Analysis
- max time kernel: 75s
- max time network: 124s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 11-11-2021 18:26

Static task: static1
Behavioral task: behavioral1 (Sample: !.bin.exe, Resource: win7-en-20211104)
Behavioral task: behavioral2 (Sample: !.bin.exe, Resource: win10-en-20211014)
General
- Target: !.bin.exe
- Size: 5.2MB
- MD5: c1e722db229bd6dd596663f6f08aa654
- SHA1: e8f2847b2bc4e1585f47a46161c192caf3978d02
- SHA256: 6b88286b240db5630c98d895fd188d079b4a88790dee601645afab7ae28cc578
- SHA512: b415b68edcc8488f82f1dd9537640b35c22f4321f622cbac59f44fbe22ab36890a3ed13c1bf292c1e417f88ef9d72f79e810cbc114711ed00219304ea341303c
Malware Config
Extracted: cobaltstrike
- c2 url: http://101.35.100.211:58888/bEIm
- user_agent: User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
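Added example, not part of the sandbox report: turning the two extracted config values into detection logic that can be run over web-proxy logs, plus the check a practitioner would do on the URI itself. Cobalt Strike's HTTP stager (following the Metasploit convention) serves the stage for any request whose URI path has a checksum8 of 92 (x86) or 93 (x64), and its default stager URI is four random alphanumerics; "/bEIm" sums to 93, so this is an x64 stager URL, a fact not stated on the page but derivable from it. The log lines and the log format are constructed for the example; the host:port match is the high-confidence signal, the user agent is a generic Internet Explorer string that other software can send and is only corroborating.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the report's "Malware Config" block.
C2_URL = "http://101.35.100.211:58888/bEIm"
# The extracted user_agent field carries the whole header line; keep the value only.
C2_USER_AGENT = "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)".split(": ", 1)[1]
C2_HOSTPORT = urlsplit(C2_URL).netloc      # "101.35.100.211:58888"

# Cobalt Strike's HTTP stager uses a random URI whose checksum8 selects the
# stage: 92 -> x86, 93 -> x64. The default URI is four alphanumerics, which is
# why "/bEIm" looks like noise but is not random.
STAGER_ARCH = {92: "x86", 93: "x64"}
STAGER_PATH_RE = re.compile(r"^/[A-Za-z0-9]{4}$")


def checksum8(path: str) -> int:
    """Sum of the byte values of the path (leading '/' dropped), mod 256."""
    return sum(path.lstrip("/").encode("utf-8")) % 256


def stager_arch(path: str):
    """'x86', 'x64' or None for a default-format stager path."""
    if not STAGER_PATH_RE.match(path):
        return None
    return STAGER_ARCH.get(checksum8(path))


# Constructed proxy log lines (not from the sandbox run), one per line:
# <epoch> <client> <method> <url> <status> "<user agent>"
SAMPLE_LOG = """\
1636655200.101 10.0.0.17 GET http://101.35.100.211:58888/bEIm 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
1636655201.554 10.0.0.23 GET http://www.example.com/index.html 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
1636655260.300 10.0.0.17 GET http://101.35.100.211:58888/__utm.gif 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
1636655300.007 10.0.0.42 GET http://198.51.100.9/xy47 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+) "(?P<ua>[^"]*)"$'
)


def scan_log(text: str) -> list:
    """Return one record per log line that matches any indicator, with the reasons."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip malformed lines rather than crash
        url = urlsplit(m["url"])
        reasons = []
        if url.netloc == C2_HOSTPORT:
            reasons.append("c2_host")     # exact host:port from the extracted config
        if m["ua"] == C2_USER_AGENT:
            reasons.append("beacon_user_agent")
        arch = stager_arch(url.path)
        if arch:
            reasons.append("stager_uri_" + arch)
        if reasons:
            hits.append({"client": m["client"], "url": m["url"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    print("checksum8('/bEIm') =", checksum8("/bEIm"), "->", stager_arch("/bEIm"))
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The stager-URI heuristic is deliberately narrow (exactly four alphanumerics with checksum8 92 or 93) so that it ranks as corroboration next to a host match rather than as an alert on its own; roughly 2 in 256 random four-character paths would satisfy it.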
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Processes:
    description               pid   process       target process
    PID 3412 created 2740     3412  WerFault.exe  !.bin.exe
- Loads dropped DLL (3 IoCs)
  Processes:
    pid   process
    2740  !.bin.exe
    2740  !.bin.exe
    2740  !.bin.exe
- Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    3412  2740        WerFault.exe  !.bin.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes:
    pid   process
    3412  WerFault.exe  (12 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  3412  WerFault.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes:
    description                       pid   process    target process
    PID 2636 wrote to memory of 2740  2636  !.bin.exe  !.bin.exe
    PID 2636 wrote to memory of 2740  2636  !.bin.exe  !.bin.exe
Processes (PIDs taken from the signature tables above)
1. C:\Users\Admin\AppData\Local\Temp\!.bin.exe (PID 2636)
   "C:\Users\Admin\AppData\Local\Temp\!.bin.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\!.bin.exe (PID 2740)
      "C:\Users\Admin\AppData\Local\Temp\!.bin.exe"
      - Loads dropped DLL
      3. C:\Windows\system32\WerFault.exe (PID 3412)
         C:\Windows\system32\WerFault.exe -u -p 2740 -s 1032
         - Suspicious use of NtCreateProcessExOtherParentProcess
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\_MEI26362\MSVCR90.dll
  MD5: 552cf56353af11ce8e0d10ee12fdcd85
  SHA1: 6ab062b709f851a9576685fe0410ff9f1a4af670
  SHA256: e88299ea1a140ff758163dfff179fff3bc5e90e7cfbbd178d0c886dbad184012
  SHA512: 122f389e7047b728b27f3c964d34b9c8bcae7c36177122e6aa997a6edadad20b14552879f60667a084d34727cb2c85dd5534b6fa7a451f0ab33555b315335457
- C:\Users\Admin\AppData\Local\Temp\_MEI26362\UUID_loader1.exe.manifest
  MD5: 5dd7dcf8cf647908b20a69a2f1a9fe15
  SHA1: 818308c2d53cfd95b4882909e13643852550afca
  SHA256: 30e4ba7862154d9917f8bfb40c0b752eb74e1b62e2d5b78f21fca794f50987ca
  SHA512: 674f064bae910f70283f5ce3c9b8a8579cbefc690dbde5aa7636991b36563eae5cdbea572501a866dc29a5082d2d59d3b4b96f6bd0e70a7a530e1fa674702a1e
- C:\Users\Admin\AppData\Local\Temp\_MEI26362\_ctypes.pyd
  MD5: 28e5d05ab42adb1e7ada35f1eef1b32b
  SHA1: 0792867716c8a933305455a2c7f39d30807dad65
  SHA256: a93e3bfe62afa5062c6257a7f347d715af346ac3aec7999b8d86a9f2580ec176
  SHA512: 0cb08ec46068e20a2df3fc0e69bceba5b8a807aeb580002e846d9272fea7a6ee24b8f2c571571677b61dd8c58eb998c26a656193798de5075c6943f6d701c569
- C:\Users\Admin\AppData\Local\Temp\_MEI26362\python27.dll
  MD5: 4fc438493188550ea7dfb0cc153b4983
  SHA1: 2e7e79cee5ca14a584c49d7222cecd4a53beac41
  SHA256: 2ae1f70a99a8f760d3883258f0f69ae759b48270b07036e41b1e887add0c3cfc
  SHA512: 5f91ddf65fa94129c2e483400327d564a8ce3e3b9dea3a5294fdb6bbd5ee599f89003da8922d1f3904dbab7bd0d4b23fc355f1854e6b34a7f012c1065e88053e
- \Users\Admin\AppData\Local\Temp\_MEI26362\_ctypes.pyd
  MD5: 28e5d05ab42adb1e7ada35f1eef1b32b
  SHA1: 0792867716c8a933305455a2c7f39d30807dad65
  SHA256: a93e3bfe62afa5062c6257a7f347d715af346ac3aec7999b8d86a9f2580ec176
  SHA512: 0cb08ec46068e20a2df3fc0e69bceba5b8a807aeb580002e846d9272fea7a6ee24b8f2c571571677b61dd8c58eb998c26a656193798de5075c6943f6d701c569
- \Users\Admin\AppData\Local\Temp\_MEI26362\msvcr90.dll
  MD5: 552cf56353af11ce8e0d10ee12fdcd85
  SHA1: 6ab062b709f851a9576685fe0410ff9f1a4af670
  SHA256: e88299ea1a140ff758163dfff179fff3bc5e90e7cfbbd178d0c886dbad184012
  SHA512: 122f389e7047b728b27f3c964d34b9c8bcae7c36177122e6aa997a6edadad20b14552879f60667a084d34727cb2c85dd5534b6fa7a451f0ab33555b315335457
- \Users\Admin\AppData\Local\Temp\_MEI26362\python27.dll
  MD5: 4fc438493188550ea7dfb0cc153b4983
  SHA1: 2e7e79cee5ca14a584c49d7222cecd4a53beac41
  SHA256: 2ae1f70a99a8f760d3883258f0f69ae759b48270b07036e41b1e887add0c3cfc
  SHA512: 5f91ddf65fa94129c2e483400327d564a8ce3e3b9dea3a5294fdb6bbd5ee599f89003da8922d1f3904dbab7bd0d4b23fc355f1854e6b34a7f012c1065e88053e
- memory/2740-115-0x0000000000000000-mapping.dmp
- memory/2740-123-0x00000000001C0000-0x00000000001C1000-memory.dmp
  Filesize: 4KB
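Added example, not from the report or the sandbox vendor. The `_MEI26362` directory holding python27.dll, _ctypes.pyd and MSVCR90.dll is the temporary directory that PyInstaller's one-file bootloader unpacks into (`_MEI` followed by digits derived from the bootloader's own PID; the parent `!.bin.exe` here is PID 2636), and the parent spawning a second copy of itself that loads those DLLs is the normal one-file start-up sequence on Windows. The sample is therefore a PyInstaller-packed Python 2.7 program, and the dropped manifest name suggests (an inference, not stated on the page) that it was built as UUID_loader1.exe. The script below identifies such a bundle statically, without running it, by parsing the archive cookie PyInstaller appends to the EXE; the bundle bytes it parses are constructed for the example, not the real sample, and contain no real archive members.

```python
import struct

# PyInstaller's CArchive cookie sits at the very end of the bundled archive,
# which on Windows is appended to the bootloader EXE. Layout (PyInstaller >= 2.1,
# big-endian): magic(8) package_len(4) toc_offset(4) toc_len(4) pyvers(4) pylibname(64).
PYI_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8sIIii64s"
COOKIE_LEN = struct.calcsize(COOKIE_FMT)     # 88 bytes


def parse_pyinstaller_cookie(data: bytes):
    """Return a dict describing the PyInstaller archive in `data`, or None if
    there is no well-formed cookie."""
    idx = data.rfind(PYI_MAGIC)            # the bootloader also searches backwards for it
    if idx < 0 or idx + COOKIE_LEN > len(data):
        return None                        # no magic, or truncated cookie
    _magic, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack_from(COOKIE_FMT, data, idx)
    # pyvers is major*10+minor in older releases (27 = 2.7) and major*100+minor
    # in newer ones (310 = 3.10); handle both.
    major, minor = divmod(pyvers, 10) if pyvers < 100 else divmod(pyvers, 100)
    archive_start = idx + COOKIE_LEN - pkg_len     # package_len includes the cookie
    if archive_start < 0 or toc_len < 0 or archive_start + toc_off + toc_len > len(data):
        return None                        # length fields do not fit the file; not a real cookie
    return {
        "archive_offset": archive_start,
        "package_len": pkg_len,
        "toc_offset": archive_start + toc_off,     # absolute offset of the table of contents
        "toc_len": toc_len,
        "python": f"{major}.{minor}",
        "pylib": pylib.split(b"\0", 1)[0].decode("ascii", "replace"),
    }


def build_fake_bundle() -> bytes:
    """Constructed stand-in for a one-file bundle: a fake PE stub followed by a
    package whose cookie says Python 2.7 / python27.dll, matching the dropped
    files in the report. No real PyInstaller members are included."""
    stub = b"MZ" + b"\x90" * 62                   # pretend bootloader (64 bytes)
    members = b"\x00" * 32                        # pretend compressed members
    toc = b"fake TOC entries"                     # pretend table of contents (16 bytes)
    pkg_len = len(members) + len(toc) + COOKIE_LEN
    cookie = struct.pack(COOKIE_FMT, PYI_MAGIC, pkg_len, len(members), len(toc), 27, b"python27.dll")
    return stub + members + toc + cookie


if __name__ == "__main__":
    info = parse_pyinstaller_cookie(build_fake_bundle())
    print(info)
```

To run it against a real file, pass `open(path, "rb").read()` to `parse_pyinstaller_cookie`; a non-None result with `pylib` of `python27.dll` is the static counterpart of the `_MEIxxxxx\python27.dll` drop seen in the sandbox, and the `toc_offset`/`toc_len` pair is where a fuller tool would go on to enumerate the bundled scripts.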