Analysis
-
max time kernel
143s -
max time network
144s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
13-11-2020 19:31
Static task
static1
Behavioral task
behavioral1
Sample
PL64.dll
Resource
win7v20201028
Behavioral task
behavioral2
Sample
PL64.dll
Resource
win10v20201028
General
-
Target
PL64.dll
-
Size
192KB
-
MD5
5a710e940d55b74ddba422b0721a073a
-
SHA1
c206d9d1cfa9dda15c89dade8725549eb9c50627
-
SHA256
779f5fa30734c1e35d61d0bad3961c60acd3553c33d91f057115be823ab54927
-
SHA512
227a35b52c4c82962b18b5981a74e73e24ee49530bede8a3ae6c5228b92829c993454bf6c2f76f3559bed357302ca4ddaa184207eed5970c1cf1f49e11a2b42a
Malware Config
Extracted
metasploit
windows/download_exec
http://driversna.com:443/files/tab_shop.png
Extracted
cobaltstrike
http://er.driversna.com:443/fo
http://df.driversna.com:443/fo
http://cv.driversna.com:443/fo
-
access_type
512
-
beacon_type
2048
-
create_remote_thread
0
-
day
0
-
dns_idle
4.5673843e+07
-
dns_sleep
1.694498816e+09
-
host
er.driversna.com,/fo,df.driversna.com,/fo,cv.driversna.com,/fo
-
http_header1
AAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAcAAAAAAAAACwAAAAMAAAACAAAABUhTSUQ9AAAABgAAAAZDb29raWUAAAAJAAAADmRicHJlZml4PWZhbHNlAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAoAAAAVQWNjZXB0LUVuY29kaW5nOiBnemlwAAAACgAAAC9Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZAAAAAcAAAABAAAACAAAAAMAAAACAAAACWRicHJlZml4PQAAAAQAAAAHAAAAAAAAAAMAAAACAAAADl9fc2Vzc2lvbl9faWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
- injection_process
-
jitter
10496
-
maxdns
255
-
month
0
- pipe_name
-
polling_time
59957
-
port_number
443
- proxy_password
- proxy_server
- proxy_username
-
sc_process32
%windir%\syswow64\regsvr32.exe
-
sc_process64
%windir%\sysnative\regsvr32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCjAX68sewYZJjpqnXffGvEpuKnWAUCV3KlxJ4CoM+2HFSmT00/IHjJUOYEXMrClE5CUDj2v8aGxUtojZBY8FlfcpQ3e57Qu70ZSp2CoiGaMF9vRza/16UqA1giNQESZorQf962VJoNg/SKqWaZC+nFzkaUbDRebBcHK5lCw4qjbwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4.272630272e+09
-
unknown2
AAAABAAAAAIAAAFSAAAAAwAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown3
0
-
unknown4
0
-
unknown5
0
-
uri
/eo
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9
-
year
0
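The http_header1 and http_header2 values above are not opaque: each is a Cobalt Strike malleable-C2 transform program, a sequence of big-endian 32-bit opcodes, some followed by a length-prefixed string, zero-padded out to the field size. The decoder below is an added example written for this report (it is not Triage or Cobalt Strike code); the opcode names follow the public Beacon config parsers such as Didier Stevens' 1768.py, and the two constants are the blobs copied verbatim from the extracted config above.

```python
"""Decode the http_header1 / http_header2 transform blobs of a Beacon config.

Added example for this report, not Triage or Cobalt Strike code. Opcode names
follow the public Beacon config parsers (e.g. Didier Stevens' 1768.py).
"""
import base64
import struct

# opcode -> (name, number of length-prefixed string arguments). Opcode 7 ("build")
# instead takes one 4-byte integer selecting which data the block transforms.
OPCODES = {
    1: ("append", 1), 2: ("prepend", 1), 3: ("base64", 0), 4: ("print", 0),
    5: ("parameter", 1), 6: ("header", 1), 7: ("build", 0), 8: ("netbios", 0),
    9: ("const_parameter", 1), 10: ("const_header", 1), 11: ("netbiosu", 0),
    12: ("uri_append", 0), 13: ("base64url", 0), 14: ("strrep", 2),
    15: ("mask", 0), 16: ("const_host_header", 1),
}
BUILD_TARGET = {0: "metadata", 1: "output"}
ENCODERS = {"base64", "base64url", "netbios", "netbiosu", "mask"}

# The two blobs copied verbatim from the extracted cobaltstrike config above.
HTTP_HEADER1 = "AAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAcAAAAAAAAACwAAAAMAAAACAAAABUhTSUQ9AAAABgAAAAZDb29raWUAAAAJAAAADmRicHJlZml4PWZhbHNlAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
HTTP_HEADER2 = "AAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAoAAAAVQWNjZXB0LUVuY29kaW5nOiBnemlwAAAACgAAAC9Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZAAAAAcAAAABAAAACAAAAAMAAAACAAAACWRicHJlZml4PQAAAAQAAAAHAAAAAAAAAAMAAAACAAAADl9fc2Vzc2lvbl9faWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="


def parse_transform(blob_b64):
    """Parse one transform program into a list of (name, *args) tuples."""
    blob_b64 = blob_b64.strip()
    data = base64.b64decode(blob_b64 + "=" * (-len(blob_b64) % 4))
    steps, pos = [], 0
    while pos + 4 <= len(data):
        (opcode,) = struct.unpack_from(">I", data, pos)
        pos += 4
        if opcode == 0:  # field is zero-padded; the first 0 opcode ends the program
            break
        name, nargs = OPCODES.get(opcode, (f"unknown_{opcode}", 0))
        args = []
        if opcode == 7:  # build: which data is being transformed
            (target,) = struct.unpack_from(">I", data, pos)
            pos += 4
            args.append(BUILD_TARGET.get(target, str(target)))
        for _ in range(nargs):  # length-prefixed string arguments
            (length,) = struct.unpack_from(">I", data, pos)
            pos += 4
            args.append(data[pos:pos + length].decode("latin-1"))
            pos += length
        steps.append((name, *args))
    return steps


def describe_carriers(steps):
    """Fold each build block into one line: where the data lands and how it is encoded."""
    lines, expr = [], None
    for name, *args in steps:
        if name == "build":
            expr = args[0]
        elif expr is None:  # outside a build block: a constant header/parameter
            lines.append(" ".join([name] + [repr(a) for a in args]))
        elif name in ENCODERS:
            expr = f"{name}({expr})"
        elif name == "prepend":
            expr = f"{args[0]!r} + {expr}"
        elif name == "append":
            expr = f"{expr} + {args[0]!r}"
        elif name == "header":
            lines.append(f"header {args[0]}: {expr}")
            expr = None
        elif name == "parameter":
            lines.append(f"query parameter {args[0]}={expr}")
            expr = None
        elif name == "print":
            lines.append(f"body: {expr}")
            expr = None
        elif name == "uri_append":
            lines.append(f"uri suffix: {expr}")
            expr = None
        else:  # strrep or an opcode this table does not know; keep it visible
            expr = f"{name}({expr})"
    return lines


if __name__ == "__main__":
    for label, blob in (("http_header1 (GET)", HTTP_HEADER1), ("http_header2 (POST)", HTTP_HEADER2)):
        print(label)
        for line in describe_carriers(parse_transform(blob)):
            print("  " + line)
```

Decoded, the GET side of this sample carries base64(netbiosu(metadata)) in a Cookie header prefixed with HSID= and adds a constant dbprefix=false query parameter; the POST side sends base64(netbios(output)) in the body after dbprefix= and the session metadata in Cookie: __session__id=, with constant Connection: close, Accept-Encoding: gzip and Content-Type: application/x-www-form-urlencoded headers. Those constants, the Safari-on-Mac user_agent and the /eo and /fo URIs over port 443 are the fields a network detection for this beacon should key on.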
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Suspicious use of WriteProcessMemory (4 IoCs)
Processes: regsvr32.exe, cmd.exe
description                         pid    process        target process
PID 4796 wrote to memory of 3192    4796   regsvr32.exe   cmd.exe
PID 4796 wrote to memory of 3192    4796   regsvr32.exe   cmd.exe
PID 3192 wrote to memory of 684     3192   cmd.exe        nltest.exe
PID 3192 wrote to memory of 684     3192   cmd.exe        nltest.exe
Processes
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\PL64.dll
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /C nltest /domain_trusts /all_trusts
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\nltest.exe
      nltest /domain_trusts /all_trusts
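The process tree is the behavioural half of this report: the sandbox loads the DLL through regsvr32 /s, the Beacon then runs cmd.exe /C nltest /domain_trusts /all_trusts, and nltest enumerates domain trusts (the WriteProcessMemory hits are the parent writing into each child it creates). The detection below is an added example for this report, not sandbox output; it runs three rules over process-creation records of the kind Sysmon Event ID 1 or an EDR produces. The events are constructed to mirror the tree above (same PIDs, images and command lines) plus two benign controls, and the rule names are this example's own.

```python
"""Detection logic for the chain regsvr32.exe -> cmd.exe -> nltest /domain_trusts.

Added example for this report, not sandbox output. SAMPLE_EVENTS is constructed
to mirror the report's process tree plus two benign controls.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (Sysmon Event ID 1 or EDR equivalent)."""
    pid: int
    ppid: int
    image: str
    command_line: str


SAMPLE_EVENTS = [
    # the three processes from this report (parent PID of regsvr32 is assumed)
    ProcessEvent(4796, 1000, r"C:\Windows\system32\regsvr32.exe",
                 r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\PL64.dll"),
    ProcessEvent(3192, 4796, r"C:\Windows\system32\cmd.exe",
                 r"C:\Windows\system32\cmd.exe /C nltest /domain_trusts /all_trusts"),
    ProcessEvent(684, 3192, r"C:\Windows\system32\nltest.exe",
                 r"nltest /domain_trusts /all_trusts"),
    # constructed benign controls: vendor DLL registration, interactive shell
    ProcessEvent(5000, 1000, r"C:\Windows\system32\regsvr32.exe",
                 r"regsvr32 /s C:\Program Files\Vendor\vendor.dll"),
    ProcessEvent(5100, 4200, r"C:\Windows\system32\cmd.exe", r"cmd.exe /c dir"),
]

USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public|ProgramData)\\", re.I)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# signed Windows binaries commonly used to proxy execution of attacker code
PROXY_EXECUTORS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "regasm.exe", "regsvcs.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (pid, rule) findings; rules consult the parent and full ancestry."""
    by_pid = {e.pid: e for e in events}

    def ancestors(event):
        chain, seen = [], set()
        while event.ppid in by_pid and event.ppid not in seen:  # guard against PID reuse cycles
            seen.add(event.ppid)
            event = by_pid[event.ppid]
            chain.append(event)
        return chain

    findings = []
    for e in events:
        img = basename(e.image)
        parent = by_pid.get(e.ppid)
        # 1. regsvr32 registering a DLL that lives in a user-writable location
        if img == "regsvr32.exe" and USER_WRITABLE.search(e.command_line):
            findings.append((e.pid, "regsvr32_loads_dll_from_user_writable_path"))
        # 2. a proxy-execution binary spawning a command shell
        if img in SHELLS and parent and basename(parent.image) in PROXY_EXECUTORS:
            findings.append((e.pid, "proxy_executor_spawns_shell"))
        # 3. domain trust discovery anywhere beneath a proxy-execution binary
        if (img == "nltest.exe" and "/domain_trusts" in e.command_line.lower()
                and any(basename(a.image) in PROXY_EXECUTORS for a in ancestors(e))):
            findings.append((e.pid, "domain_trust_enum_under_proxy_executor"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"PID {pid}: {rule}")
```

On this data the three report processes each trigger one rule and neither control does. Note that the first rule fires here only because the sandbox itself launched the sample with regsvr32 /s from %TEMP%; a real delivery chain may load the DLL differently, so the second and third rules, which key on the Beacon's own child activity, are the ones to weight in an alert.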
Network
MITRE ATT&CK Matrix
Downloads
- memory/684-7-0x0000000000000000-mapping.dmp
- memory/3192-6-0x0000000000000000-mapping.dmp
- memory/4796-0-0x00000000026F0000-0x00000000026FD000-memory.dmp (filesize 52KB)
- memory/4796-1-0x0000000002700000-0x000000000270A000-memory.dmp (filesize 40KB)
- memory/4796-2-0x000000006BAC0000-0x000000006BACD000-memory.dmp (filesize 52KB)
- memory/4796-3-0x0000000002B00000-0x0000000002B01000-memory.dmp (filesize 4KB)
- memory/4796-4-0x0000000003080000-0x00000000030FF000-memory.dmp (filesize 508KB)
- memory/4796-5-0x0000000003080000-0x00000000030FF000-memory.dmp (filesize 508KB)