Analysis
-
max time kernel
139s
-
max time network
155s
-
platform
windows10-2004_x64
-
resource
win10v2004-20230703-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
23-08-2023 00:09
Behavioral task
behavioral1
Sample
f7714a6adf58a4ff4d44be68e5bbd676c860f3560cf20b821051d0948c491bfa.dll
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
f7714a6adf58a4ff4d44be68e5bbd676c860f3560cf20b821051d0948c491bfa.dll
Resource
win10v2004-20230703-en
General
-
Target
f7714a6adf58a4ff4d44be68e5bbd676c860f3560cf20b821051d0948c491bfa.dll
-
Size
9KB
-
MD5
92fe208986491f8510883bbff5391bc3
-
SHA1
386fc5e8af6fd706876320a933149467303ca8e2
-
SHA256
f7714a6adf58a4ff4d44be68e5bbd676c860f3560cf20b821051d0948c491bfa
-
SHA512
cbd7f47f81576d231011c0b62e5cce32e83dd95154fd30530e9d44211f6a4dc34cff0ccfbfb59026653f72bb90fcf56fc7c731179241a63a9990d930afca0424
-
SSDEEP
48:q0r+l6O5aXyn/hNhx4/jC/VyR9x3P7cvAw5av9w/nuPLLCKRb0E:dX0Y7x34r5av2nELLP
Malware Config
Extracted
cobaltstrike
http://43.138.188.41:5556/ZLBu
-
user_agent
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; QQDownload 733; .NET CLR 2.0.50727)
Extracted
cobaltstrike
305419896
http://43.138.188.41:5556/cm
-
access_type
512
-
host
43.138.188.41,/cm
-
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
maxdns
255
-
polling_time
60000
-
port_number
5556
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnCZHWnYFqYB/6gJdkc4MPDTtBJ20nkEAd3tsY4tPKs8MV4yIjJb5CtlrbKHjzP1oD/1AQsj6EKlEMFIKtakLx5+VybrMYE+dDdkDteHmVX0AeFyw001FyQVlt1B+OSNPRscKI5sh1L/ZdwnrMy6S6nNbQ5N5hls6k2kgNO5nQ7QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/submit.php
-
user_agent
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
-
watermark
305419896
Extracted
cobaltstrike
0
-
watermark
0
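The http_header1 and http_header2 values above are Cobalt Strike transform-step lists, not opaque blobs: a sequence of 4-byte big-endian opcodes, string arguments stored as a u32 length followed by the bytes, and a zero opcode ending the list (the long tail of A characters is zero padding). The block below is an added example, not code from the report, the sandbox, or Cobalt Strike, that decodes both blobs and renders them as the equivalent http-get and http-post client blocks of a malleable C2 profile. The opcode numbering is the one used by the public beacon-config parsers (CobaltStrikeParser, 1768.py); only opcodes 3, 4, 5, 6, 7 and 10 occur in this sample, so the rest of the table is carried over from those parsers rather than exercised here. Decoded, both headers are the stock profile: metadata base64-encoded into a Cookie header on GET, the session id sent as the id parameter and output printed as the POST body. Two further points from the same config: the watermark 305419896 is 0x12345678, a placeholder value commonly reported from cracked and trial builds rather than a customer licence ID, and the value labelled state_machine is the beacon's 1024-bit RSA public key as a DER SubjectPublicKeyInfo (the MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ prefix is that structure's fixed header) followed by zero padding, which is what you would fingerprint to tie this sample to other beacons from the same team server.

```python
"""Decode the http_header1 / http_header2 transform blobs of an extracted
Cobalt Strike beacon config back into malleable C2 profile syntax.

Added example; not code from the report, the sandbox or Cobalt Strike.
Opcode numbering follows public beacon-config parsers (CobaltStrikeParser,
1768.py); only opcodes 3, 4, 5, 6, 7 and 10 occur in this sample, the rest of
the table is carried over from those parsers and not exercised here.
"""
import base64
import struct

# Constructed inputs: the two blobs from the report with their long run of
# trailing zero padding trimmed (a zero opcode terminates the list anyway).
HTTP_GET_BLOB = "AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAA"
HTTP_POST_BLOB = (
    "AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVh"
    "bQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAA"
)

OPCODES = {
    1: "append", 2: "prepend", 3: "base64", 4: "print", 5: "parameter",
    6: "header", 7: "build", 8: "netbios", 9: "const_parameter",
    10: "const_header", 11: "netbiosu", 12: "uri_append", 13: "base64url",
    14: "strrep", 15: "mask", 16: "const_host_header",
}
ONE_STRING_ARG = {1, 2, 5, 6, 9, 10, 16}  # opcode, u32 length, bytes
TWO_STRING_ARGS = {14}                    # strrep "from" "to"


def _u32(data, off):
    """Every opcode, build selector and string length is a big-endian u32."""
    if off + 4 > len(data):
        raise ValueError(f"truncated blob at offset {off}")
    return struct.unpack(">I", data[off:off + 4])[0], off + 4


def _string(data, off):
    n, off = _u32(data, off)
    if off + n > len(data):
        raise ValueError(f"string runs past end of blob at offset {off}")
    return data[off:off + n].decode("latin-1"), off + n


def parse_transform(blob_b64, section):
    """Return [(step, arg), ...]; section is "get" or "post", which decides
    what a build selector of 0 means (metadata for GET, session id for POST)."""
    data = base64.b64decode(blob_b64)
    steps, off = [], 0
    while True:
        op, off = _u32(data, off)
        if op == 0:
            return steps
        name = OPCODES.get(op)
        if name is None:
            raise ValueError(f"unknown transform opcode {op} at offset {off - 4}")
        if op == 7:                      # build: the beacon field the next steps encode
            which, off = _u32(data, off)
            arg = ("metadata" if section == "get" else "id") if which == 0 else "output"
        elif op in ONE_STRING_ARG:
            arg, off = _string(data, off)
        elif op in TWO_STRING_ARGS:
            a, off = _string(data, off)
            b, off = _string(data, off)
            arg = (a, b)
        else:
            arg = None
        steps.append((name, arg))


def to_profile(section, steps):
    """Render the steps as the client block of an http-get / http-post profile section."""
    lines, in_block = [f"http-{section} {{", "  client {"], False
    for name, arg in steps:
        if name == "build":
            if in_block:
                lines.append("    }")
            lines.append(f"    {arg} {{")
            in_block = True
            continue
        if name in ("const_header", "const_parameter"):
            name = name[len("const_"):]  # fixed client header/parameter, keyword without prefix
        if arg is None:
            stmt = f"{name};"
        elif isinstance(arg, tuple):
            stmt = f'{name} "{arg[0]}" "{arg[1]}";'
        else:
            stmt = f'{name} "{arg}";'
        lines.append(("      " if in_block else "    ") + stmt)
    if in_block:
        lines.append("    }")
    return "\n".join(lines + ["  }", "}"])


if __name__ == "__main__":
    for section, blob in (("get", HTTP_GET_BLOB), ("post", HTTP_POST_BLOB)):
        print(to_profile(section, parse_transform(blob, section)))
```

Running it prints the http-get block with metadata { base64; header "Cookie"; } and the http-post block with header "Content-Type: application/octet-stream"; id { parameter "id"; } output { print; }. A blob that ends before its zero opcode, or a string whose length overruns the data, raises rather than silently yielding a partial profile, which matters when the config was carved from a memory dump with the tail overwritten.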
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Blocklisted process makes network request 4 IoCs
Processes (flow / pid / process):
  1 / 636 / rundll32.exe
  9 / 636 / rundll32.exe
  38 / 636 / rundll32.exe
  44 / 636 / rundll32.exe
Suspicious use of SetThreadContext 1 IoCs
Processes (description / pid / process / target process):
  PID 1748 set thread context of 636 / 1748 / rundll32.exe / rundll32.exe
Suspicious use of WriteProcessMemory 3 IoCs
Processes (description / pid / process / target process):
  PID 1748 wrote to memory of 636 / 1748 / rundll32.exe / rundll32.exe
  PID 1748 wrote to memory of 636 / 1748 / rundll32.exe / rundll32.exe
  PID 1748 wrote to memory of 636 / 1748 / rundll32.exe / rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exe (PID 1748, depth 1)
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7714a6adf58a4ff4d44be68e5bbd676c860f3560cf20b821051d0948c491bfa.dll,#1
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe (PID 636, depth 2, child of PID 1748)
Command line: rundll32.exe
- Blocklisted process makes network request
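The three signatures and the process tree describe one chain: rundll32.exe (PID 1748), loaded with the sample DLL, spawns a second rundll32.exe (PID 636), writes into it three times, sets a thread context in it, and it is the child, not the loader, that produces the four network flows. That is the beacon's spawnto behaviour: sc_process32 and sc_process64 in the extracted config are both rundll32.exe, so the loader injects the beacon into a fresh copy of that binary and the C2 traffic originates there. The block below is an added example, not part of the report, that correlates such events into a single finding instead of three separate alerts; the event records are constructed from the PIDs, images and flow ids in the Signatures section, and the tuple layout and finding field names are this example's own, not a sandbox or Sysmon schema.

```python
"""Correlate the injection chain the sandbox flagged above into one finding.

Added example, not part of the report. The event records below are
constructed from the PIDs, images and flow ids in the Signatures section and
the parent/child relationship in the process tree; the tuple layout and the
finding's field names are this example's own, not a sandbox or Sysmon schema.
"""
from collections import defaultdict

# (event, acting pid, acting image, target pid or flow id) - constructed from the report
EVENTS = [
    ("CreateProcess",      1748, "rundll32.exe", 636),
    ("WriteProcessMemory", 1748, "rundll32.exe", 636),
    ("WriteProcessMemory", 1748, "rundll32.exe", 636),
    ("WriteProcessMemory", 1748, "rundll32.exe", 636),
    ("SetThreadContext",   1748, "rundll32.exe", 636),
    ("NetworkRequest",      636, "rundll32.exe", 1),
    ("NetworkRequest",      636, "rundll32.exe", 9),
    ("NetworkRequest",      636, "rundll32.exe", 38),
    ("NetworkRequest",      636, "rundll32.exe", 44),
]

# sc_process32 / sc_process64 from the extracted config, basename only
SPAWNTO = {"rundll32.exe"}


def find_injected_beacons(events, spawnto=SPAWNTO):
    """Return one finding per (injector, target) pair where the injector both
    wrote the target's memory and set a thread context in it, and the target
    then generated network traffic. Either half alone (a debugger writing
    memory; an ordinary child talking to the network) is not reported."""
    writes = defaultdict(int)
    thread_ctx = set()
    parent, image = {}, {}
    flows = defaultdict(list)
    for event, pid, img, arg in events:
        image[pid] = img
        if event == "CreateProcess":
            parent[arg] = pid
        elif event == "WriteProcessMemory":
            writes[(pid, arg)] += 1
        elif event == "SetThreadContext":
            thread_ctx.add((pid, arg))
        elif event == "NetworkRequest":
            flows[pid].append(arg)

    findings = []
    for injector, target in sorted(thread_ctx):
        if not writes[(injector, target)] or not flows[target]:
            continue
        findings.append({
            "injector": injector,
            "target": target,
            "memory_writes": writes[(injector, target)],
            "flows": flows[target],
            "spawned_by_injector": parent.get(target) == injector,
            # beacon spawnto: injector launched its configured sacrificial binary
            "target_is_spawnto": image.get(target, "").lower() in spawnto,
        })
    return findings


if __name__ == "__main__":
    for finding in find_injected_beacons(EVENTS):
        print(finding)
```

On the report's events this yields a single finding for 1748 -> 636 with three memory writes, flows 1, 9, 38 and 44, spawned_by_injector and target_is_spawnto both true. Dropping either the network events or the memory writes yields nothing, which is the point of correlating rather than alerting on each API call.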
Network
MITRE ATT&CK Matrix
Downloads
-
memory/636-133-0x0000015519800000-0x0000015519801000-memory.dmp (Filesize: 4KB)
-
memory/636-134-0x000001551B640000-0x000001551BA40000-memory.dmp (Filesize: 4.0MB)
-
memory/636-135-0x000001551BA40000-0x000001551BA8C000-memory.dmp (Filesize: 304KB)
-
memory/636-136-0x000001551BA40000-0x000001551BA8C000-memory.dmp (Filesize: 304KB)