Analysis
- max time kernel: 128s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 10-04-2024 09:55

Static task: static1

Behavioral task: behavioral1
- Sample: 1f5a915e75ad96e560cee3e24861cf6f8de299fdf79e1829453defbfe2013239.dll
- Resource: win7-20240220-en

Behavioral task: behavioral2
- Sample: 1f5a915e75ad96e560cee3e24861cf6f8de299fdf79e1829453defbfe2013239.dll
- Resource: win10v2004-20240226-en
General
- Target: 1f5a915e75ad96e560cee3e24861cf6f8de299fdf79e1829453defbfe2013239.dll
- Size: 297KB
- MD5: d622b7b553d981c526ab7ac4c5884ad5
- SHA1: bca1177027130c0d6b30a328cff526e882cc8d65
- SHA256: 1f5a915e75ad96e560cee3e24861cf6f8de299fdf79e1829453defbfe2013239
- SHA512: c5ef99d73ca520a775c05e6e7be3205cb5cf34f7ab227903a6cd0f42bd78c7dbc3f0e3e6aa643016cc1a744163e51ac85d4bf05367d2370a06a25d6e694f11ae
- SSDEEP: 6144:1msMAvQ2l2lr0TVLWmwaRPl2Bal9W8g+3IW8O:1bMWQ2l2lrSLxqBaXg+YHO
Malware Config
Extracted
- Family: cobaltstrike
- Watermark (botnet ID): 305419896
- C2: http://tacomanewspaper.com:443/security/update/uaswraddfaWf
- access_type: 512
- beacon_type: 2048
- host: tacomanewspaper.com,/security/update/uaswraddfaWf
- http_header1: AAAACgAAABxBY2NlcHQ6IHRleHQvaHRtbCxpbWFnZS9qcGVnAAAACgAAABdDYWNoZS1Db250cm9sOiBuby1jYWNoZQAAAAcAAAAAAAAACAAAAAEAAAAGdjIuMzlzAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_header2: AAAACgAAABZDb25uZWN0aW9uOiBLZWVwLUFsaXZlAAAACgAAABdDYWNoZS1Db250cm9sOiBuby1jYWNoZQAAAAcAAAAAAAAACwAAAAEAAAAGL3YyLjI4AAAADAAAAAcAAAABAAAAAwAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_method1: GET
- http_method2: POST
- jitter: 3840
- maxdns: 255
- polling_time: 35000
- port_number: 443
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDk6IzLqUoHwEbiA53p6R+ozKtuJJbTwLanw3L8EtsxdScTZaz/lTgpbmnQ4XWix3/Dpa33rT3kldnu77KUxRF1xPjG/kAzJLQYtIRKL+Y7G9fXGMP96D63lMtJBZStijYgeYhOOU9/kRGbO8mfTxpN+4rdSBpGD9GgjGtyF5oM2QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 1.481970944e+09
- unknown2: AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /security/download/posdkgk
- user_agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
- watermark: 305419896
Signatures
- Cobaltstrike: Detected malicious payload which is part of Cobaltstrike.
- Opens file in notepad (likely ransom note): 1 IoC
  Processes: notepad.exe
  pid   process
  2920  notepad.exe
- Suspicious use of WriteProcessMemory: 11 IoCs
  Processes: rundll32.exe, rundll32.exe
  description                        pid   process       target process
  PID 2912 wrote to memory of 2924   2912  rundll32.exe  rundll32.exe
  PID 2912 wrote to memory of 2924   2912  rundll32.exe  rundll32.exe
  PID 2912 wrote to memory of 2924   2912  rundll32.exe  rundll32.exe
  PID 2912 wrote to memory of 2924   2912  rundll32.exe  rundll32.exe
  PID 2912 wrote to memory of 2924   2912  rundll32.exe  rundll32.exe
  PID 2912 wrote to memory of 2924   2912  rundll32.exe  rundll32.exe
  PID 2912 wrote to memory of 2924   2912  rundll32.exe  rundll32.exe
  PID 2924 wrote to memory of 2920   2924  rundll32.exe  notepad.exe
  PID 2924 wrote to memory of 2920   2924  rundll32.exe  notepad.exe
  PID 2924 wrote to memory of 2920   2924  rundll32.exe  notepad.exe
  PID 2924 wrote to memory of 2920   2924  rundll32.exe  notepad.exe
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1f5a915e75ad96e560cee3e24861cf6f8de299fdf79e1829453defbfe2013239.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1f5a915e75ad96e560cee3e24861cf6f8de299fdf79e1829453defbfe2013239.dll,#1
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\notepad.exe
         Command line: notepad.exe C:\Users\Admin\AppData\Local\Temp\data\information.txt
         - Opens file in notepad (likely ransom note)