Analysis
-
max time kernel
142s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system -
submitted
03-11-2023 17:43
Static task
static1
Behavioral task
behavioral1
Sample
8f02db051024b4431c0bd5beb7d666a9f717e3a6386f24a11857ca5b92ce617c.dll
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
8f02db051024b4431c0bd5beb7d666a9f717e3a6386f24a11857ca5b92ce617c.dll
Resource
win10v2004-20231020-en
General
-
Target
8f02db051024b4431c0bd5beb7d666a9f717e3a6386f24a11857ca5b92ce617c.dll
-
Size
216KB
-
MD5
d2fd12b6af179ae7c4ad6a090f7d5c25
-
SHA1
516f3edd3c00776f4c325decb6ddf29a6f1d2fd3
-
SHA256
8f02db051024b4431c0bd5beb7d666a9f717e3a6386f24a11857ca5b92ce617c
-
SHA512
d59136a39cbe504d9f30b8f52cef83121953dfefc17ae0e79f9d39872362cb3004229f0dc9d050a044787c2ddc7929722a74413e29ed4780871c88c50317712a
-
SSDEEP
3072:kK8DwCtyxm16c2mvM7XpQoyq8f2Rc5XLYf+qdddkg7BiOxjbHoc:kK8DwFm16QgqJEfCGdc
Malware Config
Extracted
cobaltstrike
1580103824
http://paymentsolo.online:443/menu/dashboard/6TRE23
-
access_type
512
-
beacon_type
2048
-
host
paymentsolo.online,/menu/dashboard/6TRE23
-
http_header1
AAAAEAAAABhIb3N0OiBwYXltZW50c29sby5vbmxpbmUAAAAKAAAAC0FjY2VwdDogKi8qAAAACgAAAB9BY2NlcHQtTGFuZ3VhZ2U6IGVuLVVTLGVuO3E9MC41AAAACgAAABVTZWMtRmV0Y2gtRGVzdDogZW1wdHkAAAAKAAAAFFNlYy1GZXRjaC1Nb2RlOiBjb3JzAAAACgAAABpTZWMtRmV0Y2gtU2l0ZTogY3Jvc3Mtc2l0ZQAAAAcAAAAAAAAAAwAAAAIAAAAKUEhQU0VTU0lEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAAEAAAABhIb3N0OiBwYXltZW50c29sby5vbmxpbmUAAAAKAAAAC0FjY2VwdDogKi8qAAAACgAAAB9BY2NlcHQtTGFuZ3VhZ2U6IGVuLVVTLGVuO3E9MC41AAAACgAAAEhBY2Nlc3MtQ29udHJvbC1SZXF1ZXN0LUhlYWRlcnM6IGNvbnRlbnQtdHlwZSx4LWdvb2ctYXBpLWtleSx4LXVzZXItYWdlbnQAAAAKAAAAFVNlYy1GZXRjaC1EZXN0OiBlbXB0eQAAAAoAAAAUU2VjLUZldGNoLU1vZGU6IGNvcnMAAAAKAAAAGlNlYy1GZXRjaC1TaXRlOiBjcm9zcy1zaXRlAAAABwAAAAAAAAADAAAAAgAAAApQSFBTRVNTSUQ9AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
5120
-
polling_time
60000
-
port_number
443
-
sc_process32
%windir%\syswow64\dllhost.exe
-
sc_process64
%windir%\sysnative\dllhost.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCjkWvHnxN+a3eaUDaQ4sLAhhbALgwfkCSfxkz5OIOOQa/XO+oxZg5yD6F9uyQmvtwZMhku91jaGiJpf8qJQxOzsTZWeVsHyzFj6qZLOvTGzMM2A8/2S6Il5UvEImGXtsE7o+2AWBhEGFteJKcHtc1eJkWKbVkCBYbGknkcYgT/zQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
1.481970944e+09
-
unknown2
AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/menu/dashboard/6JSM74
-
user_agent
Mozilla/5.0 (Linux; Android 8.1.0; CPH1853) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Mobile Safari/537.36 EdgA/110.0.1588.77
-
watermark
1580103824
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Blocklisted process makes network request 2 IoCs
Processes:
rundll32.exeflow pid process 59 4856 rundll32.exe 78 4856 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 1208 wrote to memory of 4856 1208 rundll32.exe rundll32.exe PID 1208 wrote to memory of 4856 1208 rundll32.exe rundll32.exe PID 1208 wrote to memory of 4856 1208 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\8f02db051024b4431c0bd5beb7d666a9f717e3a6386f24a11857ca5b92ce617c.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\8f02db051024b4431c0bd5beb7d666a9f717e3a6386f24a11857ca5b92ce617c.dll,#12⤵
- Blocklisted process makes network request
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/4856-0-0x0000000077441000-0x0000000077561000-memory.dmpFilesize
1.1MB
-
memory/4856-1-0x0000000000D40000-0x0000000000D74000-memory.dmpFilesize
208KB
-
memory/4856-2-0x0000000000DA0000-0x0000000000E32000-memory.dmpFilesize
584KB
-
memory/4856-3-0x0000000000DA0000-0x0000000000E32000-memory.dmpFilesize
584KB