Analysis
-
max time kernel
134s -
max time network
150s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
13-11-2020 16:08
Static task
static1
Behavioral task
behavioral1
Sample
3ec7126c2538d33007a3c5da01130430442a59349794ceddbc64c1b45a2dc4ba.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
3ec7126c2538d33007a3c5da01130430442a59349794ceddbc64c1b45a2dc4ba.exe
Resource
win10v20201028
General
-
Target
3ec7126c2538d33007a3c5da01130430442a59349794ceddbc64c1b45a2dc4ba.exe
-
Size
224KB
-
MD5
b425a2f36c42563e301ba185512486e5
-
SHA1
b3c6e81be888de6a7af48d2947d06d8b9db71960
-
SHA256
3ec7126c2538d33007a3c5da01130430442a59349794ceddbc64c1b45a2dc4ba
-
SHA512
f1334e1edf8503134cec5348ab4525642b37b76ae5b5826742ae07db515929d82b8b39ef6f7a1d590520d8338e4aa3f12d9b682aee548769fe81110688bbbcb1
Malware Config
Extracted
cobaltstrike
http://support.manilacityhall.com:443/jquery-ajaxSuccess.js
-
access_type
512
-
beacon_type
2048
-
create_remote_thread
0
-
day
0
-
dns_idle
0
-
dns_sleep
0
-
host
support.manilacityhall.com,/jquery-ajaxSuccess.js
-
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAVSG9zdDogY29kZS5qcXVlcnkuY29tAAAACgAAACBSZWZlcmVyOiBodHRwOi8vY29kZS5qcXVlcnkuY29tLwAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAANAAAAAgAAAAlfX2NmZHVpZD0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAVSG9zdDogY29kZS5qcXVlcnkuY29tAAAACgAAACBSZWZlcmVyOiBodHRwOi8vY29kZS5qcXVlcnkuY29tLwAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAAPAAAADQAAAAUAAAAIX19jZmR1aWQAAAAHAAAAAQAAAA8AAAANAAAABAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
- injection_process
-
jitter
9472
-
maxdns
255
-
month
0
- pipe_name
-
polling_time
60000
-
port_number
443
- proxy_password
- proxy_server
- proxy_username
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCVRrITlds21bbk/+HfUdlq32bnIYIqJ/TgHPYgtliFLWwQfIhuvUldbUpMGMtdb3WHlRoqmz2XOajC5j4ZmzslqMa0vBwTd5wEmnqypQCzdspTEdq3Ose34Q5Q96c0u8MC6qh5RavngODYv1lfBEmB14mAAH0WqDFu6wfFmQWyuQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4.234810624e+09
-
unknown2
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown3
0
-
unknown4
0
-
unknown5
3.276909167e+09
-
uri
/jquery-before.js
-
user_agent
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
-
year
0
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.