Analysis
- max time kernel: 122s
- max time network: 119s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 12-11-2020 13:47
Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.BackDoor.Meterpreter.130.21870.19638.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.BackDoor.Meterpreter.130.21870.19638.exe
  Resource: win10v20201028
General
- Target: SecuriteInfo.com.BackDoor.Meterpreter.130.21870.19638.exe
- Size: 383KB
- MD5: 860cdd118f68793a680ad4d22c43619a
- SHA1: 18ad055e52757826b292e2e05fc9d15e33ccd4bf
- SHA256: 4f6af6104eb118ee193f1b77124dfcdfbef04af6ae6e55c8e37f2f68e9d526eb
- SHA512: f6ce5ba4a0b21e49adde25e934b0f1426d372297033d027131a9afb8b28350ff74a48a1fdaca9b6f069b7164124d96f8e7cf7fa55e79321197b6c805302836ae
Malware Config
Extracted: cobaltstrike
C2 URLs:
- http://oow8Phokeing6kai5haH.glowtrow.online:443/gifs/
- http://ooLiey0phuoghei2cei7.cleans.online:443/gifs/
- http://eiphaem9aifuR1udaizu.badedsho.space:443/image/
Configuration fields:
- access_type: 512
- beacon_type: 2048
- create_remote_thread: 0
- day: 0
- dns_idle: 6.7373064e+07
- dns_sleep: 8.1297408e+08
- host: oow8Phokeing6kai5haH.glowtrow.online,/gifs/,ooLiey0phuoghei2cei7.cleans.online,/gifs/,eiphaem9aifuR1udaizu.badedsho.space,/image/
- http_header1: AAAACgAAAB9BY2NlcHQtTGFuZ3VhZ2U6IGVuLVVTLGVuO3E9MC41AAAACgAAAFJBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LGltYWdlL3dlYnAsKi8qO3E9MC44AAAACgAAAB5BY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUAAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAABwAAAAAAAAAPAAAADQAAAAEAAAALL2tpdHRlbi5naWYAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_header2: AAAACgAAAB5Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL2pzb24AAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAABwAAAAAAAAAPAAAACAAAAAYAAAAOQXV0aGVudGljYXRpb24AAAAHAAAAAQAAAAMAAAACAAAAc3siaW1hZ2VfdXJsIiA6ICJodHRwczovL3N1bjktMjMudXNlcmFwaS5jb20vRzRKdmRaREVmTGRJUGxOTjEtSmtNR1EydW5mMktFSVY1NE9tNWcvYWJKNzBqR0hmVmsuanBnIiwgIm1ldGFkYXRhIiA6ICIAAAABAAAAAiJ9AAAABAAAAAAAAA==
- http_method1: GET
- http_method2: POST
- injection_process: (empty)
- jitter: 5120
- maxdns: 235
- month: 0
- pipe_name: (empty)
- polling_time: 60000
- port_number: 443
- proxy_password: (empty)
- proxy_server: (empty)
- proxy_username: (empty)
- sc_process32: %windir%\syswow64\dfrgui.exe
- sc_process64: %windir%\sysnative\dfrgui.exe
- state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCIvdvQtJDW1I3V763zrsMpAmKESYebzPux6wkGUe3JLUJvczek+1wURhIWBSAHODyo9VoVYeV+Fdi5GC0F0c2E/NuZLhEk3eetXSCMFJCMo0wXM3ACHlKjMy1l87lvp4k+BN3+FR+bhR2mps1R+tsO941l1YKmMDez894lUy1mXwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 3.2384e+09
- unknown2: AAAABAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown3: 0
- unknown4: 0
- unknown5: 2.583822336e+09
- uri: /stocks/
- user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36
- year: 0
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Deletes itself (1 IoC)
  Processes: pid 1676, cmd.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
    PID 2036 set thread context of 1796 | 2036 | SecuriteInfo.com.BackDoor.Meterpreter.130.21870.19638.exe | mstsc.exe
- Delays execution with timeout.exe (1 IoC)
  Processes: pid 1204, timeout.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes (description | pid | process | target process):
    PID 2036 wrote to memory of 1796 | 2036 | SecuriteInfo.com.BackDoor.Meterpreter.130.21870.19638.exe | mstsc.exe (5 occurrences)
    PID 2036 wrote to memory of 1676 | 2036 | SecuriteInfo.com.BackDoor.Meterpreter.130.21870.19638.exe | cmd.exe (4 occurrences)
    PID 1676 wrote to memory of 1204 | 1676 | cmd.exe | timeout.exe (4 occurrences)
Processes (process tree; indentation shows parent/child depth)
- Level 1: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.Meterpreter.130.21870.19638.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.Meterpreter.130.21870.19638.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Windows\SysWOW64\mstsc.exe
    Command line: C:\Windows\SysWOW64\mstsc.exe
  - Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /C timeout 120 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.Meterpreter.130.21870.19638.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 120
      - Delays execution with timeout.exe
Downloads
- memory/428-12-0x000007FEF7E60000-0x000007FEF80DA000-memory.dmp (Filesize: 2.5MB)
- memory/1204-6-0x0000000000000000-mapping.dmp
- memory/1676-4-0x0000000000000000-mapping.dmp
- memory/1796-0-0x0000000000080000-0x00000000000B4000-memory.dmp (Filesize: 208KB)
- memory/1796-1-0x0000000000080000-0x00000000000B4000-memory.dmp (Filesize: 208KB)
- memory/1796-3-0x0000000000080000-mapping.dmp
- memory/1796-5-0x0000000001F20000-0x000000000212F000-memory.dmp (Filesize: 2.1MB)
- memory/1796-7-0x0000000000080000-0x00000000000B3006-memory.dmp (Filesize: 204KB)
- memory/1796-13-0x0000000001F20000-0x000000000212F000-memory.dmp (Filesize: 2.1MB)