Analysis
-
max time kernel
122s -
max time network
126s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
24-01-2022 00:09
Static task
static1
Behavioral task
behavioral1
Sample
f0c21480a5ebde8ed2e9e91a1ad7e0a83419155aeeb36c1423a09c86becb62fb.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
f0c21480a5ebde8ed2e9e91a1ad7e0a83419155aeeb36c1423a09c86becb62fb.exe
Resource
win10-en-20211208
General
-
Target
f0c21480a5ebde8ed2e9e91a1ad7e0a83419155aeeb36c1423a09c86becb62fb.exe
-
Size
746KB
-
MD5
b79ac58a4abd87d445670ed97c0a4061
-
SHA1
7678e142c4d455a2861ef774f5706452af41d02d
-
SHA256
f0c21480a5ebde8ed2e9e91a1ad7e0a83419155aeeb36c1423a09c86becb62fb
-
SHA512
ec292db908ae43069bf208ac533fc934c45587a88ec832ac7faffb17177d6ce94ee4949b3c4b3286fb31becf1646b800f68d6ce74d7d2efb3c9769856bc504b6
Malware Config
Extracted
cobaltstrike
426352781
http://download.windows-microsoft-en.com:443/cms/api/am/checkLogin
-
access_type
512
-
beacon_type
2048
-
host
download.windows-microsoft-en.com,/cms/api/am/checkLogin
-
http_header1
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
-
http_header2
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
-
http_method1
GET
-
http_method2
POST
-
jitter
7680
-
polling_time
35000
-
port_number
443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCOHTBHY2KE5J117W1CYAndtVOlmc/TGjF120dd15v49sKCevreY6O/rmDcr1rg8XJj+N4Iu43lIHosgrPhfxGMSecKChWYmL8lHHXP+jRMl725S0S0lF/Ns+95RkyXFh56yTdS5ziRvsAj1iO6QSwzEz2RnYeGAtxTUVIVCI6qKwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
3.109360896e+09
-
unknown2
AAAABAAAAAEAAAA5AAAAAgAAACgAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/cms/api/am/checkLoginState
-
user_agent
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
-
watermark
426352781
Signatures
-
Cobaltstrike
Detected a malicious payload that is part of Cobalt Strike.