Analysis
- max time kernel: 148s
- max time network: 148s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 12-01-2022 17:40
Static task: static1
Behavioral task: behavioral1 (Sample: Ayfaga3.exe, Resource: win7-en-20211208)
Behavioral task: behavioral2 (Sample: Ayfaga3.exe, Resource: win10-en-20211208)
General
- Target: Ayfaga3.exe
- Size: 389KB
- MD5: d053d4cd461951966e47ea44d28b42f8
- SHA1: 1ec4ce0b1379f951bc0fafcee15ac0945ab1beac
- SHA256: 94053dfbc06bc7124129dd51fabf67f7f3738109d6dc11d0b4bb785f0e93c0b6
- SHA512: f132082ae13457c92a8b44bcd4bfb81bc07cb62e52a6ec89d6c17867a50bc0227f5ca4d813d516a446d9a6d1ec20ed69e611f8d44333916d0209ad7864217df3
Malware Config
Extracted
- Family: cobaltstrike
- Botnet: 1580103824
- C2: http://104.168.44.45:443/ptj
Attributes
- access_type: 512
- beacon_type: 2048
- host: 104.168.44.45,/ptj
- http_header1: AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
- http_header2: AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
- http_method1: GET
- http_method2: POST
- polling_time: 60000
- port_number: 443
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnCZHWnYFqYB/6gJdkc4MPDTtBJ20nkEAd3tsY4tPKs8MV4yIjJb5CtlrbKHjzP1oD/1AQsj6EKlEMFIKtakLx5+VybrMYE+dDdkDteHmVX0AeFyw001FyQVlt1B+OSNPRscKI5sh1L/ZdwnrMy6S6nNbQ5N5hls6k2kgNO5nQ7QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 4096
- unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /submit.php
- user_agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)
- watermark: 1580103824
Signatures
- Cobaltstrike: Detected malicious payload which is part of Cobaltstrike.
- Runs net.exe
- Suspicious use of AdjustPrivilegeToken (26 IoCs)
  Processes:
  description              pid   process
  Token: SeDebugPrivilege  4556  whoami.exe
  Token: SeDebugPrivilege  4556  whoami.exe
  Token: SeDebugPrivilege  4556  whoami.exe
  Token: SeDebugPrivilege  4556  whoami.exe
  Token: SeDebugPrivilege  4556  whoami.exe
  Token: SeDebugPrivilege  4556  whoami.exe
  Token: SeDebugPrivilege  4556  whoami.exe
  Token: SeDebugPrivilege  4556  whoami.exe
  Token: SeDebugPrivilege  4556  whoami.exe
  Token: SeDebugPrivilege  4556  whoami.exe
  Token: SeDebugPrivilege  4556  whoami.exe
  Token: SeDebugPrivilege  4556  whoami.exe
  Token: SeDebugPrivilege  4556  whoami.exe
  Token: SeDebugPrivilege  4556  whoami.exe
  Token: SeDebugPrivilege  4556  whoami.exe
  Token: SeDebugPrivilege  4556  whoami.exe
  Token: SeDebugPrivilege  4556  whoami.exe
  Token: SeDebugPrivilege  4556  whoami.exe
  Token: SeDebugPrivilege  4556  whoami.exe
  Token: SeDebugPrivilege  4556  whoami.exe
  Token: SeDebugPrivilege  4556  whoami.exe
  Token: SeDebugPrivilege  4556  whoami.exe
  Token: SeDebugPrivilege  4556  whoami.exe
  Token: SeDebugPrivilege  4556  whoami.exe
  Token: SeDebugPrivilege  4556  whoami.exe
  Token: SeDebugPrivilege  4556  whoami.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  description                       pid   process      target process
  PID 3376 wrote to memory of 4556  3376  Ayfaga3.exe  whoami.exe
  PID 3376 wrote to memory of 4556  3376  Ayfaga3.exe  whoami.exe
  PID 3376 wrote to memory of 5000  3376  Ayfaga3.exe  cmd.exe
  PID 3376 wrote to memory of 5000  3376  Ayfaga3.exe  cmd.exe
  PID 5000 wrote to memory of 424   5000  cmd.exe      net.exe
  PID 5000 wrote to memory of 424   5000  cmd.exe      net.exe
  PID 424 wrote to memory of 740    424   net.exe      net1.exe
  PID 424 wrote to memory of 740    424   net.exe      net1.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\Ayfaga3.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Ayfaga3.exe"
      - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SYSTEM32\whoami.exe
        Command line: whoami /groups
        - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /C net group "domain admins" /domain
        - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net.exe
          Command line: net group "domain admins" /domain
          - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\net1.exe
            Command line: C:\Windows\system32\net1 group "domain admins" /domain
Downloads
- memory/424-346-0x0000000000000000-mapping.dmp
- memory/740-347-0x0000000000000000-mapping.dmp
- memory/3376-115-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-116-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-118-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-119-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-117-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-121-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-120-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-122-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-123-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-125-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-126-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-127-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-128-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-124-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-129-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-130-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-131-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-132-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-134-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-133-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-135-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-137-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-136-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-138-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-139-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-140-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-141-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-142-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-143-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-144-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-145-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-146-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-147-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-148-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-149-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-150-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-151-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-152-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-153-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-154-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-155-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-156-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-157-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-158-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-159-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-160-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-162-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-161-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-163-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-164-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-165-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-166-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-173-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-174-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-172-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-175-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-171-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-170-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-169-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-168-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-167-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-177-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-176-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-178-0x00007FFC0C0D0000-0x00007FFC0C0D1000-memory.dmp (Filesize: 4KB)
- memory/3376-342-0x0000024292E40000-0x0000024292E81000-memory.dmp (Filesize: 260KB)
- memory/3376-343-0x0000024292E90000-0x0000024292EDE000-memory.dmp (Filesize: 312KB)
- memory/4556-344-0x0000000000000000-mapping.dmp
- memory/5000-345-0x0000000000000000-mapping.dmp