Analysis
-
max time kernel
249s -
max time network
250s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
13-06-2024 15:05
General
-
Target
f2e55046e1f929223e14f3c9e88f5b550bb0d1b30ee876e84a6dfd4b4c9ac4de.dll
-
Size
539KB
-
MD5
a2452391e7f17d4006d1d38b6160e68c
-
SHA1
c82df6f3f8fc8048acf41f3cf5d7ecc1b54fe2d8
-
SHA256
f2e55046e1f929223e14f3c9e88f5b550bb0d1b30ee876e84a6dfd4b4c9ac4de
-
SHA512
f348428a705deecc0051723b934db44cb2a99e3da0456c8b0e0040f159549b4e70565675cf45c6c034b719f6678e6cd67e96183b8098730421c43f12437161cf
-
SSDEEP
12288:E1TLY9/cIKhpyFfIsd59w51AK/gU8VL8HdFonf:OT09/cI8pyTJkT/gU8tn
Malware Config
Extracted
cobaltstrike
1580103824
http://68.233.238.123:80/gv
-
access_type
512
-
host
68.233.238.123,/gv
-
http_header1
AAAAEAAAABZIb3N0OiBoaWdoLWNvbnRyb2wubmV0AAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAoAAAAVQWNjZXB0LUVuY29kaW5nOiBnemlwAAAACgAAABZBY2NlcHQtTGFuZ3VhZ2U6IGVuLVVTAAAABwAAAAAAAAADAAAAAwAAAAIAAAArd29yZHByZXNzXzUyMjM4NTU4ZTkzMGYxZWM2OTllNGYxMmFiMDE1YTRmPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAAEAAAABZIb3N0OiBoaWdoLWNvbnRyb2wubmV0AAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAoAAAAZQWNjZXB0LUVuY29kaW5nOiBnemlwLCBicgAAAAoAAAAvQ29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQAAAAHAAAAAQAAAAMAAAADAAAAAgAAAAhuZXduYW1lPQAAAAQAAAAHAAAAAAAAAAMAAAACAAAADl9fc2Vzc2lvbl9faWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
9984
-
polling_time
59087
-
port_number
80
-
sc_process32
%windir%\syswow64\runonce.exe
-
sc_process64
%windir%\sysnative\runonce.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnCZHWnYFqYB/6gJdkc4MPDTtBJ20nkEAd3tsY4tPKs8MV4yIjJb5CtlrbKHjzP1oD/1AQsj6EKlEMFIKtakLx5+VybrMYE+dDdkDteHmVX0AeFyw001FyQVlt1B+OSNPRscKI5sh1L/ZdwnrMy6S6nNbQ5N5hls6k2kgNO5nQ7QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
6.1158912e+08
-
unknown2
AAAABAAAAAIAAAJYAAAAAwAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/btn_bg
-
user_agent
Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202
-
watermark
1580103824
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\f2e55046e1f929223e14f3c9e88f5b550bb0d1b30ee876e84a6dfd4b4c9ac4de.dll1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\f2e55046e1f929223e14f3c9e88f5b550bb0d1b30ee876e84a6dfd4b4c9ac4de.dll2⤵
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
516KB
-
Filesize
208KB
-
Filesize
516KB
-
Filesize
208KB