ssload | 73774861d946d62c2105fef4718683796cb77de7ed42edaec7affcee5eb0a0ee

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
19-06-2024 18:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-18-SSLoad-DLL.dll
Size

1.8MB
MD5

ca303668b5420c022ef9c78ce1f2bfb7
SHA1

959a727b907b395aec2b05e5892e2bf78cb5544b
SHA256

73774861d946d62c2105fef4718683796cb77de7ed42edaec7affcee5eb0a0ee
SHA512

a550f4f0487b0467ebf8827fa336c57368fe9debb68cda0b8b3f486d5189a5bbe1ed4c42ae4a6effc60dd6f5f65c6fef6e7ea9592aef2c121f9babc252c37c4d
SSDEEP

49152:XasPOtjnq0Fx47oxpxuZZFIGkTagevclh:XasPUjnqKIodcZYeTvclh

Score

10^/10

ssload loader

Malware Config

Signatures

SSLoad
SSLoad Unpacked DLL payload.
loader ssload

Detects SSLoad Unpacked payload 1 IoCs

loader

Processes:

resource	yara_rule
behavioral2/memory/1964-10-0x00000000037F0000-0x0000000003861000-memory.dmp	family_ssload

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

36 api.ipify.org
37 api.ipify.org
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

748 schtasks.exe

flow	ioc
36	api.ipify.org
37	api.ipify.org

pid	process
748	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 1552 wrote to memory of 1964	1552	regsvr32.exe	regsvr32.exe
PID 1552 wrote to memory of 1964	1552	regsvr32.exe	regsvr32.exe
PID 1552 wrote to memory of 1964	1552	regsvr32.exe	regsvr32.exe
PID 1964 wrote to memory of 748	1964	regsvr32.exe	schtasks.exe
PID 1964 wrote to memory of 748	1964	regsvr32.exe	schtasks.exe
PID 1964 wrote to memory of 748	1964	regsvr32.exe	schtasks.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2024-04-18-SSLoad-DLL.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\2024-04-18-SSLoad-DLL.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /sc minute /mo 10 /tn "EdgeUpdate" /tr "regsvr32.exe /s C:\Users\Admin\AppData\Local\Temp\2024-04-18-SSLoad-DLL.dll" /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:748

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1964-0-0x0000000010000000-0x00000000101DB000-memory.dmp

Filesize
1.9MB

Download
memory/1964-1-0x0000000002D90000-0x0000000002F1F000-memory.dmp

Filesize
1.6MB

Download
memory/1964-2-0x0000000002F20000-0x00000000030AC000-memory.dmp

Filesize
1.5MB

Download
memory/1964-10-0x00000000037F0000-0x0000000003861000-memory.dmp

Filesize
452KB

Download