Analysis

Max time kernel: 128s
Max time network: 134s
Platform: windows10_x64
Resource: win10v20201028
Submitted: 12-11-2020 13:47

Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.BackDoor.Meterpreter.130.21870.19638.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.BackDoor.Meterpreter.130.21870.19638.exe
  Resource: win10v20201028
General

Target: SecuriteInfo.com.BackDoor.Meterpreter.130.21870.19638.exe
Size: 383KB
MD5: 860cdd118f68793a680ad4d22c43619a
SHA1: 18ad055e52757826b292e2e05fc9d15e33ccd4bf
SHA256: 4f6af6104eb118ee193f1b77124dfcdfbef04af6ae6e55c8e37f2f68e9d526eb
SHA512: f6ce5ba4a0b21e49adde25e934b0f1426d372297033d027131a9afb8b28350ff74a48a1fdaca9b6f069b7164124d96f8e7cf7fa55e79321197b6c805302836ae
Malware Config

Extracted family: cobaltstrike
C2 URLs:
  http://oow8Phokeing6kai5haH.glowtrow.online:443/gifs/
  http://ooLiey0phuoghei2cei7.cleans.online:443/gifs/
  http://eiphaem9aifuR1udaizu.badedsho.space:443/image/

Beacon configuration as extracted (field names are the extractor's; numeric fields that the extractor printed in float notation are given here as the exact integers those floats denote):

access_type: 512
beacon_type: 2048
create_remote_thread: 0
day: 0
dns_idle: 67373064 (printed as 6.7373064e+07)
dns_sleep: 812974080 (printed as 8.1297408e+08)
host: oow8Phokeing6kai5haH.glowtrow.online,/gifs/,ooLiey0phuoghei2cei7.cleans.online,/gifs/,eiphaem9aifuR1udaizu.badedsho.space,/image/
http_header1 (base64 of the http-get client transform program): AAAACgAAAB9BY2NlcHQtTGFuZ3VhZ2U6IGVuLVVTLGVuO3E9MC41AAAACgAAAFJBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LGltYWdlL3dlYnAsKi8qO3E9MC44AAAACgAAAB5BY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUAAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAABwAAAAAAAAAPAAAADQAAAAEAAAALL2tpdHRlbi5naWYAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2 (base64 of the http-post client transform program): AAAACgAAAB5Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL2pzb24AAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAABwAAAAAAAAAPAAAACAAAAAYAAAAOQXV0aGVudGljYXRpb24AAAAHAAAAAQAAAAMAAAACAAAAc3siaW1hZ2VfdXJsIiA6ICJodHRwczovL3N1bjktMjMudXNlcmFwaS5jb20vRzRKdmRaREVmTGRJUGxOTjEtSmtNR1EydW5mMktFSVY1NE9tNWcvYWJKNzBqR0hmVmsuanBnIiwgIm1ldGFkYXRhIiA6ICIAAAABAAAAAiJ9AAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
injection_process: (empty)
jitter: 5120
maxdns: 235
month: 0
pipe_name: (empty)
polling_time: 60000
port_number: 443
proxy_password: (empty)
proxy_server: (empty)
proxy_username: (empty)
sc_process32 (spawnto, x86): %windir%\syswow64\dfrgui.exe
sc_process64 (spawnto, x64): %windir%\sysnative\dfrgui.exe
state_machine (the extractor's label; the value is the Beacon public key, a base64 DER SubjectPublicKeyInfo of a 1024-bit RSA key, zero-padded): MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCIvdvQtJDW1I3V763zrsMpAmKESYebzPux6wkGUe3JLUJvczek+1wURhIWBSAHODyo9VoVYeV+Fdi5GC0F0c2E/NuZLhEk3eetXSCMFJCMo0wXM3ACHlKjMy1l87lvp4k+BN3+FR+bhR2mps1R+tsO941l1YKmMDez894lUy1mXwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 3238400000 (printed as 3.2384e+09)
unknown2: AAAABAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown3: 0
unknown4: 0
unknown5: 2583822336 (printed as 2.583822336e+09)
uri: /stocks/
user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36
year: 0
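The http_header1 and http_header2 values are the Beacon http-get and http-post client transform programs, serialized as a stream of big-endian 32-bit opcodes and base64-encoded, so they say nothing as printed. The Python below is an added example, not part of the report and not the sandbox's or Cobalt Strike's own code. It decodes both blobs using the opcode table and step names that the public Beacon config parsers use (an assumption about those labels; the page does not state them), prints each program in Malleable C2 profile syntax, and reinterprets the numeric fields whose values only make sense with their bytes reversed. Decoded this way, the GET program sends four fixed browser-like headers and places the session metadata, masked and base64url-encoded, in the URI followed by "/kitten.gif"; the POST program puts the session id, masked and NetBIOS-encoded, in an "Authentication" header and wraps the base64 output in a JSON body whose "image_url" points at a userapi.com image. On the numeric side, beacon_type 2048 is 0x0800, jitter 5120 is 0x1400, dns_idle 67373064 is 0x04040808 and dns_sleep 812974080 is 0x30750000; with the bytes swapped these read 8 (HTTPS, consistent with port 443), 20 percent jitter, 8.8.4.4 and 30000 ms, while polling_time 60000 is plausible as printed. Treat that swap as an inference from the arithmetic, not as something the report states.

```python
import base64
import ipaddress
import struct

# Transform-step opcodes of a Beacon http-get/http-post client program, with the
# names the public Beacon config parsers use (assumed table, not from the page).
OPS = {1: "append", 2: "prepend", 3: "base64", 4: "print", 5: "parameter",
       6: "header", 7: "build", 8: "netbios", 9: "const_parameter",
       10: "const_header", 11: "netbiosu", 12: "uri-append", 13: "base64url",
       14: "strrep", 15: "mask", 16: "const_host_header"}
WITH_STRING = {"append", "prepend", "parameter", "header", "const_parameter",
               "const_header", "const_host_header"}
BUILD = {"get": {0: "metadata", 1: "output"}, "post": {0: "id", 1: "output"}}
# The two blobs exactly as the report prints them (http_header1, http_header2).
HTTP_HEADER1 = "AAAACgAAAB9BY2NlcHQtTGFuZ3VhZ2U6IGVuLVVTLGVuO3E9MC41AAAACgAAAFJBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LGltYWdlL3dlYnAsKi8qO3E9MC44AAAACgAAAB5BY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUAAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAABwAAAAAAAAAPAAAADQAAAAEAAAALL2tpdHRlbi5naWYAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
HTTP_HEADER2 = "AAAACgAAAB5Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL2pzb24AAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAABwAAAAAAAAAPAAAACAAAAAYAAAAOQXV0aGVudGljYXRpb24AAAAHAAAAAQAAAAMAAAACAAAAc3siaW1hZ2VfdXJsIiA6ICJodHRwczovL3N1bjktMjMudXNlcmFwaS5jb20vRzRKdmRaREVmTGRJUGxOTjEtSmtNR1EydW5mMktFSVY1NE9tNWcvYWJKNzBqR0hmVmsuanBnIiwgIm1ldGFkYXRhIiA6ICIAAAABAAAAAiJ9AAAABAAAAAAAAA=="

def parse_program(blob_b64, kind):
    """Decode a program blob into [(step, argument), ...]: big-endian int32
    opcodes; string steps carry an int32 length plus bytes; build carries an
    int32 block selector; opcode 0 terminates (the rest of the blob is padding)."""
    blob = blob_b64.strip().rstrip("=")
    data = base64.b64decode(blob + "=" * (-len(blob) % 4))
    off, steps = 0, []

    def u32():
        nonlocal off
        (value,) = struct.unpack_from(">I", data, off)
        off += 4
        return value

    def text():
        nonlocal off
        n = u32()
        s = data[off:off + n].decode("latin-1")
        off += n
        return s

    while off + 4 <= len(data):
        op = u32()
        if op == 0:
            break
        name = OPS.get(op, "op%d" % op)
        if name in WITH_STRING:
            steps.append((name, text()))
        elif name == "strrep":  # the only step with two string arguments
            steps.append((name, (text(), text())))
        elif name == "build":
            steps.append((name, BUILD[kind][u32()]))
        else:
            steps.append((name, None))
    return steps

def render(steps, kind, uri):
    """Rewrite decoded steps in Malleable C2 profile syntax (client block only)."""
    q = lambda s: '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'
    alias = {"const_header": "header", "const_parameter": "parameter",
             "const_host_header": "header"}
    out = ["http-%s {" % kind, "  set uri %s;" % q(uri), "  client {"]
    in_block = False
    for name, arg in steps:
        if name == "build":
            if in_block:
                out.append("    }")
            out.append("    %s {" % arg)
            in_block = True
            continue
        pad, label = ("      " if in_block else "    "), alias.get(name, name)
        if arg is None:
            out.append("%s%s;" % (pad, label))
        elif isinstance(arg, tuple):
            out.append("%s%s %s %s;" % (pad, label, q(arg[0]), q(arg[1])))
        else:
            out.append("%s%s %s;" % (pad, label, q(arg)))
    if in_block:
        out.append("    }")
    return "\n".join(out + ["  }", "}"])

def swap16(n):  # reinterpret a 16-bit field read in the wrong byte order
    return struct.unpack("<H", struct.pack(">H", n))[0]

def swap32(n):  # same for a 32-bit field
    return struct.unpack("<I", struct.pack(">I", n))[0]

def dns_idle_as_ip(value):
    """dns_idle is an IPv4 address held in an int; return it in both byte orders."""
    return str(ipaddress.IPv4Address(value)), str(ipaddress.IPv4Address(swap32(value)))

if __name__ == "__main__":
    print(render(parse_program(HTTP_HEADER1, "get"), "get", "/gifs/ /image/"))
    print(render(parse_program(HTTP_HEADER2, "post"), "post", "/stocks/"))
    print("beacon_type 2048 -> %d (8 = HTTPS), jitter 5120 -> %d%%" % (swap16(2048), swap16(5120)))
    print("dns_idle 67373064 -> %s / %s, dns_sleep 812974080 -> %d ms" % (dns_idle_as_ip(67373064) + (swap32(812974080),)))
```

Running it prints the two profile fragments. The request shape the GET program implies, a path of /gifs/ or /image/ followed by a base64url blob and then /kitten.gif, sent over port 443 to the three listed hosts with the Chrome/80 user agent above, is what to look for in proxy logs; the POST side is a JSON body with an "image_url" key and an "Authentication" request header on /stocks/.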
Signatures

Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.

Suspicious use of SetThreadContext (1 IoC)
  PID 648 SecuriteInfo.com.BackDoor.Meterpreter.130.21870.19638.exe set thread context of PID 1852 mstsc.exe

Delays execution with timeout.exe (1 IoC)
  PID 2472 timeout.exe

Suspicious use of WriteProcessMemory (10 IoCs)
  PID 648 SecuriteInfo.com.BackDoor.Meterpreter.130.21870.19638.exe wrote to memory of PID 1852 mstsc.exe (4 events)
  PID 648 SecuriteInfo.com.BackDoor.Meterpreter.130.21870.19638.exe wrote to memory of PID 2072 cmd.exe (3 events)
  PID 2072 cmd.exe wrote to memory of PID 2472 timeout.exe (3 events)
Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.Meterpreter.130.21870.19638.exe (PID 648)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.Meterpreter.130.21870.19638.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\SysWOW64\mstsc.exe (PID 1852)
  |     Command line: C:\Windows\SysWOW64\mstsc.exe
  |
  +-- C:\Windows\SysWOW64\cmd.exe (PID 2072)
        Command line: cmd.exe /C timeout 120 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.Meterpreter.130.21870.19638.exe"
        Signatures: Suspicious use of WriteProcessMemory
        |
        +-- C:\Windows\SysWOW64\timeout.exe (PID 2472)
              Command line: timeout 120
              Signatures: Delays execution with timeout.exe
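The cmd.exe child is the loader's clean-up: wait 120 seconds, then delete the original executable, so the dropper path no longer exists once the run is over. The Python below is an added detection example, not part of the report; it runs over constructed process-creation records that mirror the tree above (plus one benign del for contrast, all labelled as constructed in the code) and flags a cmd.exe whose delayed del names its own parent's image path, which separates this self-deletion from routine file clean-up.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (the fields Sysmon event 1 or 4688 give)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\SecuriteInfo.com.BackDoor.Meterpreter.130.21870.19638.exe")

# Constructed events mirroring the report's process tree, plus one benign
# control (PID 3001); these are not telemetry from the sandbox itself.
EVENTS = [
    ProcEvent(648, 1000, DROPPER, '"%s"' % DROPPER),
    ProcEvent(1852, 648, r"C:\Windows\SysWOW64\mstsc.exe", r"C:\Windows\SysWOW64\mstsc.exe"),
    ProcEvent(2072, 648, r"C:\Windows\SysWOW64\cmd.exe",
              'cmd.exe /C timeout 120 > Nul & Del /f /q "%s"' % DROPPER),
    ProcEvent(2472, 2072, r"C:\Windows\SysWOW64\timeout.exe", "timeout 120"),
    ProcEvent(3001, 1000, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /C del /q "C:\Temp\old.log"'),
]

# A delay (timeout N, or the ping -n N variant), a command separator, then
# del/erase with optional switches and the path being removed.
DELAYED_DELETE = re.compile(r"""(?ix)
    \b(?:timeout|ping)\b [^&|]*?          # the delay and its redirection
    [&|]+ \s*                             # & or && or |
    (?:del|erase)\b \s+ (?:/[a-z]+\s+)*   # del with optional switches
    "?(?P<target>[^"&|]+?)"? \s*$         # the file being removed
""")


def find_delayed_self_delete(events):
    """Return (cmd_pid, parent_pid, parent_image) for every cmd.exe whose
    delayed del targets the image file of its own parent process."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        m = DELAYED_DELETE.search(e.cmdline)
        if m is None:
            continue
        parent = by_pid.get(e.ppid)
        if parent and parent.image.lower() == m.group("target").strip().lower():
            hits.append((e.pid, parent.pid, parent.image))
    return hits


if __name__ == "__main__":
    for cmd_pid, ppid, image in find_delayed_self_delete(EVENTS):
        print("cmd.exe %d deletes the image of its parent %d: %s" % (cmd_pid, ppid, image))
```

The parent-image comparison is what keeps this precise: a plain "del" of a log file from a script does not fire, while the report's cmd.exe (PID 2072, parent PID 648) does. Pair it with the WriteProcessMemory and SetThreadContext signatures above, which show the same parent hollowing a freshly spawned SysWOW64\mstsc.exe, and the two together describe the loader end to end.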
Downloads

memory/1852-0-0x0000000000E50000-0x0000000000E84000-memory.dmp (208KB)
memory/1852-2-0x0000000000E50000-mapping.dmp
memory/1852-5-0x0000000004CF0000-0x0000000004EFF000-memory.dmp (2.1MB)
memory/1852-6-0x0000000004CF0000-0x0000000004EFF000-memory.dmp (2.1MB)
memory/2072-3-0x0000000000000000-mapping.dmp
memory/2472-4-0x0000000000000000-mapping.dmp