Analysis
max time kernel: 149s
max time network: 151s
platform: windows10_x64
resource: win10-en-20211208
submitted: 25-01-2022 09:06
Static task: static1
Behavioral task: behavioral1 (Sample: 20220124svchost/dllhost.exe, Resource: win7-en-20211208)
Behavioral task: behavioral2 (Sample: 20220124svchost/dllhost.exe, Resource: win10-en-20211208)
Behavioral task: behavioral3 (Sample: 20220124svchost/host.exe, Resource: win7-en-20211208)
Behavioral task: behavioral4 (Sample: 20220124svchost/host.exe, Resource: win10-en-20211208)
Behavioral task: behavioral5 (Sample: 20220124svchost/svchost.exe, Resource: win7-en-20211208)
Behavioral task: behavioral6 (Sample: 20220124svchost/svchost.exe, Resource: win10-en-20211208)
General
Target: 20220124svchost/host.exe
Size: 7KB
MD5: 4b7b09158efe990aeae84bffd3495a06
SHA1: 4d5a9a49b22815f344c90e04d8f3536bea29d501
SHA256: ef9fe61878d9d6ef602dedf8bad61927b8a754886c4923119572117141a87227
SHA512: 90c9bd74c843bcfa0749509ffe0a647ed93318734bed8e68379037ffe84c4200854fd42bd726c8e214f15e1094abcb6cb818c14562bc717a15bcba08a0714d84
Malware Config
Extracted: cobaltstrike
URL: http://dash.139pro.com:8880/w/static/js/app.clf44eeb.js
user_agent: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Host: dash.139pro.com Referer: http://www.bing.com/ Accept-Encoding: deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Extracted: cobaltstrike (watermark 999999)
URL: http://dash.139pro.com:8880/w/static/js/chunk-vendors.811798f9.js
access_type: 512
host: dash.139pro.com,/w/static/js/chunk-vendors.811798f9.js
http_method1: GET
http_method2: POST
jitter: 9472
polling_time: 1000
port_number: 8880
sc_process32: %windir%\syswow64\dllhost.exe
sc_process64: %windir%\sysnative\dllhost.exe
state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCsaux/wtu42BOnD2ggcEwMY95Evz5CW0fQx0ahyfR8HW/DflLHIQ4ewNdq3O0uHj71HDIrT6ChacHhvuDqvs1UD5IxDN8Auubbj3cWEkYrA6iS2wBL6O5uSwelCcOa0+ckWFDTP9ISLCyE5U+hBAj32r4+41KjlyyKZTCfYcog5QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 1.633293568e+09
unknown2: AAAABAAAAAEAAAIlAAAAAgAAAFQAAAACAAACjQAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /w/static/js/chunk-vendors.8l1798f9.js
user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
watermark: 999999
Signatures
Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description              | pid  | process
  Token: SeDebugPrivilege  | 1804 | host.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                      | pid  | process  | target process
  PID 1804 wrote to memory of 4072 | 1804 | host.exe | NOTEPAD.EXE
  PID 1804 wrote to memory of 4072 | 1804 | host.exe | NOTEPAD.EXE
  PID 1804 wrote to memory of 4072 | 1804 | host.exe | NOTEPAD.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\20220124svchost\host.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\20220124svchost\host.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\WINDOWS\SYSTEM32\NOTEPAD.EXE
      Command line: "C:\WINDOWS\SYSTEM32\NOTEPAD.EXE"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/1804-115-0x0000000000480000-0x0000000000488000-memory.dmp (Filesize: 32KB)
memory/4072-116-0x000001B78FBB0000-0x000001B78FBB1000-memory.dmp (Filesize: 4KB)
memory/4072-117-0x000001B793080000-0x000001B7938F2000-memory.dmp (Filesize: 8.4MB)
memory/4072-118-0x000001B793080000-0x000001B793480000-memory.dmp (Filesize: 4.0MB)