General
-
Target
42c0b7865a97c5bdf243a9fa8a57a622140eaecb52d831aa2f3141a18619ff7f
-
Size
3.0MB
-
Sample
220704-kc9s2afffq
-
MD5
83d7f0fe8d269f04c7665c0b6cbb8ada
-
SHA1
902921743f59ff19eeb395d2618ef5addeac62fd
-
SHA256
42c0b7865a97c5bdf243a9fa8a57a622140eaecb52d831aa2f3141a18619ff7f
-
SHA512
c51cc2f1779bc9fd659cda5524464098fa19dd86910d7a23b4353d944e5dbe56ba43314ecb9b6352b9614e7f43f76d7b61fe60bf5a5c4889ac264dd8a7f845eb
Static task
static1
Behavioral task
behavioral1
Sample
42c0b7865a97c5bdf243a9fa8a57a622140eaecb52d831aa2f3141a18619ff7f.msi
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
42c0b7865a97c5bdf243a9fa8a57a622140eaecb52d831aa2f3141a18619ff7f.msi
Resource
win10v2004-20220414-en
Malware Config
Extracted
cobaltstrike
305419896
http://47.111.170.180:8888/load
-
access_type
512
-
host
47.111.170.180,/load
-
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
maxdns
255
-
polling_time
60000
-
port_number
8888
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCepxWkRvKff9aSr8NJNjICKAfOAkCwiFfvggEjm6rsOd85r6J2MO/aflKXRMu6HUJ7YdYYiTR4AqWEq0crzforQfGXDqJ355NO17M/jGAEtdClSmPsH/w3g3OgnEq4mk086l68Kw0uE3i/neDyRh+nRllGEVlzNToWUJqwR2asBQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/submit.php
-
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
-
watermark
305419896
Extracted
cobaltstrike
0
-
watermark
0
Targets
-
-
Target
42c0b7865a97c5bdf243a9fa8a57a622140eaecb52d831aa2f3141a18619ff7f
-
Size
3.0MB
-
MD5
83d7f0fe8d269f04c7665c0b6cbb8ada
-
SHA1
902921743f59ff19eeb395d2618ef5addeac62fd
-
SHA256
42c0b7865a97c5bdf243a9fa8a57a622140eaecb52d831aa2f3141a18619ff7f
-
SHA512
c51cc2f1779bc9fd659cda5524464098fa19dd86910d7a23b4353d944e5dbe56ba43314ecb9b6352b9614e7f43f76d7b61fe60bf5a5c4889ac264dd8a7f845eb
Score10/10-
Blocklisted process makes network request
-
Executes dropped EXE
-
Loads dropped DLL
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory
-