Overview

overview

10

Static

static

gwui.dll

windows7_x64

10

gwui.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    173s
  • max time network
    201s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    08-02-2022 22:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    gwui.dll

  • Size

    211KB

  • MD5

    ac581207ef80437a961f2ada3a47d763

  • SHA1

    62964395bbc5fbee65dac62e0233ce8377674b2c

  • SHA256

    b6262f4aa06d0bf045d95e3fcbc142f1d1d98f053da5714e3570482f0cf93b65

  • SHA512

    e0e079b3271cf71b582c6d1ea9326860f7c7467051c7aaacab7f19115390655341200fdba1e0b01e2b6225e8ed2efb0a1cdc55bd7fccb120060d89cb0d493bc2

Score
10/10
cobaltstrikebackdoortrojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://foxofeli.com:443/image-directory/dhl.jpg

Attributes
  • user_agent

    Host: weibo.com Connection: close Accept-Language: fr-CH, fr;q=0.9, en;q=0.8, de;q=0.7, *;q=0.5 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Drops file in Windows directory 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 45 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\gwui.dll
    1⤵
      PID:1692
    • C:\Windows\system32\MusNotifyIcon.exe
      %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
      1⤵
      • Checks processor information in registry
      PID:1636
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k NetworkService -p
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:1848

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1692-130-0x0000000000F90000-0x0000000000F9A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1692-131-0x0000000003530000-0x0000000003930000-memory.dmp
      Filesize

      4.0MB

      Download