Analysis
-
max time kernel
146s -
max time network
151s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
03-05-2021 14:01
Static task
static1
Behavioral task
behavioral1
Sample
fc008b1f_by_Libranalysis.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
fc008b1f_by_Libranalysis.exe
Resource
win10v20210408
General
-
Target
fc008b1f_by_Libranalysis.exe
-
Size
813KB
-
MD5
fc008b1ff424b45bc9e616cfd8aaeae4
-
SHA1
b526df575129071d4627dbe0b27f40e525dd0c43
-
SHA256
3f9cf521bf11dfe1a5b6baebde88f8eaac8e851ed8bcf220109d081b4a3f0b6f
-
SHA512
f66ecaaa7b6dd97de3e536554391f94e5d11112488fd23953e6d5382bb524a5dd9e9d4fc0fd38bdcefc634e1af862decc5353e7d394d7ee2528295f7be49ad32
Malware Config
Extracted
cobaltstrike
0
http://192.99.250.7:80/r-arrow.js
-
access_type
512
-
host
192.99.250.7,/r-arrow.js
-
http_method1
GET
-
http_method2
POST
-
jitter
10496
-
polling_time
62222
-
port_number
80
-
sc_process32
%windir%\syswow64\runonce.exe
-
sc_process64
%windir%\sysnative\runonce.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnOM3nXx+7HBhkbDd+AwFrFisSunK999w2tM0uTpuuEiBalcJhcL+QgQWtf6S7zPp5hjImG+2YcPl18geU4f5JlSPXHwilbK4DFb/ePWyKFjhrA7emVRqhM21QMlo1ANsn14rY/RO2pzuft8P7TXoIjjI/B2GGVuzYNZX6X4I2EwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4.272630272e+09
-
unknown2
AAAABAAAAAIAAAFSAAAAAwAAAAsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/ki
-
user_agent
Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0
-
watermark
0
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
fc008b1f_by_Libranalysis.exe
description                      pid  process                        target process
PID 644 wrote to memory of 2708  644  fc008b1f_by_Libranalysis.exe   cmd.exe
PID 644 wrote to memory of 2708  644  fc008b1f_by_Libranalysis.exe   cmd.exe
PID 644 wrote to memory of 2708  644  fc008b1f_by_Libranalysis.exe   cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\fc008b1f_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\fc008b1f_by_Libranalysis.exe"
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c echo usKgACrQlXGRauSoRGETcxGDXHqhRXBNnJywyuzKMG>"C:\Users\Admin\AppData\Local\Temp\DEM7313.tmp"&exit
Network
MITRE ATT&CK Matrix
Downloads
-
C:\Users\Admin\AppData\Local\Temp\DEM7313.tmp
MD5
8c9dd17caf3522d0106e46e62c88a613
SHA1
4d6e184589183d93b2cd89626b0030c4f68e4a81
SHA256
9a736c66045892fb81b8736bc5b3fec78db1f4fdf958bb46b7397708035e1787
SHA512
b552e59ebf5e7f614620c7fa24fea7a054439c924b34e3680bec0e776ed54bc3c0bdacec0fc8e053da3d08b6b18dfb82abc5a27cb9836a1551da83c1da84e91d
-
memory/644-117-0x0000000000D30000-0x0000000000DB7000-memory.dmp
Filesize
540KB
-
memory/644-118-0x0000000000D30000-0x0000000000DB7000-memory.dmp
Filesize
540KB
-
memory/2708-114-0x0000000000000000-mapping.dmp