Analysis
max time kernel: 131s
max time network: 132s
platform: windows7_x64
resource: win7v20210408
submitted: 20-04-2021 19:51

Behavioral task: behavioral1
Sample: 4b792c505b6dedad9f2a21c866212e96ae12c8415e3e9b249fa235e63398c2c8.exe
Resource: win7v20210408

Behavioral task: behavioral2
Sample: 4b792c505b6dedad9f2a21c866212e96ae12c8415e3e9b249fa235e63398c2c8.exe
Resource: win10v20210408
General
Target: 4b792c505b6dedad9f2a21c866212e96ae12c8415e3e9b249fa235e63398c2c8.exe
Size: 844KB
MD5: 3dfc20d3780cb61f0654ef3116bdc8bb
SHA1: 5efe6acfb7e80c23f5734b020578f032342fc77d
SHA256: 4b792c505b6dedad9f2a21c866212e96ae12c8415e3e9b249fa235e63398c2c8
SHA512: 227904c9efe3ded15599ab1a555aee56721fc0059a0c8b4c42dee5c8c6208434b4ed72c0d878c98c21fec0695569e98fb99fb4781f88fa3eca7256bb560abd90
Malware Config
Extracted family: cobaltstrike
C2 URL: http://fashmie.com:443/assets/environment-f0a84e0c1.js

access_type: 512
beacon_type: 2048
create_remote_thread: 0
day: 0
dns_idle: 0
dns_sleep: 0
host: fashmie.com,/assets/environment-f0a84e0c1.js
http_header1: 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
http_header2: 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
http_method1: GET
http_method2: POST
injection_process:
jitter: 9472
maxdns: 0
month: 0
pipe_name:
polling_time: 25000
port_number: 443
proxy_password:
proxy_server:
proxy_username:
sc_process32: %windir%\syswow64\dllhost1.exe
sc_process64: %windir%\sysnative\dllhost1.exe
state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDa14pI+KHc4hacVJaYyMZHO0bzpDtNhP+JNn5mApEDAj9xpSHnp8rVq0Ekc9691bMZnfxnHdhxmXcSdPtBtI/nTtBlOnO/FZx9YuRssfXOP63XJ5eosw0DH6V5MM5EtAGUAlxGRS0okFP14AH9ACPjPhNXKgUhfGoWfDbnpwJnQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 3.3969984e+09
unknown2: AAAABAAAAAEAAAAyAAAAAgAAACQAAAACAAAlGQAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown3: 0
unknown4: 0
unknown5: 0
uri: /assets/chunk-vendor-4c69db4f.js
user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36
year: 0
Signatures
Cobaltstrike: Detected malicious payload which is part of Cobaltstrike.
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
description | pid | process | target process
PID 1080 wrote to memory of 2024 | 1080 | 4b792c505b6dedad9f2a21c866212e96ae12c8415e3e9b249fa235e63398c2c8.exe | upnpcont.exe
PID 1080 wrote to memory of 2024 | 1080 | 4b792c505b6dedad9f2a21c866212e96ae12c8415e3e9b249fa235e63398c2c8.exe | upnpcont.exe
PID 1080 wrote to memory of 2024 | 1080 | 4b792c505b6dedad9f2a21c866212e96ae12c8415e3e9b249fa235e63398c2c8.exe | upnpcont.exe
PID 1080 wrote to memory of 2024 | 1080 | 4b792c505b6dedad9f2a21c866212e96ae12c8415e3e9b249fa235e63398c2c8.exe | upnpcont.exe

Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\4b792c505b6dedad9f2a21c866212e96ae12c8415e3e9b249fa235e63398c2c8.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\4b792c505b6dedad9f2a21c866212e96ae12c8415e3e9b249fa235e63398c2c8.exe"
  signature: Suspicious use of WriteProcessMemory
  Level 2 (child of the above): C:\Windows\system32\upnpcont.exe
    command line: upnpcont.exe
Network
MITRE ATT&CK Matrix
Downloads
memory/1080-60-0x0000000000400000-0x00000000004D8000-memory.dmp (Filesize: 864KB)
memory/1080-63-0x0000000001D60000-0x0000000001E1F000-memory.dmp (Filesize: 764KB)
memory/2024-61-0x0000000000000000-mapping.dmp
memory/2024-62-0x0000000001C90000-0x0000000002102000-memory.dmp (Filesize: 4.4MB)
memory/2024-64-0x0000000000060000-0x00000000000A0000-memory.dmp (Filesize: 256KB)
memory/2024-65-0x000007FEFB631000-0x000007FEFB633000-memory.dmp (Filesize: 8KB)
memory/2024-66-0x0000000001C90000-0x0000000002102000-memory.dmp (Filesize: 4.4MB)