Analysis
- max time kernel: 559s
- max time network: 560s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 05-05-2021 14:40
- Static task: static1
- Behavioral task: behavioral1
- Sample: svhost.dll
- Resource: win7v20210410
General
- Target: svhost.dll
- Size: 1006KB
- MD5: 5db0b77b9d1256aa8da7e50955897a41
- SHA1: 0936e308ce2b644c28000e52ab40b0a1158e6135
- SHA256: 7f139e55e24e25c6544a78d48a04400430a3431830e694ee0946d90075ec2a9c
- SHA512: 254e97e4e526b7750abc3619d78325a05fabeeef882b6d4fb623ef30aa00b66d102b49b706c8676be98c98afd8dd2dd1851e4b32aa375f98aba9c4f04a070ce3
Malware Config
Extracted (metasploit)
- payload: windows/download_exec
- url: http://silenceel.com:443/components/ml.ico
Extracted (cobaltstrike)
- watermark: 1359593325
- url: http://silenceel.com:443/r-arrow
- access_type: 512
- beacon_type: 2048
- host: silenceel.com,/r-arrow
- http_header1:
- http_header2:
- http_method1: GET
- http_method2: POST
- jitter: 10496
- polling_time: 55765
- port_number: 443
- sc_process32: %windir%\syswow64\svchost.exe
- sc_process64: %windir%\sysnative\svchost.exe
- state_machine:
- unknown1: 7.8457344e+07
- unknown2:
- uri: /fo
- user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; WOW64.1 ) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.43 Safari/537.36
- watermark: 1359593325
Signatures
- Cobaltstrike: Detected malicious payload which is part of Cobaltstrike.
- MetaSploit: Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Blocklisted process makes network request (10 IoCs)
  Processes:
  flow  pid   process
  7     2016  rundll32.exe
  8     2016  rundll32.exe
  9     2016  rundll32.exe
  10    2016  rundll32.exe
  11    2016  rundll32.exe
  12    2016  rundll32.exe
  13    2016  rundll32.exe
  14    2016  rundll32.exe
  15    2016  rundll32.exe
  16    2016  rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
  description                        pid   process       target process
  PID 1268 wrote to memory of 2016   1268  rundll32.exe  rundll32.exe
  PID 1268 wrote to memory of 2016   1268  rundll32.exe  rundll32.exe
  PID 1268 wrote to memory of 2016   1268  rundll32.exe  rundll32.exe
  PID 1268 wrote to memory of 2016   1268  rundll32.exe  rundll32.exe
  PID 1268 wrote to memory of 2016   1268  rundll32.exe  rundll32.exe
  PID 1268 wrote to memory of 2016   1268  rundll32.exe  rundll32.exe
  PID 1268 wrote to memory of 2016   1268  rundll32.exe  rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe (level 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\svhost.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (level 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\svhost.dll,#1
    - Blocklisted process makes network request
Downloads
- memory/2016-59-0x0000000000000000-mapping.dmp
- memory/2016-60-0x0000000075591000-0x0000000075593000-memory.dmp (Filesize: 8KB)
- memory/2016-61-0x00000000000B0000-0x00000000000B1000-memory.dmp (Filesize: 4KB)
- memory/2016-63-0x0000000002D40000-0x0000000003140000-memory.dmp (Filesize: 4.0MB)