Analysis
-
max time kernel
132s -
max time network
136s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system -
submitted
20-11-2023 05:01
Static task
static1
Behavioral task
behavioral1
Sample
c2f68afa882adecc96217f7eab229aaa2ec01abfae0d8087bfa3d4fed66fbcbb.dll
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
c2f68afa882adecc96217f7eab229aaa2ec01abfae0d8087bfa3d4fed66fbcbb.dll
Resource
win10v2004-20231023-en
General
-
Target
c2f68afa882adecc96217f7eab229aaa2ec01abfae0d8087bfa3d4fed66fbcbb.dll
-
Size
93KB
-
MD5
b6fb8b50cbfa81b70b4657069710c226
-
SHA1
5679e8026721e338612ac5d987a7739e5673177d
-
SHA256
c2f68afa882adecc96217f7eab229aaa2ec01abfae0d8087bfa3d4fed66fbcbb
-
SHA512
a15a4d45917232900bd5be0ddf9d77e7870d0d9f4b1df0069bf34289731ed83a826f54b377765e7b98c72b76ec29780698ac1deac94bdcde1dbf8bacef20f511
-
SSDEEP
1536:uYhEyx42txwW3Te8eUaOBfRxMTr0ylZVEw9YDC7i50OD:u4Rxwq6XUaOBfRxMTIUVEwee77O
Malware Config
Extracted
cobaltstrike
http://service-a0y8baw1-1319935181.bj.apigw.tencentcs.com:443/bootstrap-2.min.js
-
user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 7.0; InfoPath.3; .NET CLR 3.1.40767; Trident/6.0; en-IN)
Extracted
cobaltstrike
20410727
http://service-a0y8baw1-1319935181.bj.apigw.tencentcs.com:443/api/x
-
access_type
512
-
beacon_type
2048
-
host
service-a0y8baw1-1319935181.bj.apigw.tencentcs.com,/api/x
-
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAKU0VTU0lPTklEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAJSlNFU1NJT049AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
12800
-
polling_time
30000
-
port_number
443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCTWV74mUQ+mRv5G12a9zODYqH4hd3vN8wA5KM1K3qxHkx8PMfWuxuzFPJTbTmmP/psUSaIxASMDmgFAenz3/yOWa2GZRhGhYsxPzqZ3I9pFkF+QUzwhc8fWqWwOJv66NmlHQGJLc2kG3H4GT15QDwwz2TZ8NVMfeDzPuVcpJGwCwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
1.481970944e+09
-
unknown2
AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/api/y
-
user_agent
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 7.0; InfoPath.3; .NET CLR 3.1.40767; Trident/6.0; en-IN)
-
watermark
20410727
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
rundll32.exedescription pid process target process PID 2144 set thread context of 2288 2144 rundll32.exe conhost.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
rundll32.exepid process 2144 rundll32.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
rundll32.exedescription pid process target process PID 2144 wrote to memory of 2288 2144 rundll32.exe conhost.exe PID 2144 wrote to memory of 2288 2144 rundll32.exe conhost.exe PID 2144 wrote to memory of 2288 2144 rundll32.exe conhost.exe PID 2144 wrote to memory of 2288 2144 rundll32.exe conhost.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c2f68afa882adecc96217f7eab229aaa2ec01abfae0d8087bfa3d4fed66fbcbb.dll,#11⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\conhost.execonhost.exe2⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2288-0-0x0000000000060000-0x0000000000061000-memory.dmpFilesize
4KB
-
memory/2288-1-0x0000000002870000-0x0000000002C70000-memory.dmpFilesize
4.0MB
-
memory/2288-2-0x0000000001F90000-0x0000000001FDE000-memory.dmpFilesize
312KB
-
memory/2288-3-0x0000000001F90000-0x0000000001FDE000-memory.dmpFilesize
312KB