Analysis

  • max time kernel
    1785s
  • max time network
    1787s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    03-02-2021 17:13

General

  • Target

    AnnualReport.exe

  • Size

    441KB

  • MD5

    2c00aaba1bad8a20cf1f154646e50878

  • SHA1

    314c5dd041216b0eb130075961ab660004e39fdf

  • SHA256

    52bbe09c7150ea66269c71bac8d0237fb0e6b0cae4ca63ab19807c310d6a1a0b

  • SHA512

    f6b48cb567a808b2b25b113a84476178ae42ffa7f4d47e03f6ca0c3e31762316f539d1913afedb88de28a6164c6551705130f28a66bdedfd4d182cf1cdd37ce0

Malware Config

Extracted

Family

cobaltstrike

Version

windows/download_exec

C2

http://jobsmarc.com:443/image-directory/tab_shop.ico

Extracted

Family

cobaltstrike

C2

http://jobsmarc.com:443/eso

Attributes
  • access_type

    512

  • beacon_type

    2048

  • create_remote_thread

    0

  • day

    0

  • dns_idle

    0

  • dns_sleep

    0

  • host

    jobsmarc.com,/eso

  • http_header1

    AAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAoAAAATQWNjZXB0LUVuY29kaW5nOiBicgAAAAoAAAA9QWNjZXB0LUxhbmd1YWdlOiBmci1DSCwgZnI7cT0wLjksIGVuO3E9MC44LCBkZTtxPTAuNywgKjtxPTAuNQAAAAcAAAAAAAAADwAAAAMAAAACAAAAA2x1PQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAoAAAAYQ29udGVudC1UeXBlOiB0ZXh0L3BsYWluAAAABwAAAAEAAAADAAAAAwAAAAQAAAAHAAAAAAAAAAMAAAACAAAADl9fc2Vzc2lvbl9faWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • injection_process

  • jitter

    11008

  • maxdns

    0

  • month

    0

  • pipe_name

  • polling_time

    63971

  • port_number

    443

  • proxy_password

  • proxy_server

  • proxy_username

  • sc_process32

    %windir%\syswow64\WUAUCLT.exe

  • sc_process64

    %windir%\sysnative\WUAUCLT.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCHUpRHYUbA0B1ftXjQoleMAjAN6V1d0hLi7Zajz2EiYlDBxzdzbAyRftkGXhfvLTBeqZK5ZW9ZoJL/3r1oYXT+/ZMGZeM0iaohj1O/yHEv1aYFHufvGR1VV5Rpy+Zi6h0MwDlq60Wu5gdgcXiHbSkRI54xRMKVhyCGoi5DgZSzdwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    7.8457344e+07

  • unknown2

    AAAABAAAAAIAAAJYAAAAAwAAAAsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown3

    0

  • unknown4

    0

  • unknown5

    1.841236305e+09

  • uri

    /ki

  • user_agent

    Mozilla/5.0 (Windows Phone 10.0; Android 6.0.1; Microsoft; RM-1152) AppleWebKit/537.36 (KHTML, like Gecko)

  • year

    0

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • Blocklisted process makes network request 21 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AnnualReport.exe
    "C:\Users\Admin\AppData\Local\Temp\AnnualReport.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4760
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe
      2⤵
      • Blocklisted process makes network request
      PID:840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/840-2-0x0000000000000000-mapping.dmp
  • memory/840-3-0x000001D030EC0000-0x000001D030EC1000-memory.dmp
    Filesize

    4KB

  • memory/840-5-0x000001D032FA0000-0x000001D0333A0000-memory.dmp
    Filesize

    4.0MB