Analysis
-
max time kernel
161s -
max time network
180s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted
07-11-2022 13:27
Static task
static1
Behavioral task
behavioral1
Sample
ab0be423a7c0940154615c731074f4e09104501a338573dd3dde297445b52bbe.dll
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
ab0be423a7c0940154615c731074f4e09104501a338573dd3dde297445b52bbe.dll
Resource
win10v2004-20220812-en
General
-
Target
ab0be423a7c0940154615c731074f4e09104501a338573dd3dde297445b52bbe.dll
-
Size
687KB
-
MD5
28e6011c2a4a975209a0e7a4881a5266
-
SHA1
8dfa65157fc14b54fc89696ad6a6022fce42d6f0
-
SHA256
ab0be423a7c0940154615c731074f4e09104501a338573dd3dde297445b52bbe
-
SHA512
1b6e892cb9b3425ac8afbae0ef3a4450438257c33cab630dfc6455226780161ddaddfb0a82095d8584a3f605ccad685597cd3e64e5a950b96f8a3fc706fc53d1
-
SSDEEP
6144:VNFNN0quA/N3zYXtrps4king/r2kYI7JvHM:VT0C/lws4king/r2ZIu
Malware Config
Extracted
cobaltstrike
305419896
http://185.162.235.61:80/fwlink
-
access_type
512
-
host
185.162.235.61,/fwlink
-
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
maxdns
255
-
polling_time
60000
-
port_number
80
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCcsZBIeupBvTv1XFS17TKfvCpS1G4R35yenr0uhYON4par8SWqXcB2CyCwmtQnP22N2G9g7JZbM4d673Yjb5OW5WE77QV4Z4tOlQh+gj45HfOoZI+Z570/jIhnNiz8ltNriZj4XB1Nswis0ePPGY5ZhCvCBQ/udFDLlaAX2RUG0QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/submit.php
-
user_agent
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
-
watermark
305419896
Extracted
cobaltstrike
0
-
watermark
0
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes: regsvr32.exe, cmd.exe
description                        pid   process       target process
PID 4716 wrote to memory of 4656   4716  regsvr32.exe  cmd.exe
PID 4716 wrote to memory of 4656   4716  regsvr32.exe  cmd.exe
PID 4656 wrote to memory of 4376   4656  cmd.exe       PING.EXE
PID 4656 wrote to memory of 4376   4656  cmd.exe       PING.EXE
Processes
-
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ab0be423a7c0940154615c731074f4e09104501a338573dd3dde297445b52bbe.dll
- Suspicious use of WriteProcessMemory
-
  C:\Windows\system32\cmd.exe
  cmd.exe /c echo 1234567890 && ping -n 6 127.0.0.1
- Suspicious use of WriteProcessMemory
-
    C:\Windows\system32\PING.EXE
    ping -n 6 127.0.0.1
- Runs ping.exe