Analysis
-
max time kernel
134s -
max time network
134s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
15-02-2021 17:16
Static task
static1
Behavioral task
behavioral1
Sample
HyperLinkDemo.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
HyperLinkDemo.exe
Resource
win10v20201028
General
-
Target
HyperLinkDemo.exe
-
Size
952KB
-
MD5
593f93498ed4563985e10ebbe80d657e
-
SHA1
7a76a16b1355da1e594e5a6cad2db28ab68c02cf
-
SHA256
cf9f6a9389651599d4dd42b160643841cc1602b4dc4065ce4fbceaec0d8656d1
-
SHA512
50c93d2a3f17ed56318b204b43c49af0b9f86057fb7649ed7a02196e2349a6ccfd728fb8adab67b32af8a5b366a630a07cc9a9b6010a7a93e8a1c5391232f6b5
Malware Config
Extracted
cobaltstrike
http://topother.com:443/admin
-
access_type
512
-
beacon_type
2048
-
create_remote_thread
0
-
day
0
-
dns_idle
0
-
dns_sleep
0
-
host
topother.com,/admin
-
http_header1
AAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAoAAAAVQWNjZXB0LUVuY29kaW5nOiBnemlwAAAACgAAACVBY2NlcHQtTGFuZ3VhZ2U6IGVuLUdCO3E9MC45LCAqO3E9MC43AAAABwAAAAAAAAADAAAAAwAAAAIAAAArd29yZHByZXNzX2Q2YzA0MDVlMGQ3YWIxOGZkNGU2YTBiNzRmY2U0MGIwPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAoAAAAVQWNjZXB0LUVuY29kaW5nOiBnemlwAAAACgAAABhDb250ZW50LVR5cGU6IHRleHQvcGxhaW4AAAAHAAAAAQAAAAMAAAADAAAABAAAAAcAAAAAAAAAAwAAAAIAAAAOX19zZXNzaW9uX19pZD0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
- injection_process
-
jitter
10496
-
maxdns
0
-
month
0
- pipe_name
-
polling_time
55030
-
port_number
443
- proxy_password
- proxy_server
- proxy_username
-
sc_process32
%windir%\syswow64\regsvr32.exe
-
sc_process64
%windir%\sysnative\regsvr32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeiunXEnsXFofwaNPXBB2LDEFCgt+TyBd4oRWC9zFX1OUYgS94SloQQUBYMkz1BAPvqlU7/AA6UTyDUrcyoaWp7r+j8QYnvY6K6T5B0M1el1aEL8KqOiPkrSgs3MzekU22hbK1xDWxNvszHXc/F5U39/30kLg01iiJ7irjrpes4QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4.272630272e+09
-
unknown2
AAAABAAAAAIAAAFSAAAAAwAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown3
0
-
unknown4
0
-
unknown5
1.841236305e+09
-
uri
/ee
-
user_agent
Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0
-
year
0
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Dave packer 1 IoCs
Detects executable packed with a packer named 'Dave' from the community, due to a string at the end of it.
Processes:
resource yara_rule behavioral1/memory/296-5-0x00000000002A0000-0x00000000002CD000-memory.dmp dave -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
HyperLinkDemo.exepid process 296 HyperLinkDemo.exe 296 HyperLinkDemo.exe