Analysis

  • max time kernel
    139s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    20-04-2021 16:49

General

  • Target

    DocuSign.html

  • Size

    151KB

  • MD5

    9b9ad81357a59408205adf90a0ecfd77

  • SHA1

    dc29234044025144428d9fa5a7b2a7881e7fcd81

  • SHA256

    2d33b98c1750589a3361aaab5533d224f76b2972f6fca27978f09805ae9b8512

  • SHA512

    961ebffffdb0e694cc51ba1831bdb9b3e63ff14b01745f342964974b6b495806f98083586be769d8e795b0f692a22013503129c8feb75ec85fef5e47ebee9250

Malware Config

Extracted

Family

cobaltstrike

Version

windows/download_exec

C2

http://0x142f6ca3:443/images/IT_Showcase_Webinar_Security_3000x300.jpg

Extracted

Family

cobaltstrike

C2

http://0x142f6ca3:443/munchkin.js

Attributes
  • access_type

    256

  • beacon_type

    2048

  • create_remote_thread

    0

  • day

    0

  • dns_idle

    0

  • dns_sleep

    0

  • host

    0x142f6ca3,/munchkin.js

  • http_header1

    AAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAcAAAAAAAAACwAAAAMAAAACAAAABU1VSUQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

  • http_method1

    GET

  • http_method2

    POST

  • injection_process

  • jitter

    9984

  • maxdns

    0

  • month

    0

  • pipe_name

  • polling_time

    59069

  • port_number

    443

  • proxy_password

  • proxy_server

  • proxy_username

  • sc_process32

    %windir%\syswow64\mobsync.exe

  • sc_process64

    %windir%\sysnative\mobsync.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6O3B28PchczaYlnPWJYrGrCrx6yFYBpvcCVn8LzaF/Ma6fdTr586chcbQgmWYXFUe1NuCgfalGftLZgQB5oDcpcMyWB7MRLMY0BKmF1gpuDHL3FuCOrDVYNFjYPsYTOEENhUv2HRxAo5Z6UXjHf4tTwJSprk7IHUHiRKJ7CXV3wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    1.852972032e+09

  • unknown2

    AAAABAAAAAIAAACmAAAAAwAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown3

    0

  • unknown4

    0

  • unknown5

    1.841236305e+09

  • uri

    /munchkin.marketo.net

  • user_agent

    Mozilla/5.0 (Windows Phone 10.0; Android 6.0.1; Microsoft; RM-1152) AppleWebKit/537.36 (KHTML, like Gecko)

  • year

    0

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 52 IoCs
  • Modifies registry class 64 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\DocuSign.html
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1000
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1000 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2216
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3924
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2476
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2476.0.1744565455\2082088006" -parentBuildID 20200403170909 -prefsHandle 1524 -prefMapHandle 1516 -prefsLen 1 -prefMapSize 219680 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2476 "\\.\pipe\gecko-crash-server-pipe.2476" 1604 gpu
        3⤵
        PID:4032
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2476.3.1070184198\223735954" -childID 1 -isForBrowser -prefsHandle 2192 -prefMapHandle 2188 -prefsLen 122 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2476 "\\.\pipe\gecko-crash-server-pipe.2476" 2204 tab
        3⤵
        PID:4116
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2476.13.856203944\1219648014" -childID 2 -isForBrowser -prefsHandle 3436 -prefMapHandle 3432 -prefsLen 6979 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2476 "\\.\pipe\gecko-crash-server-pipe.2476" 3448 tab
        3⤵
        PID:4380
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2476.20.1512421742\345180672" -childID 3 -isForBrowser -prefsHandle 4104 -prefMapHandle 4100 -prefsLen 7750 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2476 "\\.\pipe\gecko-crash-server-pipe.2476" 4064 tab
        3⤵
        PID:4756
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2476.27.844141439\1961740334" -childID 4 -isForBrowser -prefsHandle 4528 -prefMapHandle 4316 -prefsLen 8061 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2476 "\\.\pipe\gecko-crash-server-pipe.2476" 4540 tab
        3⤵
        PID:4864
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:5100
  • C:\Users\Admin\AppData\Local\Temp\Temp1_YourTestResult.zip\COVID19OnlineView_PDF_;.exe
    "C:\Users\Admin\AppData\Local\Temp\Temp1_YourTestResult.zip\COVID19OnlineView_PDF_;.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2224
    • C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v john /t REG_SZ /d C:\Users\Admin\AppData\Roaming\john.exe
      2⤵
      • Adds Run key to start application
      PID:5608
    • C:\Users\Admin\AppData\Roaming\john.exe
      "C:\Users\Admin\AppData\Roaming\john.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5660
      • C:\Windows\System32\DWWIN.EXE
        "C:\Windows\System32\DWWIN.EXE"
        3⤵
        PID:5740
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:4456
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:4404
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    PID:4200
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:2876

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    MD5

    b8c8b0ee955b46a4df1dd71c75753947

    SHA1

    0e023de5f301a023eb9b130dc8c0ee6812b1b77f

    SHA256

    05e68df5ac57af6fef221d1431996178da03315ea5c9fe26d9fc624aa8078ebf

    SHA512

    f844fa669fbf9417cb8c5689957e2981fe40f94e800159656211b170f595aadf563446e6fb0b37ff7d788bde28233591d8d837d16f0e3c80459c4223112c6720

