Analysis
-
max time kernel
147s -
max time network
148s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
15-11-2020 22:46
Static task
static1
Behavioral task
behavioral1
Sample
1fdcf7204710c6f9e870914d6e692b2b748310a5c5ef1795ef0b3bfa003d44a2.dll
Resource
win7v20201028
Behavioral task
behavioral2
Sample
1fdcf7204710c6f9e870914d6e692b2b748310a5c5ef1795ef0b3bfa003d44a2.dll
Resource
win10v20201028
General
-
Target
1fdcf7204710c6f9e870914d6e692b2b748310a5c5ef1795ef0b3bfa003d44a2.dll
-
Size
202KB
-
MD5
4365a73b7ddbdff6e25bfcbb3778918b
-
SHA1
5bb622f8e35dcad4bf939884b5e62a76f4cebfc1
-
SHA256
1fdcf7204710c6f9e870914d6e692b2b748310a5c5ef1795ef0b3bfa003d44a2
-
SHA512
0bac9b01bd02336b0d9e72dc75a2ec374cd41a4e40f3566a35002ab968cbc230afaeac8a32a43768288a8698ba3769bb3e457e22271bb0f86bdfc5fa2b8007d8
Malware Config
Extracted
cobaltstrike
http://ns.2018test.com:80/ca
http://ns1.2018test.com:80/ga.js
-
access_type
512
-
beacon_type
256
-
create_remote_thread
256
-
day
0
-
dns_idle
0
-
dns_sleep
0
-
host
ns.2018test.com,/ca,ns1.2018test.com,/ga.js
-
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
- injection_process
-
jitter
0
-
maxdns
255
-
month
0
-
pipe_name
\\%s\pipe\msagent_%x
-
polling_time
60000
-
port_number
80
- proxy_password
- proxy_server
- proxy_username
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCgNfIU8hRaf78nQi6sA2J+cdQ2zlAluBmtXKo90Lnri1l6cI2PzT4pncx1dyOe2SHQLEN8jx5j3b88Q64TirXQ7jgt+oLQcU8S5qt3tbflGp8mz6sI4WPwtp8ZgUctyPPYD1PPXRop/GCoJw1G6MOusZo+jCChd2PDYQ+KAN+c8QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown3
0
-
unknown4
256
-
unknown5
0
-
uri
/submit.php
-
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; LBBROWSER)
-
year
0
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
ServiceHost packer 4 IoCs
Detects ServiceHost packer used for .NET malware
Processes:
resource yara_rule behavioral2/memory/1048-2-0x0000000000000000-mapping.dmp servicehost behavioral2/memory/1048-3-0x0000000000000000-mapping.dmp servicehost behavioral2/memory/1048-4-0x0000000000000000-mapping.dmp servicehost behavioral2/memory/1048-5-0x0000000000000000-mapping.dmp servicehost -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2136 1048 WerFault.exe rundll32.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
WerFault.exepid process 2136 WerFault.exe 2136 WerFault.exe 2136 WerFault.exe 2136 WerFault.exe 2136 WerFault.exe 2136 WerFault.exe 2136 WerFault.exe 2136 WerFault.exe 2136 WerFault.exe 2136 WerFault.exe 2136 WerFault.exe 2136 WerFault.exe 2136 WerFault.exe 2136 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
WerFault.exedescription pid process Token: SeRestorePrivilege 2136 WerFault.exe Token: SeBackupPrivilege 2136 WerFault.exe Token: SeDebugPrivilege 2136 WerFault.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 936 wrote to memory of 1048 936 rundll32.exe rundll32.exe PID 936 wrote to memory of 1048 936 rundll32.exe rundll32.exe PID 936 wrote to memory of 1048 936 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\1fdcf7204710c6f9e870914d6e692b2b748310a5c5ef1795ef0b3bfa003d44a2.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:936 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\1fdcf7204710c6f9e870914d6e692b2b748310a5c5ef1795ef0b3bfa003d44a2.dll,#12⤵PID:1048
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 6603⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2136
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1048-0-0x0000000000000000-mapping.dmp
-
memory/1048-2-0x0000000000000000-mapping.dmp
-
memory/1048-3-0x0000000000000000-mapping.dmp
-
memory/1048-4-0x0000000000000000-mapping.dmp
-
memory/1048-5-0x0000000000000000-mapping.dmp
-
memory/2136-1-0x00000000049B0000-0x00000000049B1000-memory.dmpFilesize
4KB
-
memory/2136-6-0x0000000004EE0000-0x0000000004EE1000-memory.dmpFilesize
4KB