Analysis
- max time kernel: 118s
- max time network: 120s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 29-12-2021 21:19
Static task: static1
Behavioral task: behavioral1
- Sample: a1d9d2b9440b1a33370302895edbf43b.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: a1d9d2b9440b1a33370302895edbf43b.exe
- Resource: win10-en-20211208
General
- Target: a1d9d2b9440b1a33370302895edbf43b.exe
- Size: 278KB
- MD5: a1d9d2b9440b1a33370302895edbf43b
- SHA1: fce98aa07b88962d4768679b6dcc229e9df42233
- SHA256: fb8acf77891e1897c9dcab222d5a9424e1fd4eb0273e0def4e2872bd870c9901
- SHA512: 9821d377b0c57a46ead06b2c2e90c66f21fdf315146a57161bae8116208c9ace35d5651398950be32b6d8bf68d99be42c26cffda6e17a8710cd7e41948ca0b6b
Malware Config
Extracted: cobaltstrike (0)
- beacon_type: 1024
- host: 0.0.0.0
- http_header1: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_header2: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- polling_time: 10000
- port_number: 443
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnOM3nXx+7HBhkbDd+AwFrFisSunK999w2tM0uTpuuEiBalcJhcL+QgQWtf6S7zPp5hjImG+2YcPl18geU4f5JlSPXHwilbK4DFb/ePWyKFjhrA7emVRqhM21QMlo1ANsn14rY/RO2pzuft8P7TXoIjjI/B2GGVuzYNZX6X4I2EwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 4096
- unknown2: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- watermark: 0
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Program crash (1 IoCs)
  Processes:
  pid: 520, pid_target: 860, process: WerFault.exe, target process: a1d9d2b9440b1a33370302895edbf43b.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  pid: 520, process: WerFault.exe (listed 4 times)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
  pid: 520, process: WerFault.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description: Token: SeDebugPrivilege, pid: 520, process: WerFault.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description: PID 860 wrote to memory of 520, pid: 860, process: a1d9d2b9440b1a33370302895edbf43b.exe, target process: WerFault.exe (listed 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\a1d9d2b9440b1a33370302895edbf43b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a1d9d2b9440b1a33370302895edbf43b.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 348
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/520-56-0x0000000000000000-mapping.dmp
- memory/520-57-0x0000000076731000-0x0000000076733000-memory.dmp (Filesize: 8KB)
- memory/520-58-0x0000000000600000-0x0000000000601000-memory.dmp (Filesize: 4KB)
- memory/860-54-0x0000000000360000-0x0000000000393000-memory.dmp (Filesize: 204KB)
- memory/860-55-0x00000000003A0000-0x00000000003DC000-memory.dmp (Filesize: 240KB)