rundll32.exe
PID 2208 wrote to memory of 1896	2208	rundll32.exe	rundll32.exe
PID 2208 wrote to memory of 1896	2208	rundll32.exe	rundll32.exe
PID 2208 wrote to memory of 1896	2208	rundll32.exe	rundll32.exe
PID 2208 wrote to memory of 1896	2208	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\forcedelctl.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\forcedelctl.dll,#1
  2⤵
  - Blocklisted process makes network request
  PID:1896

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1896-0-0x0000000010000000-0x00000000100F9000-memory.dmp

Filesize
996KB

Download
memory/1896-1-0x0000000001E60000-0x0000000001ED3000-memory.dmp

Filesize
460KB

Download
memory/1896-4-0x00000000008F0000-0x0000000000965000-memory.dmp

Filesize
468KB

Download
memory/1896-5-0x0000000010000000-0x00000000100F9000-memory.dmp

Filesize
996KB

Download