Analysis
-
max time kernel
150s
-
max time network
151s
-
platform
windows7_x64
-
resource
win7-en-20211208
-
submitted
08-01-2022 13:01
Static task
static1
Behavioral task
behavioral1
Sample
a88e83a8808d0978892705e0db49b784.exe.vir.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
a88e83a8808d0978892705e0db49b784.exe.vir.exe
Resource
win10-en-20211208
General
-
Target
a88e83a8808d0978892705e0db49b784.exe.vir.exe
-
Size
19KB
-
MD5
a88e83a8808d0978892705e0db49b784
-
SHA1
4f98927d80bc29e7dcc5db96ea772fc260084cf6
-
SHA256
6c737ddbc304760111281fc03f544a9fa7529f15c85241f57cfae9fce79c5856
-
SHA512
1d2da9c21c870e4b4e4cb66fadc14930868d9f0f83fcb318258b8aba99f5fb969ee2bbeab21df50e94d57e4fd1824357fec06631b65208f8b2326f57d6e2cf1c
Malware Config
Extracted
cobaltstrike
http://www.fscoode.xyz:2083/dJeJ
-
user_agent
User-Agent: Mozilla/5.0 (Trident/7.0; LCJB; rv:11.0) Iike Gecko
Extracted
cobaltstrike
0
http://www.fscoode.xyz:2083/access/
-
access_type
512
-
beacon_type
2048
-
host
www.fscoode.xyz,/access/
-
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAeR2V0Q29udGVudEZlYXR1cmVzLkRMTkEuT1JHOiAxAAAACgAAAEhDb29raWU6ICBfX3V0bWE9MjEwMDc3NjIyLjE3MzI0Mzk5OTUuMTQzMzIwMTQ2Mi4xNDAzMjA0MzcyLjEzODUyMDI0OTMuMjsAAAAJAAAACXZlcnNpb249NAAAAAkAAAAObGlkPTE1ODI1MDI3MjQAAAAHAAAAAAAAAAgAAAAFAAAABXRva2VuAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
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
-
http_method1
GET
-
http_method2
POST
-
jitter
5376
-
polling_time
1000
-
port_number
2083
-
sc_process32
%windir%\syswow64\WerFault.exe
-
sc_process64
%windir%\sysnative\WerFault.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDbpXVpOkYGrwsZZkZJfk9eJ2rNap4IcIBRhWbvHtYFQGqn4wznr9nvbZsofxNRHuPEjC4Gouxd5h/c/TiROj9uKeeNcPEYtlSOFDmFw2QbJWxG02IC/Iu4GTNgT37h+cvgPU/MXFTu3VCC6Bv4iMzcebXCVogqbLzo32i1TZQ8vwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
1.4764032e+09
-
unknown2
AAAABAAAAAgAAAACAAAAEAAAAAIAAAAQAAAAAgAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/radio/xmlrpc/v35
-
user_agent
Mozilla/5.0 (Trident/7.0; LCJB; rv:11.0) Iike Gecko
-
watermark
0
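The following is an added example, not part of the sandbox report and not Triage's or Cobalt Strike's code. It shows how the values in the Malware Config section are recovered from a beacon and what the http_header1 blob means. A beacon config is a list of entries (big-endian u16 index, u16 type, u16 length, then the value; type 1 is a short, 2 an int, 3 raw data) XOR-obfuscated with a single byte (0x69 for 3.x builds, 0x2e for 4.x), so a parser finds it by searching for the obfuscated form of the first entry (setting 1, type 1, length 2) rather than at a fixed offset. The http-get and http-post client programs stored inside it are sequences of big-endian u32 opcodes, each followed by a length-prefixed string or a u32 where the opcode takes one; the opcode table used below is the publicly documented one. The config bytes in SAMPLE_ENCODED are constructed for this example from the report's values (port, polling time, host, user agent, POST URI, spawnto); HTTP_GET_PROGRAM is the report's http_header1 value with its trailing zero padding trimmed, placed under setting 12, the http-get client program. Decoding it gives the three constant headers, the constant parameters version=4 and lid=1582502724, then build metadata, netbios-encode, parameter token: the beacon's check-in is GET /access/?version=4&lid=1582502724&token=<netbios(metadata)> with those headers.

```python
"""Recover a Cobalt Strike beacon config and decode its http-get client program.
Added example, not code from the report, Triage or Cobalt Strike. SAMPLE_ENCODED is
CONSTRUCTED from the report's values; HTTP_GET_PROGRAM is the report's http_header1
value with its trailing zero padding trimmed."""
import base64
import struct

SETTING_NAMES = {1: "beacon_type", 2: "port", 3: "sleeptime", 5: "jitter",
                 7: "public_key", 8: "c2_server", 9: "user_agent", 10: "http_post_uri",
                 12: "http_get_program", 13: "http_post_program",
                 29: "spawnto_x86", 30: "spawnto_x64", 37: "watermark"}
PROGRAM_SETTINGS = {12, 13}          # left as raw bytes for parse_transform()
TRANSFORM_OPS = {1: "append", 2: "prepend", 3: "base64", 4: "print", 5: "parameter",
                 6: "header", 7: "build", 8: "netbios", 9: "const_parameter",
                 10: "const_header", 11: "netbiosu", 12: "uri_append", 13: "base64url",
                 14: "strrep", 15: "mask", 16: "hostheader"}
STRING_ARGS = {1: 1, 2: 1, 5: 1, 6: 1, 9: 1, 10: 1, 14: 2, 16: 1}  # u32-length-prefixed strings
INT_ARGS = {7}                       # build: u32 0 = metadata, 1 = output


def parse_transform(blob):
    """Decode a transform program into (opname, *args) tuples; opcode 0 ends it."""
    steps, off = [], 0
    while off + 4 <= len(blob):
        (op,) = struct.unpack_from(">I", blob, off)
        off += 4
        if op == 0:
            break
        if op not in TRANSFORM_OPS:
            raise ValueError(f"unknown transform opcode {op} at offset {off - 4}")
        args = []
        for _ in range(STRING_ARGS.get(op, 0)):
            (n,) = struct.unpack_from(">I", blob, off)
            args.append(blob[off + 4:off + 4 + n].decode("latin-1"))
            off += 4 + n
        if op in INT_ARGS:
            args.append(struct.unpack_from(">I", blob, off)[0])
            off += 4
        steps.append((TRANSFORM_OPS[op], *args))
    return steps


def decode_config(memory):
    """Find the XOR-obfuscated config in a memory image; return (settings, xor_key)."""
    first_entry = b"\x00\x01\x00\x01\x00\x02"      # setting 1, type short, length 2
    for key in (0x2E, 0x69):
        start = memory.find(bytes(b ^ key for b in first_entry))
        if start != -1:
            break
    else:
        raise ValueError("no beacon config found")
    raw = bytes(b ^ key for b in memory[start:])
    settings, off = {}, 0
    while off + 6 <= len(raw):
        idx, typ, length = struct.unpack_from(">HHH", raw, off)
        off += 6
        if idx == 0:                                 # end of the settings list
            break
        value = raw[off:off + length]
        off += length
        if typ == 1:
            value = struct.unpack(">H", value)[0]
        elif typ == 2:
            value = struct.unpack(">I", value)[0]
        elif idx not in PROGRAM_SETTINGS:
            value = value.rstrip(b"\x00").decode("latin-1")
        settings[SETTING_NAMES.get(idx, f"setting_{idx}")] = value
    return settings, key


def _entry(idx, typ, value):
    """Encode one config entry (used only to build the constructed sample)."""
    data = struct.pack(">H", value) if typ == 1 else struct.pack(">I", value) if typ == 2 else value
    return struct.pack(">HHH", idx, typ, len(data)) + data


HTTP_GET_PROGRAM = base64.b64decode(
    "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAeR2V0Q29udGVudEZlYXR1cmVzLkRMTkEuT1JHOiAx"
    "AAAACgAAAEhDb29raWU6ICBfX3V0bWE9MjEwMDc3NjIyLjE3MzI0Mzk5OTUuMTQzMzIwMTQ2Mi4x"
    "NDAzMjA0MzcyLjEzODUyMDI0OTMuMjsAAAAJAAAACXZlcnNpb249NAAAAAkAAAAObGlkPTE1ODI1"
    "MDI3MjQAAAAHAAAAAAAAAAgAAAAFAAAABXRva2VuAAAAAAAA")

SAMPLE_ENCODED = bytes(b ^ 0x2E for b in (            # constructed, 4.x-style key
    b"unrelated bytes before the config"
    + _entry(1, 1, 0) + _entry(2, 1, 2083) + _entry(3, 2, 1000)
    + _entry(8, 3, b"www.fscoode.xyz,/access/".ljust(256, b"\x00"))
    + _entry(9, 3, b"Mozilla/5.0 (Trident/7.0; LCJB; rv:11.0) Iike Gecko".ljust(128, b"\x00"))
    + _entry(10, 3, b"/radio/xmlrpc/v35".ljust(64, b"\x00"))
    + _entry(12, 3, HTTP_GET_PROGRAM.ljust(256, b"\x00"))
    + _entry(29, 3, b"%windir%\\syswow64\\WerFault.exe".ljust(64, b"\x00"))
    + _entry(37, 2, 0) + b"\x00" * 6))


def describe(memory=SAMPLE_ENCODED):
    """Return (settings, http-get program steps) for a memory image."""
    settings, _ = decode_config(memory)
    return settings, parse_transform(settings["http_get_program"])


if __name__ == "__main__":
    cfg, program = describe()
    for name, val in cfg.items():
        shown = val if not isinstance(val, bytes) else f"<{len(val)} bytes>"
        print(f"{name} = {shown}")
    for step in program:
        print("  http-get:", *step)
```

Against a real sample, feed decode_config() the dumped memory of the injected process (the 216KB region listed under Downloads for PID 1104 is the kind of dump to try) instead of the constructed blob; the magic search is the same. The base64 value the report labels state_machine is a DER SubjectPublicKeyInfo (the MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ prefix is a 1024-bit RSA key), which in this layout is setting 7, the key the beacon uses to encrypt its session key inside the metadata.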
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
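Added example, not part of the sandbox report: turning the extracted C2 profile into a check over proxy logs. The host, port, URIs and User-Agent are the report's; the version/lid/token query shape follows from the http-get program in http_header1 (netbios encoding maps each metadata byte to two lowercase letters a..p). The log lines are constructed in a simplified "timestamp client method url user-agent" layout so the check runs offline.

```python
"""Flag proxy-log requests that match the C2 profile extracted above.
Added example; not code from the sandbox report. Indicators come from the
Malware Config section; SAMPLE_LOG is CONSTRUCTED."""
import re
from urllib.parse import parse_qs, urlsplit

C2_HOST = "www.fscoode.xyz"
C2_PORT = 2083
C2_PATHS = {"/dJeJ", "/access/", "/radio/xmlrpc/v35"}   # stager, http-get, http-post
# Genuine IE11 sends "like Gecko"; this profile spells it with a capital I. That
# typo survives the operator rotating domains and ports, the host name does not.
C2_UA = "Mozilla/5.0 (Trident/7.0; LCJB; rv:11.0) Iike Gecko"
UA_TYPO = "Iike Gecko"
# netbios transform: one byte -> two letters in a..p, so even length, [a-p] only
NETBIOS_RE = re.compile(r"^(?:[a-p]{2})+$")

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$')


def classify(line):
    """Return the indicator names a line matches ([] = clean, None = unparsable)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    url = urlsplit(m["url"])
    hits = []
    if url.hostname == C2_HOST:
        hits.append("c2_host")
    if url.port == C2_PORT:
        hits.append("c2_port")
    if url.path in C2_PATHS:
        hits.append("c2_path")
    if m["ua"] == C2_UA:
        hits.append("c2_user_agent")
    elif UA_TYPO in m["ua"]:
        hits.append("ua_typo")
    # Shape of the http-get program: ?version=4&lid=...&token=<netbios(metadata)>
    query = parse_qs(url.query)
    token = query.get("token", [""])[0]
    if query.get("version") == ["4"] and "lid" in query and NETBIOS_RE.match(token):
        hits.append("c2_get_shape")
    return hits


def scan(lines):
    """Return [(line, hits)] for every line that matched at least one indicator."""
    return [(line, hits) for line in lines if (hits := classify(line))]


SAMPLE_LOG = [  # constructed; the fourth line is the same profile on other infrastructure
    '2022-01-08T13:01:12Z 10.0.0.5 GET http://www.fscoode.xyz:2083/dJeJ "Mozilla/5.0 (Trident/7.0; LCJB; rv:11.0) Iike Gecko"',
    '2022-01-08T13:01:14Z 10.0.0.5 GET http://www.fscoode.xyz:2083/access/?version=4&lid=1582502724&token=abcdefghijklmnop "Mozilla/5.0 (Trident/7.0; LCJB; rv:11.0) Iike Gecko"',
    '2022-01-08T13:01:15Z 10.0.0.5 POST http://www.fscoode.xyz:2083/radio/xmlrpc/v35 "Mozilla/5.0 (Trident/7.0; LCJB; rv:11.0) Iike Gecko"',
    '2022-01-08T13:02:00Z 10.0.0.7 GET http://203.0.113.9/access/?version=4&lid=99&token=ppaakkbb "Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) Iike Gecko"',
    '2022-01-08T13:02:30Z 10.0.0.9 GET http://www.example.com/index.html "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"',
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG):
        print(", ".join(hits), "<-", line.split(" ", 3)[3].split(' "')[0])
```

The durable signals are ua_typo and c2_get_shape, which match the fourth constructed line even though its host and port differ; c2_host and c2_port alone tie the rule to this one piece of infrastructure.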
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes (pid, process):
1588, a88e83a8808d0978892705e0db49b784.exe.vir.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes (description, pid, process, target process):
PID 1588 wrote to memory of 1104, 1588, a88e83a8808d0978892705e0db49b784.exe.vir.exe, WerFault.exe
PID 1588 wrote to memory of 1104, 1588, a88e83a8808d0978892705e0db49b784.exe.vir.exe, WerFault.exe
PID 1588 wrote to memory of 1104, 1588, a88e83a8808d0978892705e0db49b784.exe.vir.exe, WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a88e83a8808d0978892705e0db49b784.exe.vir.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\a88e83a8808d0978892705e0db49b784.exe.vir.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
    C:\Windows\system32\WerFault.exe (depth 2, child of the sample above)
    Command line: C:\Windows\system32\WerFault.exe
Network
MITRE ATT&CK Matrix
Downloads
-
memory/1104-57-0x0000000000000000-mapping.dmp
-
memory/1104-59-0x00000000001E0000-0x0000000000216000-memory.dmp (Filesize 216KB)
-
memory/1104-60-0x0000000000060000-0x0000000000091000-memory.dmp (Filesize 196KB)
-
memory/1588-54-0x0000000000020000-0x0000000000021000-memory.dmp (Filesize 4KB)
-
memory/1588-55-0x000007FEFBC11000-0x000007FEFBC13000-memory.dmp (Filesize 8KB)
-
memory/1588-56-0x0000000004260000-0x0000000004660000-memory.dmp (Filesize 4.0MB)