Analysis
-
max time kernel
605s -
max time network
618s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system -
submitted
11-10-2023 13:02
Static task
static1
Behavioral task
behavioral1
Sample
P2.dll
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
P2.dll
Resource
win10v2004-20230915-en
General
-
Target
P2.dll
-
Size
121KB
-
MD5
cc69a31a067b62dda5f2076f8ee335e1
-
SHA1
7efb9b1f96810c195ad7976f86c8051c16faac8a
-
SHA256
c528e31aad8e88e0997d48c74b58014a02848dd897c5b17e8c806163992acd30
-
SHA512
21a61c4554240dc047a24d0dda263ff4ff4b9c307c1e7be850077240d9464cbab7af8dfafdc5bf191f570f77745360aef32a1d0b0862c05ae0e9e9d835ad0e2e
-
SSDEEP
3072:vNvdT8s5z+zW+EwiHdozduv2aureni7UygKmUXhkejTs59oY:vTv58Whw02duv2Ki7UqdTTQoY
Malware Config
Extracted
cobaltstrike
http://clouditsoft.com:8008/static-directory/mg.jpg
-
user_agent
Host: clouditsoft.com Connection: close Accept-Encoding: gzip User-Agent: Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Loads dropped DLL 4 IoCs
Processes:
rundll32.exepid Process 2028 rundll32.exe 2028 rundll32.exe 2028 rundll32.exe 2028 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
cmd.exedescription pid Process procid_target PID 1796 wrote to memory of 2028 1796 cmd.exe 37 PID 1796 wrote to memory of 2028 1796 cmd.exe 37 PID 1796 wrote to memory of 2028 1796 cmd.exe 37
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\P2.dll1⤵PID:2840
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"1⤵PID:1080
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\system32\rundll32.exerundll32 C:\ProgramData\P2.dll,DllRegisterServer2⤵
- Loads dropped DLL
PID:2028
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
121KB
MD5cc69a31a067b62dda5f2076f8ee335e1
SHA17efb9b1f96810c195ad7976f86c8051c16faac8a
SHA256c528e31aad8e88e0997d48c74b58014a02848dd897c5b17e8c806163992acd30
SHA51221a61c4554240dc047a24d0dda263ff4ff4b9c307c1e7be850077240d9464cbab7af8dfafdc5bf191f570f77745360aef32a1d0b0862c05ae0e9e9d835ad0e2e
-
Filesize
121KB
MD5cc69a31a067b62dda5f2076f8ee335e1
SHA17efb9b1f96810c195ad7976f86c8051c16faac8a
SHA256c528e31aad8e88e0997d48c74b58014a02848dd897c5b17e8c806163992acd30
SHA51221a61c4554240dc047a24d0dda263ff4ff4b9c307c1e7be850077240d9464cbab7af8dfafdc5bf191f570f77745360aef32a1d0b0862c05ae0e9e9d835ad0e2e
-
Filesize
121KB
MD5cc69a31a067b62dda5f2076f8ee335e1
SHA17efb9b1f96810c195ad7976f86c8051c16faac8a
SHA256c528e31aad8e88e0997d48c74b58014a02848dd897c5b17e8c806163992acd30
SHA51221a61c4554240dc047a24d0dda263ff4ff4b9c307c1e7be850077240d9464cbab7af8dfafdc5bf191f570f77745360aef32a1d0b0862c05ae0e9e9d835ad0e2e
-
Filesize
121KB
MD5cc69a31a067b62dda5f2076f8ee335e1
SHA17efb9b1f96810c195ad7976f86c8051c16faac8a
SHA256c528e31aad8e88e0997d48c74b58014a02848dd897c5b17e8c806163992acd30
SHA51221a61c4554240dc047a24d0dda263ff4ff4b9c307c1e7be850077240d9464cbab7af8dfafdc5bf191f570f77745360aef32a1d0b0862c05ae0e9e9d835ad0e2e
-
Filesize
121KB
MD5cc69a31a067b62dda5f2076f8ee335e1
SHA17efb9b1f96810c195ad7976f86c8051c16faac8a
SHA256c528e31aad8e88e0997d48c74b58014a02848dd897c5b17e8c806163992acd30
SHA51221a61c4554240dc047a24d0dda263ff4ff4b9c307c1e7be850077240d9464cbab7af8dfafdc5bf191f570f77745360aef32a1d0b0862c05ae0e9e9d835ad0e2e