Analysis
max time kernel: 28s
max time network: 32s
platform: windows10_x64
resource: win10-en-20211208
submitted: 22-01-2022 12:07
Static task: static1
Behavioral task: behavioral1
  Sample: 333dedd9aa08687b59a8391c6837674a1f136cc1eff545e9459c6398a6b40925.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 333dedd9aa08687b59a8391c6837674a1f136cc1eff545e9459c6398a6b40925.exe
  Resource: win10-en-20211208
General
Target: 333dedd9aa08687b59a8391c6837674a1f136cc1eff545e9459c6398a6b40925.exe
Size: 321KB
MD5: 82630f6faa5acc2c7ff75cb395436a12
SHA1: 71c0f210fb400eef6e302abbc67d1f37af1cc4c1
SHA256: 333dedd9aa08687b59a8391c6837674a1f136cc1eff545e9459c6398a6b40925
SHA512: d00b292259d336cdb4c3eb565589757d3fb354d41ac77b22575a2561f33d39aeae4809c90de82c53b75aafa9aa54ac08ef141f358cc83f157fb2dea4bf2372a7
Malware Config
Extracted: cobaltstrike
http://212.129.249.163:443/jquery-3.3.2.slim.min.js
user_agent: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Host: baidu.comswhiwcnja.top Referer: http://code.jquery.com/ Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
Signatures
Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
Suspicious use of NtCreateProcessExOtherParentProcess (1 IoCs)
  Processes:
  description | pid | process | target process
  PID 4364 created 344 | 4364 | WerFault.exe | 333dedd9aa08687b59a8391c6837674a1f136cc1eff545e9459c6398a6b40925.exe
Program crash (1 IoCs)
  Processes:
  pid | pid_target | process | target process
  4364 | 344 | WerFault.exe | 333dedd9aa08687b59a8391c6837674a1f136cc1eff545e9459c6398a6b40925.exe
Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes:
  pid | process
  4364 | WerFault.exe (the same entry is listed 12 times)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 4364 | WerFault.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\333dedd9aa08687b59a8391c6837674a1f136cc1eff545e9459c6398a6b40925.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\333dedd9aa08687b59a8391c6837674a1f136cc1eff545e9459c6398a6b40925.exe"
   2. C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 344 -s 964
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
memory/344-115-0x0000013D47110000-0x0000013D47111000-memory.dmp
  Filesize: 4KB