Analysis

  • max time kernel
    94s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-12-2024 01:57

General

  • Target

    连力晋-中央财经大学-金融科技-2022.6-5天-2021.5.4/list2.jpg.dll

  • Size

    176KB

  • MD5

    081bd2c1ce9df69f5b6c6abacb75f403

  • SHA1

    f1ae82059e950ae39f697fcffc20b2795d4ec991

  • SHA256

    8b1d19a05dc2f30b8f876b2abf3651bae6f61cc425fbd6be2c5e0662981bf79e

  • SHA512

    339be9bf9b0510d0011233a02d40623b3aa652c447306df5645ac1c43f57cfa28afa5883ce9b9606a7d8bd524cc7df76fed346563b873298eca80c4fb9f3075c

  • SSDEEP

    3072:UeGfFChEXD/7J/pwiC9JJJoyPf/UREvu2HLJzodzCFZ/xAg0FujKSSaGwq2Ox:U/COz/t/Ki8bDnURAu2HacfAOfBq2Ox

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://110.157.231.33:80/css/_utf.gif?id=18721

Attributes
  • headers Host: picc.com.cn Cookie: QiHooGUID=C9FA6432AF75.1573373412127; User-Agent: Mozilla/5.0 (Linux; Android 4.1.1; Nexus 7 Build/JRO03D) AppleWebKit/535.19 (KHTML, like Gecko)

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Metasploit family
  • Blocklisted process makes network request 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\连力晋-中央财经大学-金融科技-2022.6-5天-2021.5.4\list2.jpg.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3016
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\连力晋-中央财经大学-金融科技-2022.6-5天-2021.5.4\list2.jpg.dll,#1
      2⤵
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      PID:3292

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3292-0-0x0000000001450000-0x0000000001451000-memory.dmp

    Filesize

    4KB