Analysis
- max time kernel: 124s
- max time network: 123s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 14-12-2021 13:51
Static task
- static1
Behavioral task
- behavioral1: sample oben32.dll, resource win7-en-20211208
Behavioral task
- behavioral2: sample oben32.dll, resource win10-en-20211208
General
- Target: oben32.dll
- Size: 354KB
- MD5: b873bfa8dec8c3a1f62c30903e59e849
- SHA1: 2c4aaefe0c20843db9b9f4996d42c7563b081097
- SHA256: fba9dd0ebb8d838fa394cda10dca50450d8c0fc6158deff38904072140d64507
- SHA512: a8c0a467788335297f34b9a60401b0ef50e023d0efc0b77eaf560decc785ed2c2b79534e14451aab747e307baa057fad0956e2941ff28b9995d4dbbd6e762457
Malware Config
Extracted
- family: cobaltstrike
- C2: http://api.musicbee.getlist.destinycraftpe.com:443/azure/v2/api
- user_agent (HTTP headers sent by the beacon):
  Content-Type: application/json
  accept: */*
  cookie: HSID=cl0gxhLgPAirQvdbj
  sec-ch-ua: Chromium;v=91
  sec-ch-ua-mobile: ?0
  sec-fetch-site: same-site
  sec-fetch-mode: cors
  sec-fetch-dest: empty
  accept-encoding: gzip, deflate
  accept-language: en
  X-Amz-Cf-Pop: HTL55-C2
  User-Agent: MusicBee/3.4
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  description            pid  Process       procid_target
  PID 652 created 2756   652  WerFault.exe  11
- Program crash (1 IoC)
  pid  pid_target  Process       procid_target
  652  2756        WerFault.exe  11
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid  Process
  652  WerFault.exe  (same row reported 12 times)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid  Process
  Token: SeDebugPrivilege  652  WerFault.exe
Processes
- C:\Windows\system32\regsvr32.exe (PID 2756)
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\oben32.dll
  - C:\Windows\system32\WerFault.exe (PID 652)
    command line: C:\Windows\system32\WerFault.exe -u -p 2756 -s 1180
    signatures:
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken