Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
24-12-2024 10:01
General
-
Target
һ֪ͨ/list3.dll
-
Size
177KB
-
MD5
e6879ea2d9819ec65acca8733725b02b
-
SHA1
fb3366220304a3a046ff4036f76f533bb4ab757a
-
SHA256
786773e8633643ee68da5ecbb559b8dda6505b3290a3875a1dcef6ddb873e5fa
-
SHA512
9050922eab7fe05b1476252aba8e841a519d39446bd59ae67184463151e36d156ddb81fc354d6aa36dedcb395016b0d81b299c78d604ae0405eafecdacef35d3
-
SSDEEP
3072:A1RctNPecymFXIFVuiCfdJ63nD6vNpNu2Hx0G8dLfJN/xAg0FujtuSta+01UOxcH:AmNGhmJIF4imPK6lTu2HePrAOwR/1UOO
Score
10/10
Malware Config
Extracted
Family
metasploit
Version
windows/download_exec
C2
http://42.56.76.11:80/apich/_utf.gif?id=18721
Attributes
- headers Host: ctg.com.cn Cookie: QiHooGUID=C9FA6432AF75.1573373412127; User-Agent: Mozilla/5.0 (Linux; Android 4.1.1; Nexus 7 Build/JRO03D) AppleWebKit/535.19 (KHTML, like Gecko)
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Blocklisted process makes network request 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\һ֪ͨ\list3.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\һ֪ͨ\list3.dll,#12⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB