Analysis
  max time kernel: 148s
  max time network: 153s
  platform: windows10-2004_x64
  resource: win10v2004-20231025-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20231025-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 28-10-2023 20:43
Static task
  static1
Behavioral task
  behavioral1
  Sample: 184cbf7df459c6266184ad6f241c66805a4301aa198920465a6756ee073d6801.dll
  Resource: win7-20231023-en
Behavioral task
  behavioral2
  Sample: 184cbf7df459c6266184ad6f241c66805a4301aa198920465a6756ee073d6801.dll
  Resource: win10v2004-20231025-en
General
  Target: 184cbf7df459c6266184ad6f241c66805a4301aa198920465a6756ee073d6801.dll
  Size: 298KB
  MD5: 9bf777a32e84db48ce71e1e06fafd441
  SHA1: ccfc23046955a103b3835023a3468d6dc2ffd01f
  SHA256: 184cbf7df459c6266184ad6f241c66805a4301aa198920465a6756ee073d6801
  SHA512: dbf04c347a531b8856e2a87af85cde09d444ada6fcd362ba77e6122f7ce85996a4cc338e66bcc10ea0a5980e3d5ac5431d231488d274197f78fcb8e5fee4a1d5
  SSDEEP: 6144:CHzp4qIDRd6EqFmcCBk9LHZEPSZ/Of626BioBRXFsjf3FOUXzsezZOyMm:izp4qIDqRi8ZEatP26BzzUP
Malware Config
Extracted
  family: cobaltstrike
  watermark: 100000
  C2: http://43.138.44.158:15999/socialapiVersion=1.1
  access_type: 512
  host: 43.138.44.158,/socialapiVersion=1.1
  http_method1: GET
  http_method2: POST
  jitter: 9472
  polling_time: 30000
  port_number: 15999
  sc_process32: %windir%\syswow64\runonce.exe
  sc_process64: %windir%\sysnative\runonce.exe
  state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCDNXFfUSnRiMrus01oooCz6LOvdmjEE+7t+6lWJPjRacCsjD36xkeHkaQzYHqBIcp+IjzNOQWAkZeqSKWsWAdUzYDFb4JxRk+REfYtFkqJdO6vJYr9HeSBbcvIVifI4mnpePP5LjtfV9x8AHu1EGqJVJ6LIkucf4QWdZlyxuV5pQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
  unknown1: 2.657621248e+09
  unknown2: AAAABAAAAAEAAAdZAAAAAgAAB/IAAAACAAAD+AAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
  uri: /socialapiVersion=2.0&include_base=true
  user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4044.62 Safari/537.26
  watermark: 100000
Signatures

Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.

Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid   process       target process
    PID 3888 set thread context of 740   3888  rundll32.exe  notepad.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    3888  rundll32.exe
    3888  rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                       pid   process       target process
    PID 3888 wrote to memory of 740   3888  rundll32.exe  notepad.exe
    PID 3888 wrote to memory of 740   3888  rundll32.exe  notepad.exe
    PID 3888 wrote to memory of 740   3888  rundll32.exe  notepad.exe
Processes
  1. C:\Windows\system32\rundll32.exe
     command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\184cbf7df459c6266184ad6f241c66805a4301aa198920465a6756ee073d6801.dll,#1
     - Suspicious use of SetThreadContext
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of WriteProcessMemory
     2. C:\Windows\system32\notepad.exe (child of 1)
        command line: notepad.exe