Analysis
- max time kernel: 147s
- max time network: 149s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 08-12-2020 14:51
- Static task: static1
- Behavioral task: behavioral1 (Sample: btc.exe, Resource: win7v20201028)
- Behavioral task: behavioral2 (Sample: btc.exe, Resource: win10v20201028)
General
- Target: btc.exe
- Size: 161KB
- MD5: 0555493303b805edc68e153d013e6b30
- SHA1: 4c5a730e08120aac73369a893239268c56265d97
- SHA256: b48d3ae5fa7696774dfdad64078ca260f5121c03fca80fc53c0caf0bf346aeb1
- SHA512: 4f7cdc3183e6868128d65ce1fb3062a638fd45108a263030654adaa6f2d3054753b4d8d6c40b12a76a988ae546f4604ea5e4e0f30312c6e7d49d9827eb98753e
Malware Config

Extracted: metasploit
- windows/download_exec
- http://www.impulse-static.com:443/site/content/jquery-3.3.1.slim.min.js

Extracted: cobaltstrike
- http://www.impulse-static.com:443/site/jquery-3.3.1.min.js
- http://www.shark-knifes.com:443/site/jquery-3.3.1.min.js
- access_type: 512
- beacon_type: 2048
- create_remote_thread: 0
- day: 0
- dns_idle: 3.7054228e+09
- dns_sleep: 0
- host: www.impulse-static.com,/site/jquery-3.3.1.min.js,www.shark-knifes.com,/site/jquery-3.3.1.min.js
- http_header1: AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuZ2l0aHViLmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADQAAAAIAAAAJX19jZmR1aWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_header2: AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuZ2l0aHViLmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADwAAAA0AAAAFAAAACF9fY2ZkdWlkAAAABwAAAAEAAAAPAAAADQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_method1: GET
- http_method2: POST
- injection_process:
- jitter: 5888
- maxdns: 255
- month: 0
- pipe_name:
- polling_time: 10000
- port_number: 443
- proxy_password:
- proxy_server:
- proxy_username:
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCIWFGzNKTst4Ksfub0bQSX5/CUWz/iN8e3Xl47TQNwtX9sqe1eYQ+J+W3Oc5ed0KqxL43LuWKHIn3o9ilVAqQ7zJFDyNWIwqjccImGdt8B7ktOmxuvzmxJvBN3Eg4PhcJQP82MsxB+F5QJuJ8rAxfzwhhewLHOf5vm9fnXH05ERwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 4.234810624e+09
- unknown2: AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown3: 0
- unknown4: 0
- unknown5: 1
- uri: /site/jquery-3.3.2.min.js
- user_agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
- year: 0
Signatures
- Cobaltstrike: Detected malicious payload which is part of Cobaltstrike.
- MetaSploit: Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 1028 set thread context of 476 | 1028 | btc.exe | btc.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (12 identical entries):
  description | pid | process | target process
  PID 1028 wrote to memory of 476 | 1028 | btc.exe | btc.exe
Downloads
- memory/476-4-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
- memory/476-5-0x00000000004014B0-mapping.dmp
- memory/476-6-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
- memory/476-7-0x0000000000020000-0x0000000000021000-memory.dmp (Filesize: 4KB)
- memory/476-8-0x0000000003E00000-0x0000000004272000-memory.dmp (Filesize: 4.4MB)
- memory/476-9-0x0000000003E00000-0x0000000004272000-memory.dmp (Filesize: 4.4MB)
- memory/1028-2-0x00000000006B9000-0x00000000006BA000-memory.dmp (Filesize: 4KB)
- memory/1028-3-0x0000000002240000-0x0000000002241000-memory.dmp (Filesize: 4KB)