Analysis
-
max time kernel
161s -
max time network
180s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
07-11-2022 13:27
General
-
Target
ab0be423a7c0940154615c731074f4e09104501a338573dd3dde297445b52bbe.dll
-
Size
687KB
-
MD5
28e6011c2a4a975209a0e7a4881a5266
-
SHA1
8dfa65157fc14b54fc89696ad6a6022fce42d6f0
-
SHA256
ab0be423a7c0940154615c731074f4e09104501a338573dd3dde297445b52bbe
-
SHA512
1b6e892cb9b3425ac8afbae0ef3a4450438257c33cab630dfc6455226780161ddaddfb0a82095d8584a3f605ccad685597cd3e64e5a950b96f8a3fc706fc53d1
-
SSDEEP
6144:VNFNN0quA/N3zYXtrps4king/r2kYI7JvHM:VT0C/lws4king/r2ZIu
Malware Config
Extracted
cobaltstrike
305419896
http://185.162.235.61:80/fwlink
-
access_type
512
-
host
185.162.235.61,/fwlink
-
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
maxdns
255
-
polling_time
60000
-
port_number
80
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCcsZBIeupBvTv1XFS17TKfvCpS1G4R35yenr0uhYON4par8SWqXcB2CyCwmtQnP22N2G9g7JZbM4d673Yjb5OW5WE77QV4Z4tOlQh+gj45HfOoZI+Z570/jIhnNiz8ltNriZj4XB1Nswis0ePPGY5ZhCvCBQ/udFDLlaAX2RUG0QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/submit.php
-
user_agent
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
-
watermark
305419896
Extracted
cobaltstrike
0
-
watermark
0
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\ab0be423a7c0940154615c731074f4e09104501a338573dd3dde297445b52bbe.dll1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd.exe /c echo 1234567890 && ping -n 6 127.0.0.12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\PING.EXEping -n 6 127.0.0.13⤵
- Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/4376-133-0x0000000000000000-mapping.dmp
-
memory/4656-132-0x0000000000000000-mapping.dmp
-
memory/4716-134-0x0000000001FC0000-0x0000000002000000-memory.dmpFilesize
256KB
-
memory/4716-135-0x0000000001F40000-0x0000000001F8C000-memory.dmpFilesize
304KB