General
-
Target
9023247984.zip
-
Size
419KB
-
Sample
230206-w67rbaae6w
-
MD5
349ec863a3a3daf935cbb7dbcb2fa2bd
-
SHA1
a2695f30651e7138ae095a42fb68ce004767313d
-
SHA256
b8191fcab4089c6089d8dd0bf7a81380b49dece0ec055ed15195a20a18ee06cf
-
SHA512
b8da84f057504cc02651cea09ad329738f73a8f071f6a84c7506b38229ba65ed5c0190d0e29be83761df7d6e061d0628d70f3c62b703d9e2b1dbe3378b49bda3
-
SSDEEP
12288:ejkgK6u5SRqOtJtMcSd4gnjiYi8mvQS+GYtwKymZax1/b6p:eIuDRqOxMj4gnGYTMWtwCy1TE
Static task
static1
Behavioral task
behavioral1
Sample
RuntimeBroker.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
RuntimeBroker.exe
Resource
win10v2004-20221111-en
Behavioral task
behavioral3
Sample
info.txt
Resource
win7-20221111-en
Behavioral task
behavioral4
Sample
info.txt
Resource
win10v2004-20220901-en
Behavioral task
behavioral5
Sample
umpdc.dll
Resource
win7-20220812-en
Behavioral task
behavioral6
Sample
umpdc.dll
Resource
win10v2004-20221111-en
Malware Config
Extracted
cobaltstrike
987654321
http://45.12.253.139:443/an.js
-
access_type
512
-
beacon_type
2048
-
host
45.12.253.139,/an.js
-
http_header1
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
-
http_header2
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
-
http_method1
GET
-
http_method2
POST
-
jitter
9472
-
polling_time
55991
-
port_number
443
-
sc_process32
%windir%\syswow64\dllhost.exe
-
sc_process64
%windir%\sysnative\dllhost.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCMEuNG3asVOp+bgSmSog10bB55R9e+aj5dF2sVbnRjA/dTkltRdDD0DdF5vJh/gURBikZ4FxqqmfqR2SPAheOzDDrYvV7ScpwPkZe8IUd/DbJmPs30ST9SGHn+eLjTQQEU+I142t7yTsO7HCKf1CTDMHfS3PNoz3V8ivNRwL1aiQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
9.63976192e+08
-
unknown2
AAAABAAAAAIAAANxAAAAAwAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/ch
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/42.0.2311.135
-
watermark
987654321
Targets
-
-
Target
RuntimeBroker.exe
-
Size
100KB
-
MD5
ba4cfe6461afa1004c52f19c8f2169dc
-
SHA1
ab8539ef6b2a93ff9589dec4b34a0257b6296c92
-
SHA256
e86870769ee6c797e09457bd99c58d9bf2303cf0193a24ef9b1222c2c3daf628
-
SHA512
2c5190d7609767237311260f241c619b82434ca640f396bb9710d356286844f82f320f9e05525a38707f2a52977790c0c3e2a217b36a7f0095a87c138b939af0
-
SSDEEP
1536:l5gC0wSKok6UAeVEBFgvozLmwCedFpQHI8PXjYlTx/2whBGE/5K5/EJD2VEUcO8h:sC+vEArBCgmejo8X/2whRJDAE2r+e
Score 10/10
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Adds Run key to start application
-
-
-
Target
info.txt
-
Size
174KB
-
MD5
84b90b27b759c98f05d35e2936939ea2
-
SHA1
0a398991b1559455da5333b696da112af07f028e
-
SHA256
161854614e6405d6899e19409cee5fc8b08fc08a0c52c208593c059f93b869f8
-
SHA512
b1aa38152af47a156a426794d2d2a4560a736ff7447a54327df629bb9e09c8a22d54360615dc73ba4ed435c188a2b07d13962b6823a30bc1a8c0647d0e64e564
-
SSDEEP
3072:vpIKIHU84AKvpmlIUj/k0uw5tTHf/bXtdn8OqxbuRTVpi6q:hIelvE7LuCl//bXWuJXi6q
Score 1/10
-
-
Target
umpdc.dll
-
Size
391KB
-
MD5
1570c92c1c5f039c438295ac68ff7e82
-
SHA1
3ee6c1d3582361e8af4efec44b1d1420494ab728
-
SHA256
b41b4e32607a4e21593332da63ce1bcf9c1d43f8f6754789a43bea7428833ea4
-
SHA512
fbf28062d81538f814e1a615caf9993aa24e54fd0b7ff84ead7e22002bac0a4c866d334fd445d6c7844289a7310e82a0febd07d7f02536ea51d11f9f884e4992
-
SSDEEP
6144:JAuyRydkljgV0gy791xfB9yDAxRX9yMhklyCgk0gyWYFgdDlmZdHyHydkl9Tr0g/:JAAU8V0ZrH88Y2k0md8dHdUB0BwH
Score 10/10
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Adds Run key to start application
-