Analysis
max time kernel: 148s
max time network: 149s
platform: windows7_x64
resource: win7-en-20211208
submitted: 04-01-2022 00:11

Static task: static1

Behavioral task: behavioral1
Sample: 48951d50abf8359aad5a14d14d4bd4f442ce55f21da1e1f8bd4116be41fa5daf.bin.dll
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 48951d50abf8359aad5a14d14d4bd4f442ce55f21da1e1f8bd4116be41fa5daf.bin.dll
Resource: win10-en-20211208
General
Target: 48951d50abf8359aad5a14d14d4bd4f442ce55f21da1e1f8bd4116be41fa5daf.bin.dll
Size: 383KB
MD5: 6899a309b7e298f7879ff75cce5ff6c6
SHA1: b3e4cc5e8599b1d3ead601f41558f803b8db308d
SHA256: 48951d50abf8359aad5a14d14d4bd4f442ce55f21da1e1f8bd4116be41fa5daf
SHA512: 6843403496c69c16f0bd5088f6c9504a509f77cbba0530903124bf90dc0c9fa49a129e7fca6c0055c8aa0fb1453d63066aaa2b8ad6edb5d7f4bc9326581dedd4
Malware Config
Extracted: cobaltstrike
0
http://baravazna.com:80/jquery-3.3.1.min.js
access_type: 512
host: baravazna.com,/jquery-3.3.1.min.js
http_header1:
http_header2:
http_method1: GET
http_method2: POST
jitter: 2560
polling_time: 5000
port_number: 80
sc_process32: %windir%\syswow64\dllhost.exe
sc_process64: %windir%\sysnative\dllhost.exe
state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFtg8nSO1Kg+yalqkTqSycP2oW8JKU0EBWjOVwdiaOEwxATLGqXJw7IwYSq7rW1X0g9QJ72zRyAvfchwm9H1mVHoPDj1bLLMF+pZaBUJ9ZACSrDQJQZBG+MdJmZVvZfPcB45tzMYL+YWY1emtYbgTM3P6o+uqYL3U/xUWnxwWwaQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4.234810624e+09
unknown2:
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /jquery-3.3.2.min.js
user_agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
watermark: 0
Signatures
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
suricata: ET MALWARE Cobalt Strike Beacon Activity (GET)
suricata: ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M2
suricata: ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response

Blocklisted process makes network request (1 IoCs)
Processes:
flow  pid   process
5     1028  rundll32.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
description                        pid   process       target process
PID 600 wrote to memory of 1588    600   rundll32.exe  cmd.exe
PID 600 wrote to memory of 1588    600   rundll32.exe  cmd.exe
PID 600 wrote to memory of 1588    600   rundll32.exe  cmd.exe
PID 1588 wrote to memory of 1028   1588  cmd.exe       rundll32.exe
PID 1588 wrote to memory of 1028   1588  cmd.exe       rundll32.exe
PID 1588 wrote to memory of 1028   1588  cmd.exe       rundll32.exe
Processes
1. C:\Windows\system32\rundll32.exe
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\48951d50abf8359aad5a14d14d4bd4f442ce55f21da1e1f8bd4116be41fa5daf.bin.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\cmd.exe
      /c rundll32 "C:\Users\Admin\AppData\Local\Temp\48951d50abf8359aad5a14d14d4bd4f442ce55f21da1e1f8bd4116be41fa5daf.bin.dll", opxHaqTeHKOxAsPT
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\rundll32.exe
         rundll32 "C:\Users\Admin\AppData\Local\Temp\48951d50abf8359aad5a14d14d4bd4f442ce55f21da1e1f8bd4116be41fa5daf.bin.dll", opxHaqTeHKOxAsPT
         - Blocklisted process makes network request
Network
MITRE ATT&CK Matrix
Downloads
memory/1028-55-0x0000000000000000-mapping.dmp
memory/1028-56-0x0000000000290000-0x00000000002D1000-memory.dmp (Filesize 260KB)
memory/1028-57-0x0000000001E70000-0x00000000022E2000-memory.dmp (Filesize 4.4MB)
memory/1028-58-0x0000000000290000-0x00000000002D1000-memory.dmp (Filesize 260KB)
memory/1028-59-0x0000000001E70000-0x00000000022E2000-memory.dmp (Filesize 4.4MB)
memory/1588-54-0x0000000000000000-mapping.dmp