Analysis
- max time kernel: 130s
- max time network: 147s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 31-01-2022 04:09
Behavioral task: behavioral1
- Sample: 712fb79d19d8e77a9f0b3f7d469a7277315838e242c821ee361ca70e1099d932.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 712fb79d19d8e77a9f0b3f7d469a7277315838e242c821ee361ca70e1099d932.exe
- Resource: win10-en-20211208
General
- Target: 712fb79d19d8e77a9f0b3f7d469a7277315838e242c821ee361ca70e1099d932.exe
- Size: 833KB
- MD5: 70ef6b2d2f01d1ff0732f7d9617b610e
- SHA1: 40bc8629f145c9092408482ca126e322a26eab47
- SHA256: 712fb79d19d8e77a9f0b3f7d469a7277315838e242c821ee361ca70e1099d932
- SHA512: 8ceded8c21513d3e77ca66ea6c694e763f4c597d109b58dbecb4873ca97b1cea779eda14b03640db0adf5aa00a8ef6eeac67948057e0594d3fb395769547f981
Malware Config
Extracted: cobaltstrike
- 0: http://smart-summary.com:443/assets/environment-f0a84e0c1.js
- access_type: 512
- beacon_type: 2048
- host: smart-summary.com,/assets/environment-f0a84e0c1.js
- http_method1: GET
- http_method2: GET
- jitter: 9472
- polling_time: 25000
- port_number: 443
- sc_process32: %windir%\syswow64\dllhost1.exe
- sc_process64: %windir%\sysnative\dllhost1.exe
- state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQClb9YN/Mm0G5C15pg8YXJjbOaNzDpbbtHQjkO4a7QyI5S8GBUo4wHC/t749hHX4V/y8HsoYowFgoaCmvt4klm6yW2DD9JIlzwd8g9mOjCbJVpmGABHAvfhMgEeY8FMteSyerUExVNxvh7Oj8kiAhWwSZZz8pRniaSkkVtPlLb3+wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 3.3969984e+09
- unknown2: AAAABAAAAAEAAAAyAAAAAgAAACQAAAACAAAlGQAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown3: 1.610612736e+09
- uri: /assets/chunk-vendor-4c69db4f.js
- user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36
- watermark: 0
Signatures
- Cobaltstrike: Detected malicious payload which is part of Cobaltstrike.
- Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
description | pid | process | target process
PID 1660 wrote to memory of 524 | 1660 | 712fb79d19d8e77a9f0b3f7d469a7277315838e242c821ee361ca70e1099d932.exe | upnpcont.exe
PID 1660 wrote to memory of 524 | 1660 | 712fb79d19d8e77a9f0b3f7d469a7277315838e242c821ee361ca70e1099d932.exe | upnpcont.exe
PID 1660 wrote to memory of 524 | 1660 | 712fb79d19d8e77a9f0b3f7d469a7277315838e242c821ee361ca70e1099d932.exe | upnpcont.exe
PID 1660 wrote to memory of 524 | 1660 | 712fb79d19d8e77a9f0b3f7d469a7277315838e242c821ee361ca70e1099d932.exe | upnpcont.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\712fb79d19d8e77a9f0b3f7d469a7277315838e242c821ee361ca70e1099d932.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\712fb79d19d8e77a9f0b3f7d469a7277315838e242c821ee361ca70e1099d932.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\upnpcont.exe (child of 1)
      Command line: upnpcont.exe
Network
MITRE ATT&CK Matrix
Downloads
- memory/524-58-0x0000000001C20000-0x0000000002092000-memory.dmp (Filesize: 4.4MB)
- memory/524-59-0x0000000000060000-0x00000000000A0000-memory.dmp (Filesize: 256KB)
- memory/524-60-0x000007FEFC0E1000-0x000007FEFC0E3000-memory.dmp (Filesize: 8KB)
- memory/524-61-0x0000000001C20000-0x0000000002092000-memory.dmp (Filesize: 4.4MB)
- memory/1660-55-0x0000000000400000-0x00000000004D5000-memory.dmp (Filesize: 852KB)
- memory/1660-57-0x00000000001D0000-0x000000000028F000-memory.dmp (Filesize: 764KB)