Analysis
- max time kernel: 146s
- max time network: 148s
- platform: windows10-1703_x64
- resource: win10-20230220-en
- resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 21-02-2023 04:15
Static task
- static1

Behavioral tasks
- behavioral1: sample tianqin.dll, resource win10-20230220-en
- behavioral2: sample tianqin.dll, resource win7-20230220-en
- behavioral3: sample tianqin.dll, resource win10v2004-20230220-en
General
- Target: tianqin.dll
- Size: 114KB
- MD5: 76616710538d3a565c768c51d5a55abc
- SHA1: 1e92575313409eaf847a966ef1d3f001fb4631df
- SHA256: 8b960c45753593ef4f320a402c20424ab6fe775c163b65d7c03fb89f89378094
- SHA512: 718cd5bff0e72dc964d870d9c47d13ef55739345b3d450222a49c435bd0fb5df45a1ca1025ca827faf5e6e0b0e9e590229b4bce6aeaa620e23756827db17c2e4
- SSDEEP: 3072:3XfxrOJuHUIxeyVegFT2FkzDOxfCmPn7:nfRlUItt/CxqO
Malware Config

Extracted: metasploit
- windows/download_exec
- http://info.bookworld-langchao.work:2096/FpaE

Extracted: cobaltstrike
- 305419896
- http://info.bookworld-langchao.work:2096/jquery.js
- access_type: 512
- beacon_type: 2048
- host: info.bookworld-langchao.work,/jquery.js
- http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAABAAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALHNjaC1obHQ9cy0yNEtVMTFXQjgyUlpTWUdKM1dFUnwxNTI5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_header2: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAQAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
- http_method1: GET
- http_method2: POST
- jitter: 5120
- maxdns: 255
- polling_time: 5000
- port_number: 2096
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrZ4M1kDofy9bq2RX/5+t9xbZFdiF0uw8B92fNu6tPEldEJ/0BA7zeNUkN6EUHEX5kFGyRfUOjVxHKOnnHMTqckPQi9/ARmPX9w5ccQXuGoLD8BXWBCJh+PK7fLyXTeOQe448vqgE51IxqSY+WVj03d2pE+dLTiXixqlOZ0ykrdQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 4096
- unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /N5632/sadj/display.js
- user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
- watermark: 305419896
Signatures
- Cobaltstrike: Detected malicious payload which is part of Cobaltstrike.
- MetaSploit: Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Blocklisted process makes network request (27 IoCs)
  Processes (flow / pid / process): flows 1, 4, 6, 7, 9, 10, 11, 12, 13, 14, 17, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34; every flow from pid 2960, rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description / pid / process / target process): "PID 2540 wrote to memory of 2960", 2540, rundll32.exe, rundll32.exe (reported three times)
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\tianqin.dll,#1
  - Suspicious use of WriteProcessMemory
  - child: C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\tianqin.dll,#1
    - Blocklisted process makes network request
Downloads
- memory/2960-121-0x0000000073710000-0x0000000073735000-memory.dmp (148KB)
- memory/2960-122-0x00000000009C0000-0x00000000009C5000-memory.dmp (20KB)
- memory/2960-123-0x00000000049D0000-0x0000000004DD0000-memory.dmp (4.0MB)
- memory/2960-124-0x0000000004DD0000-0x0000000004E0D000-memory.dmp (244KB)
- memory/2960-125-0x0000000073710000-0x0000000073735000-memory.dmp (148KB)
- memory/2960-126-0x0000000004DD0000-0x0000000004E0D000-memory.dmp (244KB)