Analysis
-
max time kernel
133s -
max time network
136s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system -
submitted
03-11-2023 17:43
Static task
static1
Behavioral task
behavioral1
Sample
8f02db051024b4431c0bd5beb7d666a9f717e3a6386f24a11857ca5b92ce617c.dll
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
8f02db051024b4431c0bd5beb7d666a9f717e3a6386f24a11857ca5b92ce617c.dll
Resource
win10v2004-20231020-en
General
-
Target
8f02db051024b4431c0bd5beb7d666a9f717e3a6386f24a11857ca5b92ce617c.dll
-
Size
216KB
-
MD5
d2fd12b6af179ae7c4ad6a090f7d5c25
-
SHA1
516f3edd3c00776f4c325decb6ddf29a6f1d2fd3
-
SHA256
8f02db051024b4431c0bd5beb7d666a9f717e3a6386f24a11857ca5b92ce617c
-
SHA512
d59136a39cbe504d9f30b8f52cef83121953dfefc17ae0e79f9d39872362cb3004229f0dc9d050a044787c2ddc7929722a74413e29ed4780871c88c50317712a
-
SSDEEP
3072:kK8DwCtyxm16c2mvM7XpQoyq8f2Rc5XLYf+qdddkg7BiOxjbHoc:kK8DwFm16QgqJEfCGdc
Malware Config
Extracted
cobaltstrike
1580103824
http://paymentsolo.online:443/menu/dashboard/6TRE23
-
access_type
512
-
beacon_type
2048
-
host
paymentsolo.online,/menu/dashboard/6TRE23
-
http_header1
AAAAEAAAABhIb3N0OiBwYXltZW50c29sby5vbmxpbmUAAAAKAAAAC0FjY2VwdDogKi8qAAAACgAAAB9BY2NlcHQtTGFuZ3VhZ2U6IGVuLVVTLGVuO3E9MC41AAAACgAAABVTZWMtRmV0Y2gtRGVzdDogZW1wdHkAAAAKAAAAFFNlYy1GZXRjaC1Nb2RlOiBjb3JzAAAACgAAABpTZWMtRmV0Y2gtU2l0ZTogY3Jvc3Mtc2l0ZQAAAAcAAAAAAAAAAwAAAAIAAAAKUEhQU0VTU0lEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAAEAAAABhIb3N0OiBwYXltZW50c29sby5vbmxpbmUAAAAKAAAAC0FjY2VwdDogKi8qAAAACgAAAB9BY2NlcHQtTGFuZ3VhZ2U6IGVuLVVTLGVuO3E9MC41AAAACgAAAEhBY2Nlc3MtQ29udHJvbC1SZXF1ZXN0LUhlYWRlcnM6IGNvbnRlbnQtdHlwZSx4LWdvb2ctYXBpLWtleSx4LXVzZXItYWdlbnQAAAAKAAAAFVNlYy1GZXRjaC1EZXN0OiBlbXB0eQAAAAoAAAAUU2VjLUZldGNoLU1vZGU6IGNvcnMAAAAKAAAAGlNlYy1GZXRjaC1TaXRlOiBjcm9zcy1zaXRlAAAABwAAAAAAAAADAAAAAgAAAApQSFBTRVNTSUQ9AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
5120
-
polling_time
60000
-
port_number
443
-
sc_process32
%windir%\syswow64\dllhost.exe
-
sc_process64
%windir%\sysnative\dllhost.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCjkWvHnxN+a3eaUDaQ4sLAhhbALgwfkCSfxkz5OIOOQa/XO+oxZg5yD6F9uyQmvtwZMhku91jaGiJpf8qJQxOzsTZWeVsHyzFj6qZLOvTGzMM2A8/2S6Il5UvEImGXtsE7o+2AWBhEGFteJKcHtc1eJkWKbVkCBYbGknkcYgT/zQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
1.481970944e+09
-
unknown2
AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/menu/dashboard/6JSM74
-
user_agent
Mozilla/5.0 (Linux; Android 8.1.0; CPH1853) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Mobile Safari/537.36 EdgA/110.0.1588.77
-
watermark
1580103824
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Blocklisted process makes network request 3 IoCs
Processes:
rundll32.exeflow pid process 4 2732 rundll32.exe 6 2732 rundll32.exe 7 2732 rundll32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
rundll32.exedescription pid process target process PID 2872 wrote to memory of 2732 2872 rundll32.exe rundll32.exe PID 2872 wrote to memory of 2732 2872 rundll32.exe rundll32.exe PID 2872 wrote to memory of 2732 2872 rundll32.exe rundll32.exe PID 2872 wrote to memory of 2732 2872 rundll32.exe rundll32.exe PID 2872 wrote to memory of 2732 2872 rundll32.exe rundll32.exe PID 2872 wrote to memory of 2732 2872 rundll32.exe rundll32.exe PID 2872 wrote to memory of 2732 2872 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\8f02db051024b4431c0bd5beb7d666a9f717e3a6386f24a11857ca5b92ce617c.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\8f02db051024b4431c0bd5beb7d666a9f717e3a6386f24a11857ca5b92ce617c.dll,#12⤵
- Blocklisted process makes network request
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2732-0-0x0000000077BA0000-0x0000000077C76000-memory.dmpFilesize
856KB
-
memory/2732-1-0x0000000000140000-0x0000000000174000-memory.dmpFilesize
208KB
-
memory/2732-4-0x0000000000460000-0x00000000004F2000-memory.dmpFilesize
584KB
-
memory/2732-3-0x0000000000140000-0x0000000000174000-memory.dmpFilesize
208KB
-
memory/2732-5-0x0000000000460000-0x00000000004F2000-memory.dmpFilesize
584KB