Analysis
max time kernel: 145s
max time network: 146s
platform: windows10_x64
resource: win10-en-20211014
submitted: 21-10-2021 17:40

Static task: static1
Behavioral task: behavioral1
  Sample: gls.js
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: gls.js
  Resource: win10-en-20211014

General
Target: gls.js
Size: 4.1MB
MD5: 2103be68824b34dfb74873364d23f74b
SHA1: ebcc88331a1cbc3b73098c2245a8a81840703b0e
SHA256: 3015444a70483b5abccb2d4f11a2de348dd6bb00614300b0058c761c0993d818
SHA512: 5e47ef58756a739df8edf694efb672eea94abcae2c14ff306c7328b0ce2679a8ec10290d76b1586b1dd60337062270262d5b088f233ba2e82497311ff7b5545a
Malware Config
Extracted: cobaltstrike
  651348195
  http://glsllc.365updates.workers.dev:443/safebrowsing/fp/aTwivgcwHXjqy4NYQq2E
access_type: 512
beacon_type: 2048
host: glsllc.365updates.workers.dev,/safebrowsing/fp/aTwivgcwHXjqy4NYQq2E
http_header1:
http_header2:
http_method1: GET
http_method2: POST
jitter: 3072
polling_time: 11000
port_number: 443
sc_process32: %windir%\syswow64\gpupdate.exe
sc_process64: %windir%\sysnative\gpupdate.exe
state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCklx/5IbNxgw3DRlfvPGUMcyNsfswv9wTzv7fQz2kiQNoQNRNRd+g+cZ2TGh73dFDTBQB9QCejuHNGHgm9H90yJ2/FHM4VxE3IfUCpelyGnekC8A33Szkjqt9ltmaWqBfwLNlPa8/32FPuKrFNr4BDfbKSZN5x8Ejcnt6zsRNu+QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /safebrowsing/fp/ebVBJhc6PlHSKNZI1Ojpt69M23VxN
user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36
watermark: 651348195
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Blocklisted process makes network request 14 IoCs
Processes:
flow  pid   process
17    2700  wscript.exe
31    2700  wscript.exe
34    2700  wscript.exe
37    2700  wscript.exe
38    2700  wscript.exe
39    2700  wscript.exe
40    2700  wscript.exe
41    2700  wscript.exe
42    2700  wscript.exe
43    2700  wscript.exe
44    2700  wscript.exe
45    2700  wscript.exe
46    2700  wscript.exe
47    2700  wscript.exe
Loads dropped DLL 1 IoCs
Processes:
pid   process
2700  wscript.exe
Downloads
\Users\Admin\AppData\Local\Temp\btpanui.dll
  MD5: 9420a61d40ef65b845c426388644b97c
  SHA1: 16ac747bd0f37395c64d16ee860bb8799b567b5a
  SHA256: 0e2024c362a053bbe27680b867efd2528c3f3a877c85360a18920d7f7a954f93
  SHA512: ea3964a6eb927c71ec2bed1b22f84b2ed07437822ee52580867bb1218179a6b1ba200c5dd35c3bebba1090db8e5a64f07ffe2e311636f69743b9e7d4423a9e4b
memory/2700-118-0x00007FF856B90000-0x00007FF856C3E000-memory.dmp
  Filesize: 696KB
memory/2700-119-0x00007FF854770000-0x00007FF8549B9000-memory.dmp
  Filesize: 2.3MB
memory/2700-120-0x00007FF8574D0000-0x00007FF8576AB000-memory.dmp
  Filesize: 1.9MB
memory/2700-122-0x000001DB95790000-0x000001DB957DE000-memory.dmp
  Filesize: 312KB
memory/2700-121-0x000001DB95740000-0x000001DB95781000-memory.dmp
  Filesize: 260KB