Analysis
max time kernel
120s
max time network
172s
platform
windows7_x64
resource
win7v20210410
submitted
28-07-2021 11:22
Static task
static1
Behavioral task
behavioral1
Sample
284b3dde6049c0d9be0c3cd55b0e5c286796d937e4964347e3d3fb8fda495cfc.bin.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
284b3dde6049c0d9be0c3cd55b0e5c286796d937e4964347e3d3fb8fda495cfc.bin.exe
Resource
win10v20210408
General
Target
284b3dde6049c0d9be0c3cd55b0e5c286796d937e4964347e3d3fb8fda495cfc.bin.exe
Size
4.4MB
MD5
007f1c18e002c1d5c8fbba68e76ab5cf
SHA1
00d54bbcfed3248bd360c605eaf2e75bd85e4b99
SHA256
284b3dde6049c0d9be0c3cd55b0e5c286796d937e4964347e3d3fb8fda495cfc
SHA512
10addb33452b5c436561097c9e3564785fc92b1857ccd0da0e5a7e903e370ab210403015ca694fee8873b3bc2cc1b4ceac9242409aa2b2f886f5e2c23434e157
Malware Config
Extracted
cobaltstrike
http://101.37.15.184:8888/SUqD
user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSCOM)
Signatures
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
Loads dropped DLL 2 IoCs
Processes:
pid   process
2032  284b3dde6049c0d9be0c3cd55b0e5c286796d937e4964347e3d3fb8fda495cfc.bin.exe
2032  284b3dde6049c0d9be0c3cd55b0e5c286796d937e4964347e3d3fb8fda495cfc.bin.exe
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description                          pid   process                                                                   target process
PID 1020 wrote to memory of 2032     1020  284b3dde6049c0d9be0c3cd55b0e5c286796d937e4964347e3d3fb8fda495cfc.bin.exe  284b3dde6049c0d9be0c3cd55b0e5c286796d937e4964347e3d3fb8fda495cfc.bin.exe
PID 1020 wrote to memory of 2032     1020  284b3dde6049c0d9be0c3cd55b0e5c286796d937e4964347e3d3fb8fda495cfc.bin.exe  284b3dde6049c0d9be0c3cd55b0e5c286796d937e4964347e3d3fb8fda495cfc.bin.exe
PID 1020 wrote to memory of 2032     1020  284b3dde6049c0d9be0c3cd55b0e5c286796d937e4964347e3d3fb8fda495cfc.bin.exe  284b3dde6049c0d9be0c3cd55b0e5c286796d937e4964347e3d3fb8fda495cfc.bin.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\284b3dde6049c0d9be0c3cd55b0e5c286796d937e4964347e3d3fb8fda495cfc.bin.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\284b3dde6049c0d9be0c3cd55b0e5c286796d937e4964347e3d3fb8fda495cfc.bin.exe"
   Suspicious use of WriteProcessMemory
   PID:1020
   2. C:\Users\Admin\AppData\Local\Temp\284b3dde6049c0d9be0c3cd55b0e5c286796d937e4964347e3d3fb8fda495cfc.bin.exe (child of PID 1020)
      Command line: "C:\Users\Admin\AppData\Local\Temp\284b3dde6049c0d9be0c3cd55b0e5c286796d937e4964347e3d3fb8fda495cfc.bin.exe"
      Loads dropped DLL
      PID:2032
Network
MITRE ATT&CK Matrix
Downloads
C:\Users\Admin\AppData\Local\Temp\_MEI10202\_ctypes.pyd
MD5
744e95852d3f6a1cd54e1c33b8c4f492
SHA1
5a73b103e58eb8886615dc12433673274c19b2da
SHA256
3f622380097e46217bdcd45382cf66558eb144d90699a92ddde345eb447d9470
SHA512
20cc5fd1d8866f69221290f346cb4c0a4f5f9ab4f5e18c6ba571946ca1048158026719fbb18c9a71de606e306e80f0ea638e1344a89b3f620a534b8483db3a95
C:\Users\Admin\AppData\Local\Temp\_MEI10202\python27.dll
MD5
ccccc034d1f7c8df404bfcbb2722f16e
SHA1
2f18686bc2e2f9aadc15b08c0b75dabc0aeeb2e0
SHA256
1aa07295c53742e06ebec7ac35ab824c8470ac5a812c5ac5bec2d3b01446579d
SHA512
f41e632751b7a565ba598f524b19e5a9e5422af843ec57ade7c0f65949bc7eb6014dd2c5478e8a6d89f3fac9b0fdceb41a75e77b0a92ce56733afa2e41a1124e
\Users\Admin\AppData\Local\Temp\_MEI10202\_ctypes.pyd
MD5
744e95852d3f6a1cd54e1c33b8c4f492
SHA1
5a73b103e58eb8886615dc12433673274c19b2da
SHA256
3f622380097e46217bdcd45382cf66558eb144d90699a92ddde345eb447d9470
SHA512
20cc5fd1d8866f69221290f346cb4c0a4f5f9ab4f5e18c6ba571946ca1048158026719fbb18c9a71de606e306e80f0ea638e1344a89b3f620a534b8483db3a95
\Users\Admin\AppData\Local\Temp\_MEI10202\python27.dll
MD5
ccccc034d1f7c8df404bfcbb2722f16e
SHA1
2f18686bc2e2f9aadc15b08c0b75dabc0aeeb2e0
SHA256
1aa07295c53742e06ebec7ac35ab824c8470ac5a812c5ac5bec2d3b01446579d
SHA512
f41e632751b7a565ba598f524b19e5a9e5422af843ec57ade7c0f65949bc7eb6014dd2c5478e8a6d89f3fac9b0fdceb41a75e77b0a92ce56733afa2e41a1124e
memory/2032-59-0x0000000000000000-mapping.dmp
memory/2032-64-0x0000000001B20000-0x0000000001B21000-memory.dmp
Filesize
4KB