Analysis
max time kernel: 4294179s
max time network: 122s
platform: windows7_x64
resource: win7-20220311-en
submitted: 31-03-2022 14:13
Static task: static1
Behavioral task: behavioral1
  Sample: beacon.exe
  Resource: win7-20220311-en
Behavioral task: behavioral2
  Sample: beacon.exe
  Resource: win10v2004-en-20220113
General
Target: beacon.exe
Size: 14KB
MD5: 2d0e28316e3f60de63654609f3a1b297
SHA1: 99e64215ea6f3027dc1928ac26443953c8f5294d
SHA256: 8c8b4cd6f149a3b9cfaeb11f49d8748233731be028b8e9ad9b3f8d0c3987cfc8
SHA512: 481bd8ff670f2e637d4678e37927e2c76d7dd35a6034ced40b5b62c60d082951740874fc58743002c61d5cebfaec508f983c3dd7cddad8ed711d97e9ae12d713
Malware Config
Extracted: cobaltstrike
http://qb.awotj.com:80/pacom003/ST/CSo0w1j8/d/2376/lo2c.htm
user_agent: Accept: */* Connection: Keep-Alive Cache-Control: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.177 Host: qb.awotj.com
Extracted: cobaltstrike
1
http://qb.awotj.com:80/pacom003/_layouts/Wopi/01554532-64bc-45ee-9645-512577ae642d
access_type: 512
host: qb.awotj.com,/pacom003/_layouts/Wopi/01554532-64bc-45ee-9645-512577ae642d
http_method1: GET
http_method2: POST
jitter: 7680
polling_time: 5500
port_number: 80
sc_process32: %windir%\syswow64\w32tm.exe
sc_process64: %windir%\sysnative\w32tm.exe
unknown1: 1.515525376e+09
uri: /pacom003/person/ithelp/bug/list
user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.177
watermark: 1
Signatures
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
suricata: ET MALWARE Successful Cobalt Strike Shellcode Download (x64) M1
Blocklisted process makes network request (1 IoC)
  Processes: rundll32.exe
  flow 5, pid 1476, process rundll32.exe
Suspicious use of SetThreadContext (1 IoC)
  Processes: rundll32.exe
  PID 1476 (rundll32.exe) set thread context of PID 700 (w32tm.exe)
Program crash (1 IoC)
  Processes: WerFault.exe
  pid 840 (WerFault.exe), target pid 700 (w32tm.exe)
Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: beacon.exe, rundll32.exe, w32tm.exe
  PID 1604 (beacon.exe) wrote to memory of PID 1476 (rundll32.exe), 4 times
  PID 1476 (rundll32.exe) wrote to memory of PID 700 (w32tm.exe), 4 times
  PID 700 (w32tm.exe) wrote to memory of PID 840 (WerFault.exe), 3 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\beacon.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\beacon.exe"
   - Suspicious use of WriteProcessMemory
  2. C:\Windows\System32\rundll32.exe
     Command line: "C:\Windows\System32\rundll32.exe"
     - Blocklisted process makes network request
     - Suspicious use of SetThreadContext
     - Suspicious use of WriteProcessMemory
    3. C:\Windows\system32\w32tm.exe
       Command line: C:\Windows\system32\w32tm.exe
       - Suspicious use of WriteProcessMemory
      4. C:\Windows\system32\WerFault.exe
         Command line: C:\Windows\system32\WerFault.exe -u -p 700 -s 140
         - Program crash
Downloads
memory/700-64-0x00000000000E0000-0x0000000000111000-memory.dmp  Filesize: 196KB
memory/700-67-0x00000000000E0000-mapping.dmp
memory/700-66-0x00000000000E0000-0x0000000000111000-memory.dmp  Filesize: 196KB
memory/840-68-0x0000000000000000-mapping.dmp
memory/1476-61-0x0000000001CC0000-0x0000000001D0E000-memory.dmp  Filesize: 312KB
memory/1476-60-0x0000000001CC0000-0x0000000001D0E000-memory.dmp  Filesize: 312KB
memory/1476-62-0x0000000002BA0000-0x0000000002FA0000-memory.dmp  Filesize: 4.0MB
memory/1476-63-0x0000000002190000-0x00000000021A9000-memory.dmp  Filesize: 100KB
memory/1476-59-0x000007FEFBF51000-0x000007FEFBF53000-memory.dmp  Filesize: 8KB
memory/1476-57-0x0000000000000000-mapping.dmp
memory/1476-55-0x0000000000060000-0x0000000000061000-memory.dmp  Filesize: 4KB
memory/1476-69-0x00000000020F0000-0x0000000002105000-memory.dmp  Filesize: 84KB
memory/1604-54-0x000000013F600000-0x000000013F608000-memory.dmp  Filesize: 32KB
memory/1604-58-0x00000000023C0000-0x00000000023C2000-memory.dmp  Filesize: 8KB