Analysis
-
max time kernel
136s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
10-01-2023 17:31
Static task
static1
Behavioral task
behavioral1
Sample
document01.lnk
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
document01.lnk
Resource
win10v2004-20221111-en
Behavioral task
behavioral3
Sample
ipchains.dll
Resource
win7-20220901-en
Behavioral task
behavioral4
Sample
ipchains.dll
Resource
win10v2004-20220812-en
Behavioral task
behavioral5
Sample
price.bat
Resource
win7-20220812-en
Behavioral task
behavioral6
Sample
price.bat
Resource
win10v2004-20221111-en
General
-
Target
ipchains.dll
-
Size
572KB
-
MD5
8fdd7858bf72589cafba3e8f98a6730b
-
SHA1
ee3d8b9e6c4fc004a167d8ad5cfd1b479d009769
-
SHA256
39cc8085e331d0fbf1122e561472f87611de3df5f70344ac7b160d96b3cf576f
-
SHA512
0666c91cdf842f5755cffbfb7da8d69a84de024d90d56772e3fe9b71b0c923791205e9215469c96cd3d66f8ba2956fc9d3fc99303481b72eb00ac7de7b97a7ad
-
SSDEEP
6144:5RsC6WbKlOsSPfGGu3KFGSpdc0x/POh4OML3OLyK9kon8m5I5XWOFLBSmOJQgyxy:5qt7s3TvV4hBML3OLyoytj2mzdI
Malware Config
Extracted
cobaltstrike
1580103814
http://23.108.57.161:443/Forums.css
http://157.254.194.123:443/Forums.css
http://182.23.109.22:443/bn.css
http://157.72.142.1:443/Forums.css
-
access_type
512
-
beacon_type
2048
-
host
23.108.57.161,/Forums.css,157.254.194.123,/Forums.css,182.23.109.22,/bn.css,157.72.142.1,/Forums.css
-
http_header1
AAAAEAAAAA1Ib3N0OiBtc24uY29tAAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAcAAAAAAAAAAwAAAAMAAAACAAAAEG1hZGVfd3JpdGVfY29ubj0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAAEAAAAA1Ib3N0OiBtc24uY29tAAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAoAAAAWQWNjZXB0LUxhbmd1YWdlOiBlbi1VUwAAAAoAAAAYQ29udGVudC1UeXBlOiB0ZXh0L3BsYWluAAAABwAAAAEAAAADAAAAAwAAAAQAAAAHAAAAAAAAAAMAAAACAAAADl9fc2Vzc2lvbl9faWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
10496
-
polling_time
5000
-
port_number
443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGR0Qh3y+EUBYe3BK7qolMM8JPwPWG3qSISL7jSnjkuexL5sMHLtzoO5zoQBy+e4TrkofBD2/CsND498lUEN11cFR9Kw1NFw6DnLSlodbOZoq4yAd4rqFrAU7pQXMn+TDas8ZyiZ1Gk0sb29Z3S9pi2fsZj2g4ZLC8cpJipJJRmQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
2.708806656e+09
-
unknown2
AAAABAAAAAIAAAPVAAAAAwAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/dz
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246
-
watermark
1580103814
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Blocklisted process makes network request 13 IoCs
Processes:
rundll32.exeflow pid process 1 2816 rundll32.exe 7 2816 rundll32.exe 14 2816 rundll32.exe 23 2816 rundll32.exe 24 2816 rundll32.exe 41 2816 rundll32.exe 43 2816 rundll32.exe 44 2816 rundll32.exe 45 2816 rundll32.exe 48 2816 rundll32.exe 49 2816 rundll32.exe 50 2816 rundll32.exe 51 2816 rundll32.exe
Processes
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2816-132-0x0000021804590000-0x000002180461B000-memory.dmpFilesize
556KB
-
memory/2816-133-0x0000021804190000-0x0000021804590000-memory.dmpFilesize
4.0MB
-
memory/2816-134-0x0000021804590000-0x000002180461B000-memory.dmpFilesize
556KB
-
memory/2816-135-0x0000021804190000-0x0000021804590000-memory.dmpFilesize
4.0MB