Analysis
- max time kernel: 1773s
- max time network: 1775s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 16-11-2020 20:26
Static task: static1
Behavioral tasks:
- behavioral1: Sample PL64.dll, Resource win10v20201028
- behavioral2: Sample PL64.dll, Resource win10v20201028
- behavioral3: Sample PL64.dll, Resource android-x86-avd1
- behavioral4: Sample PL64.dll, Resource win10v20201028
- behavioral5: Sample PL64.dll, Resource win7v20201028
General
- Target: PL64.dll
- Size: 192KB
- MD5: 5a710e940d55b74ddba422b0721a073a
- SHA1: c206d9d1cfa9dda15c89dade8725549eb9c50627
- SHA256: 779f5fa30734c1e35d61d0bad3961c60acd3553c33d91f057115be823ab54927
- SHA512: 227a35b52c4c82962b18b5981a74e73e24ee49530bede8a3ae6c5228b92829c993454bf6c2f76f3559bed357302ca4ddaa184207eed5970c1cf1f49e11a2b42a
Malware Config
Extracted: metasploit
- windows/download_exec
- http://driversna.com:443/files/tab_shop.png
Extracted: cobaltstrike
- http://er.driversna.com:443/fo
- http://df.driversna.com:443/fo
- http://cv.driversna.com:443/fo
- access_type: 512
- beacon_type: 2048
- create_remote_thread: 0
- day: 0
- dns_idle: 4.5673843e+07
- dns_sleep: 1.694498816e+09
- host: er.driversna.com,/fo,df.driversna.com,/fo,cv.driversna.com,/fo
- http_header1: AAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAcAAAAAAAAACwAAAAMAAAACAAAABUhTSUQ9AAAABgAAAAZDb29raWUAAAAJAAAADmRicHJlZml4PWZhbHNlAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_header2: AAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAoAAAAVQWNjZXB0LUVuY29kaW5nOiBnemlwAAAACgAAAC9Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZAAAAAcAAAABAAAACAAAAAMAAAACAAAACWRicHJlZml4PQAAAAQAAAAHAAAAAAAAAAMAAAACAAAADl9fc2Vzc2lvbl9faWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_method1: GET
- http_method2: POST
- injection_process:
- jitter: 10496
- maxdns: 255
- month: 0
- pipe_name:
- polling_time: 59957
- port_number: 443
- proxy_password:
- proxy_server:
- proxy_username:
- sc_process32: %windir%\syswow64\regsvr32.exe
- sc_process64: %windir%\sysnative\regsvr32.exe
- state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCjAX68sewYZJjpqnXffGvEpuKnWAUCV3KlxJ4CoM+2HFSmT00/IHjJUOYEXMrClE5CUDj2v8aGxUtojZBY8FlfcpQ3e57Qu70ZSp2CoiGaMF9vRza/16UqA1giNQESZorQf962VJoNg/SKqWaZC+nFzkaUbDRebBcHK5lCw4qjbwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 4.272630272e+09
- unknown2: AAAABAAAAAIAAAFSAAAAAwAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown3: 0
- unknown4: 0
- unknown5: 0
- uri: /eo
- user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9
- year: 0
Signatures
- Cobaltstrike: Detected malicious payload which is part of Cobaltstrike.
- MetaSploit: Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Downloads
- memory/1304-0-0x0000000002930000-0x000000000293D000-memory.dmp (Filesize: 52KB)
- memory/1304-2-0x000000006BAC0000-0x000000006BACD000-memory.dmp (Filesize: 52KB)
- memory/1304-1-0x0000000002940000-0x000000000294A000-memory.dmp (Filesize: 40KB)
- memory/1304-3-0x00000000029F0000-0x00000000029F1000-memory.dmp (Filesize: 4KB)
- memory/1304-4-0x0000000002D70000-0x0000000002DEF000-memory.dmp (Filesize: 508KB)
- memory/1304-5-0x0000000002D70000-0x0000000002DEF000-memory.dmp (Filesize: 508KB)