Analysis

  • max time kernel
    422s
  • max time network
    428s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-10-2023 13:02

General

  • Target

    P2.dll

  • Size

    121KB

  • MD5

    cc69a31a067b62dda5f2076f8ee335e1

  • SHA1

    7efb9b1f96810c195ad7976f86c8051c16faac8a

  • SHA256

    c528e31aad8e88e0997d48c74b58014a02848dd897c5b17e8c806163992acd30

  • SHA512

    21a61c4554240dc047a24d0dda263ff4ff4b9c307c1e7be850077240d9464cbab7af8dfafdc5bf191f570f77745360aef32a1d0b0862c05ae0e9e9d835ad0e2e

  • SSDEEP

    3072:vNvdT8s5z+zW+EwiHdozduv2aureni7UygKmUXhkejTs59oY:vTv58Whw02duv2Ki7UqdTTQoY

Malware Config

Extracted

Family

cobaltstrike

C2

http://clouditsoft.com:8008/static-directory/mg.jpg

Attributes
  • user_agent

    Host: clouditsoft.com
    Connection: close
    Accept-Encoding: gzip
    User-Agent: Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\P2.dll
    1⤵
    PID:4444
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3316
      • C:\Windows\system32\rundll32.exe
        rundll32 C:\Users\Admin\AppData\Local\Temp\P2.dll,DllRegisterServer
        2⤵
        PID:4252
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
        1⤵
        PID:1380
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe"
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:3968
          • C:\Windows\system32\rundll32.exe
            rundll32 P2.dll,DllRegisterServer
            2⤵
            PID:2352

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Credential Access
    Unsecured Credentials: T1552 (1)
    Credentials In Files: T1552.001 (1)

  • Collection
    Data from Local System: T1005 (1)

Downloads

  • memory/4444-0-0x0000000000A20000-0x0000000000A22000-memory.dmp
    Filesize: 8KB