Analysis
max time kernel: 128s
max time network: 135s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 23-08-2023 00:09
Behavioral task: behavioral1
Sample: f7714a6adf58a4ff4d44be68e5bbd676c860f3560cf20b821051d0948c491bfa.dll
Resource: win7-20230712-en
Behavioral task: behavioral2
Sample: f7714a6adf58a4ff4d44be68e5bbd676c860f3560cf20b821051d0948c491bfa.dll
Resource: win10v2004-20230703-en
General
Target: f7714a6adf58a4ff4d44be68e5bbd676c860f3560cf20b821051d0948c491bfa.dll
Size: 9KB
MD5: 92fe208986491f8510883bbff5391bc3
SHA1: 386fc5e8af6fd706876320a933149467303ca8e2
SHA256: f7714a6adf58a4ff4d44be68e5bbd676c860f3560cf20b821051d0948c491bfa
SHA512: cbd7f47f81576d231011c0b62e5cce32e83dd95154fd30530e9d44211f6a4dc34cff0ccfbfb59026653f72bb90fcf56fc7c731179241a63a9990d930afca0424
SSDEEP: 48:q0r+l6O5aXyn/hNhx4/jC/VyR9x3P7cvAw5av9w/nuPLLCKRb0E:dX0Y7x34r5av2nELLP
Malware Config
Extracted: cobaltstrike
http://43.138.188.41:5556/ZLBu
user_agent: User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; QQDownload 733; .NET CLR 2.0.50727)
Extracted: cobaltstrike
305419896
http://43.138.188.41:5556/cm
access_type: 512
host: 43.138.188.41,/cm
http_header1: (base64 value omitted)
http_header2: (base64 value omitted)
http_method1: GET
http_method2: POST
maxdns: 255
polling_time: 60000
port_number: 5556
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine: (base64 value omitted)
unknown1: 4096
unknown2: (base64 value omitted)
uri: /submit.php
user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
watermark: 305419896
Extracted: cobaltstrike
0
watermark: 0
Signatures
Cobaltstrike: Detected malicious payload which is part of Cobaltstrike.
Blocklisted process makes network request (4 IoCs)
Processes: rundll32.exe
  flow  pid   process
  4     2352  rundll32.exe
  5     2352  rundll32.exe
  6     2352  rundll32.exe
  7     2352  rundll32.exe
Suspicious use of SetThreadContext (1 IoC)
Processes: rundll32.exe
  description                           pid   process       target process
  PID 2300 set thread context of 2352   2300  rundll32.exe  rundll32.exe
Suspicious use of WriteProcessMemory (4 IoCs)
Processes: rundll32.exe
  description                           pid   process       target process
  PID 2300 wrote to memory of 2352      2300  rundll32.exe  rundll32.exe
  PID 2300 wrote to memory of 2352      2300  rundll32.exe  rundll32.exe
  PID 2300 wrote to memory of 2352      2300  rundll32.exe  rundll32.exe
  PID 2300 wrote to memory of 2352      2300  rundll32.exe  rundll32.exe
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7714a6adf58a4ff4d44be68e5bbd676c860f3560cf20b821051d0948c491bfa.dll,#1
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\rundll32.exe
      Command line: rundll32.exe
      - Blocklisted process makes network request
Network
MITRE ATT&CK Matrix
Downloads
memory/2352-54-0x0000000000060000-0x0000000000061000-memory.dmp (Filesize: 4KB)
memory/2352-56-0x0000000000060000-0x0000000000061000-memory.dmp (Filesize: 4KB)
memory/2352-57-0x0000000002B60000-0x0000000002F60000-memory.dmp (Filesize: 4.0MB)
memory/2352-58-0x0000000001C00000-0x0000000001C4C000-memory.dmp (Filesize: 304KB)
memory/2352-59-0x0000000001C00000-0x0000000001C4C000-memory.dmp (Filesize: 304KB)