Overview
overview
10Static
static
ScanClient...1C.dll
windows7_x64
1ScanClient...1C.dll
windows10-2004_x64
1ScanClient...l1.dll
windows7_x64
1ScanClient...l1.dll
windows10-2004_x64
1ScanClient...em.dll
windows7_x64
1ScanClient...em.dll
windows10-2004_x64
1ScanClient...rd.dll
windows7_x64
1ScanClient...rd.dll
windows10-2004_x64
1ScanClient...te.lnk
windows7_x64
10ScanClient...te.lnk
windows10-2004_x64
10Analysis
-
max time kernel
142s -
max time network
148s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
14-01-2022 16:01
Static task
static1
Behavioral task
behavioral1
Sample
ScanClientUpdate/KM.EKeyAlmaz1C.dll
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
ScanClientUpdate/KM.EKeyAlmaz1C.dll
Resource
win10v2004-en-20220113
Behavioral task
behavioral3
Sample
ScanClientUpdate/KM.EKeyCrystal1.dll
Resource
win7-en-20211208
Behavioral task
behavioral4
Sample
ScanClientUpdate/KM.EKeyCrystal1.dll
Resource
win10v2004-en-20220113
Behavioral task
behavioral5
Sample
ScanClientUpdate/KM.FileSystem.dll
Resource
win7-en-20211208
Behavioral task
behavioral6
Sample
ScanClientUpdate/KM.FileSystem.dll
Resource
win10v2004-en-20220112
Behavioral task
behavioral7
Sample
ScanClientUpdate/KM.IDCard.dll
Resource
win7-en-20211208
Behavioral task
behavioral8
Sample
ScanClientUpdate/KM.IDCard.dll
Resource
win10v2004-en-20220112
Behavioral task
behavioral9
Sample
ScanClientUpdate/ScanClientUpdate.lnk
Resource
win7-en-20211208
Behavioral task
behavioral10
Sample
ScanClientUpdate/ScanClientUpdate.lnk
Resource
win10v2004-en-20220112
General
-
Target
ScanClientUpdate/ScanClientUpdate.lnk
-
Size
1KB
-
MD5
d98d2caa6e63ca70c245e1d6eda2100b
-
SHA1
44b1884801c72dc8b218298aa1c537c69f2dfbfa
-
SHA256
74202eed181e2b83dd0ab6f791a34a13bd94e63e86b82395f9443cb5aeddc891
-
SHA512
2f63de892d0d757a2310ed5d1c59a8059b9a5fac9dc8c8f45c56b140d82e1009c9d25ff6a9ca9b27e571ee27e8a3329148f53a86cc73ef4a5384387526eb2cfa
Malware Config
Extracted
cobaltstrike
1359593325
http://doggroomingnews.com:443/storage/main.woff2
-
access_type
512
-
beacon_type
2048
-
host
doggroomingnews.com,/storage/main.woff2
-
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADQAAAAIAAAAFX19pZD0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADwAAAA0AAAAFAAAABV9fdWlkAAAABwAAAAEAAAAPAAAADQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
9472
-
polling_time
15000
-
port_number
443
-
sc_process32
%windir%\syswow64\dllhost.exe
-
sc_process64
%windir%\sysnative\dllhost.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCme/zaiZGT7pLjqDAy16p3eFtu90inaA2f41oeA4p/oHZuEumSy882EEc1UdIdb1t55cOwN7OQrfDBkRhcI9ZJuFVHFjb+O01lf9ppl+xBjW0Z7rjpo8RLJCmwNWyymCD1iQJuG0DSkU+RTjZPelztOIFqJS9twRnuhA7wGUGgkwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
5.76066816e+08
-
unknown2
AAAABAAAAAEAAABjAAAAAgAAAGQAAAANAAAADwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/storage/page.woff2
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4183.83 Safari/537.36
-
watermark
1359593325
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Blocklisted process makes network request 10 IoCs
Processes:
rundll32.exeflow pid process 5 472 rundll32.exe 6 472 rundll32.exe 7 472 rundll32.exe 9 472 rundll32.exe 10 472 rundll32.exe 11 472 rundll32.exe 13 472 rundll32.exe 14 472 rundll32.exe 15 472 rundll32.exe 17 472 rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
cmd.exerundll32.exedescription pid process target process PID 1572 wrote to memory of 1352 1572 cmd.exe rundll32.exe PID 1572 wrote to memory of 1352 1572 cmd.exe rundll32.exe PID 1572 wrote to memory of 1352 1572 cmd.exe rundll32.exe PID 1352 wrote to memory of 472 1352 rundll32.exe rundll32.exe PID 1352 wrote to memory of 472 1352 rundll32.exe rundll32.exe PID 1352 wrote to memory of 472 1352 rundll32.exe rundll32.exe PID 1352 wrote to memory of 472 1352 rundll32.exe rundll32.exe PID 1352 wrote to memory of 472 1352 rundll32.exe rundll32.exe PID 1352 wrote to memory of 472 1352 rundll32.exe rundll32.exe PID 1352 wrote to memory of 472 1352 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\ScanClientUpdate\ScanClientUpdate.lnk1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" KM.FileSystem.dll KMGetInterface2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" KM.FileSystem.dll KMGetInterface3⤵
- Blocklisted process makes network request
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/472-56-0x0000000000000000-mapping.dmp
-
memory/472-57-0x0000000075D61000-0x0000000075D63000-memory.dmpFilesize
8KB
-
memory/472-58-0x00000000001D0000-0x0000000000203000-memory.dmpFilesize
204KB
-
memory/472-59-0x0000000002FC0000-0x0000000003432000-memory.dmpFilesize
4.4MB
-
memory/472-60-0x0000000002FC0000-0x0000000003432000-memory.dmpFilesize
4.4MB
-
memory/1352-55-0x0000000000000000-mapping.dmp
-
memory/1572-54-0x000007FEFB711000-0x000007FEFB713000-memory.dmpFilesize
8KB