Analysis
-
max time kernel
141s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
18-04-2024 21:38
Behavioral task
behavioral1
Sample
2/JudianService.dll
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2/JudianService.dll
Resource
win10v2004-20240412-en
Behavioral task
behavioral3
Sample
2/cbappendix.exe
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
2/cbappendix.exe
Resource
win10v2004-20240412-en
General
-
Target
2/JudianService.dll
-
Size
283KB
-
MD5
943cb4b5ffb69926803d7f9c3dd1bc7c
-
SHA1
2459b3ee3761e20439494ab11a7bd5aa96f3913c
-
SHA256
8ccd9591e9438a313a21958c7f8edce4b238bbb147e8284ec4a2b7b488b920ca
-
SHA512
c983494abcee03d98c6daa6e26b6a4afc639d1ffeaafc8ca2a0f0dd27bdcae21926fa4896dcf21fe92d829d959a8c36a6457024acf5c4526a1f5fc412ece3096
-
SSDEEP
6144:UZC4MTZhJZa5u+/c/xDbUkQFXzF7goI1WtkBTkoLOhSo:UUj7Za5a+RF7aTNLOh3
Malware Config
Extracted
metasploit
encoder/shikata_ga_nai
Extracted
cobaltstrike
0
http://chart.expocasheuro.com:443/fromdefault
http://94.237.81.57:443/fromdefault
-
access_type
512
-
beacon_type
2048
-
host
chart.expocasheuro.com,/fromdefault,94.237.81.57,/fromdefault
-
http_header1
AAAACgAAABBIb3N0OiB3d3cucXEuY29tAAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAfQWNjZXB0LUxhbmd1YWdlOiBlbi1VUyxlbjtxPTAuNQAAAAoAAAAZQWNjZXB0LUVuY29kaW5nOiBnemlwLCBicgAAAAcAAAAAAAAADwAAAAMAAAACAAAACmNtX2Nvb2tpZT0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAABBIb3N0OiB3d3cucXEuY29tAAAACgAAAClBY2NlcHQ6IGFwcGxpY2F0aW9uL2pzb24sIHRleHQvcGxhaW4sICovKgAAAAoAAAAVQWNjZXB0LUVuY29kaW5nOiBnemlwAAAABwAAAAAAAAAPAAAAAwAAAAIAAAAKY21fY29va2llPQAAAAYAAAAGQ29va2llAAAABwAAAAEAAAAPAAAAAwAAAAIAAAAQeyJwYWdlIjoyLCJ1aW4iOgAAAAEAAAAOLCJwYWdlU2l6ZSI6M30AAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
jitter
6656
-
maxdns
244
-
polling_time
7300
-
port_number
443
-
sc_process32
%windir%\syswow64\taskeng.exe
-
sc_process64
%windir%\sysnative\taskeng.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCgKUlf3RLWKgNJ9S8y26ebK2mGsFDDooTj9uq8fjMrU1OIjQ74FBmAQLpksIts/EPd5KL9KW5KpmrHRqoFWsWWylAQBegxuqj4h2Tyw5fi9fAWRBXMhY9lmo9tjYSbFuLMCFCu4kdLRishHaVfQ0uw6TGHr9q2slEMrom+ypPcvwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
1.001138688e+09
-
unknown2
AAAABAAAAAEAAACOAAAAAgAAAPUAAAADAAAACAAAAA8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/app
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0
-
watermark
0
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Blocklisted process makes network request 9 IoCs
flow pid Process 4 2508 rundll32.exe 6 2508 rundll32.exe 7 2508 rundll32.exe 8 2508 rundll32.exe 9 2508 rundll32.exe 10 2508 rundll32.exe 11 2508 rundll32.exe 12 2508 rundll32.exe 13 2508 rundll32.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 rundll32.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 rundll32.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2508 rundll32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 1704 wrote to memory of 2508 1704 rundll32.exe 28 PID 1704 wrote to memory of 2508 1704 rundll32.exe 28 PID 1704 wrote to memory of 2508 1704 rundll32.exe 28 PID 1704 wrote to memory of 2508 1704 rundll32.exe 28 PID 1704 wrote to memory of 2508 1704 rundll32.exe 28 PID 1704 wrote to memory of 2508 1704 rundll32.exe 28 PID 1704 wrote to memory of 2508 1704 rundll32.exe 28
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\2\JudianService.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\2\JudianService.dll,#12⤵
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:2508
-