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    MD5

    954d09b259ee073ab2c47138854add44

    SHA1

    33d733e0e5337eef1a34261d616842386d6afde2

    SHA256

    7360809a0395efd1773021f62dcedc252c239b09e49565c1c8a4510693e08aa8

    SHA512

    67ee5533ae2fb1b1c16db3b9d818a96d929977324f9ffd4d39f35ac17b762047baa9a5ba43579241f0d8bf3f88f646ead67bba0f319b1083ce65ea88e49d87c2

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\85VJO7BZ.cookie

    MD5

    c36b34f9fca365878189af38d589719c

    SHA1

    a1ada6ff1f094da621a0fcf4e9f73d7cd61b60ec

    SHA256

    9ddc9e1c6786b60f714f8b966f34a7660873e69a8c7f1b01e49da68662693dce

    SHA512

    0a80ad8c2932c4e0d7a1a5b96735291d9bbcf7f25b486ccc00c22dcd0fd80da74d62a4aaadee087072349d33abea0e298320090d673273bb07f3dc4ac1e1340b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\9U0IOVS2.cookie

    MD5

    2b4751c09807c17998f9f9ed1f91a2a5

    SHA1

    dc9ce8364499b7fa4543236384fd810ce75e8b8b

    SHA256

    b959aca0fb89bd93257d2037e82ef65f5840790082d7aeb9f0d6e20c60679fbd

    SHA512

    1ed209ca2a0565c8a8ed40b3bc7eed677c96d43b30e761f5ccd054a38dfb4ea6e5b9cbc9b11ea5634c6bbcacf25107d3a6c4304c9115746cdffd452ac7ce43bc

  • C:\Users\Admin\AppData\Roaming\john.exe

    MD5

    201fc10e35608cce51742477d5a3f2c0

    SHA1

    711e76a53bc518fab8bd4276aa533a3a01df0c50

    SHA256

    e0f0a43ffc60f847231853ebe137e9d93f415ce52cc99b8edd1038bd9c5001e2

    SHA512

    79fd6d508a6a3fb9af2b4fb8f1b2e98e6c434ca100f25df75dbd60e6f7237a39f4153608d3ec832039cf0e933f101c8b712dec80998a655154a70201f811713a

  • memory/1000-114-0x00007FF895BE0000-0x00007FF895C4B000-memory.dmp

    Filesize

    428KB

  • memory/2216-115-0x0000000000000000-mapping.dmp

  • memory/2224-140-0x000000001B673000-0x000000001B675000-memory.dmp

    Filesize

    8KB

  • memory/2224-143-0x000000001B675000-0x000000001B677000-memory.dmp

    Filesize

    8KB

  • memory/2224-133-0x0000000000A70000-0x0000000000A71000-memory.dmp

    Filesize

    4KB

  • memory/2224-135-0x00000000011A0000-0x00000000011C9000-memory.dmp

    Filesize

    164KB

  • memory/2224-136-0x0000000001180000-0x0000000001181000-memory.dmp

    Filesize

    4KB

  • memory/2224-137-0x000000001B670000-0x000000001B672000-memory.dmp

    Filesize

    8KB

  • memory/2224-138-0x000000001B5B0000-0x000000001B5B1000-memory.dmp

    Filesize

    4KB

  • memory/2224-139-0x000000001C7D0000-0x000000001C7D1000-memory.dmp

    Filesize

    4KB

  • memory/2476-116-0x0000000000000000-mapping.dmp

  • memory/4032-118-0x0000000000000000-mapping.dmp

  • memory/4116-123-0x0000000000000000-mapping.dmp

  • memory/4380-126-0x0000000000000000-mapping.dmp

  • memory/4756-128-0x0000000000000000-mapping.dmp

  • memory/4864-130-0x0000000000000000-mapping.dmp

  • memory/5608-142-0x0000000000000000-mapping.dmp

  • memory/5660-147-0x00000000000E0000-0x00000000000E1000-memory.dmp

    Filesize

    4KB

  • memory/5660-149-0x0000000000500000-0x000000000050F000-memory.dmp

    Filesize

    60KB

  • memory/5660-150-0x0000000000510000-0x0000000000511000-memory.dmp

    Filesize

    4KB

  • memory/5660-144-0x0000000000000000-mapping.dmp

  • memory/5660-153-0x000000001AE60000-0x000000001AE62000-memory.dmp

    Filesize

    8KB

  • memory/5740-151-0x000001BCB4880000-0x000001BCB4881000-memory.dmp

    Filesize

    4KB

  • memory/5740-155-0x000001BCB4B30000-0x000001BCB4BBD000-memory.dmp

    Filesize

    564KB

  • memory/5740-156-0x000001BCB66D0000-0x000001BCB6AD0000-memory.dmp

    Filesize

    4.0MB

  • memory/5740-154-0x000001BCB4B30000-0x000001BCB4BBD000-memory.dmp

    Filesize

    564KB

  • memory/5740-152-0x0000000000000000-mapping.dmp