Analysis

  • max time kernel
    92s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/02/2024, 11:48

General

  • Target

    a1cbb55f6316a7a7ef379e9b09802835.dll

  • Size

    397KB

  • MD5

    a1cbb55f6316a7a7ef379e9b09802835

  • SHA1

    8a12b893d11dcf21da5c2ecdd4f4879406d4f848

  • SHA256

    87b9a803fb991bd9e508b55bb01fb657e505d7bd077bc18ce13d0ea518f202fd

  • SHA512

    e669e3eeebf6c72fda3ba4a20a1c5882ee6166fed120a5a00e8ae36ab8562586b40a3416cf8675a3665a6387e61c821d4ad63a9645d5a5e947efa3ffb6506af4

  • SSDEEP

    6144:RWsKyc+w/50wpi+TafNEJrOuQVyX0Wglt1M/Nt+j2IVJ:Rhk+w/K+6xuQV80PP

Malware Config

Extracted

Family

cobaltstrike

Botnet

1627331580

C2

http://rodeo.shoppond.com:443/api/messaging/read/46wjf9shdo33/events

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    rodeo.shoppond.com,/api/messaging/read/46wjf9shdo33/events

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    8448

  • polling_time

    45500

  • port_number

    443

  • sc_process32

    %windir%\syswow64\logman.exe

  • sc_process64

    %windir%\sysnative\logman.exe

  • unknown1

    6.711296e+07

  • unknown3

    1.610612736e+09

  • uri

    /api/messaging/send/37dj4sh873h

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36

  • watermark

    1627331580

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • Suspicious use of SetThreadContext (1 IoC)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\a1cbb55f6316a7a7ef379e9b09802835.dll,#1
    PID: 3080
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • C:\Windows\system32\rundll32.exe (child of PID 3080)
      C:\Windows\system32\rundll32.exe
      PID: 872

Downloads

  • memory/872-0-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

  • memory/872-2-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

  • memory/872-4-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

  • memory/872-6-0x00000243E1920000-0x00000243E1961000-memory.dmp

    Filesize

    260KB

  • memory/872-8-0x00007FFC3B460000-0x00007FFC3B510000-memory.dmp

    Filesize

    704KB

  • memory/872-9-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB