Analysis
- Max time kernel: 150s
- Max time network: 156s
- Platform: windows7_x64
- Resource: win7-20220414-en
- Submitted: 08-07-2022 06:21

Static task: static1

Behavioral task: behavioral1
- Sample: d9e963c0f84f253b9d9bca968153a823fb1f4a749e707e4f49ec48b1c6da2817.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: d9e963c0f84f253b9d9bca968153a823fb1f4a749e707e4f49ec48b1c6da2817.exe
- Resource: win10v2004-20220414-en

General
- Target: d9e963c0f84f253b9d9bca968153a823fb1f4a749e707e4f49ec48b1c6da2817.exe
- Size: 5.0MB
- MD5: 32400e7fd0ed98be8dca035611cc1792
- SHA1: 634174959969eb7660250a7732d5d5fddbf39f0d
- SHA256: d9e963c0f84f253b9d9bca968153a823fb1f4a749e707e4f49ec48b1c6da2817
- SHA512: 8014ed8a4eeeb49fe432836f68e852b1cd34c06e9e4acee9603af58d9fd64de26ddbbcbca62e575968b5aeb7e92ed868c9399a99cc4ea5f33cc81eb1533398e3

Malware Config
Extracted: cobaltstrike 0
- watermark: 0
Signatures
- Cobaltstrike: Detected malicious payload which is part of Cobaltstrike.
- suricata: ET MALWARE Successful Cobalt Strike Shellcode Download (x64) M1
- Loads dropped DLL (13 IoCs)
  Processes: PID 2004 d9e963c0f84f253b9d9bca968153a823fb1f4a749e707e4f49ec48b1c6da2817.exe (13 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: Token: 35, PID 2004 d9e963c0f84f253b9d9bca968153a823fb1f4a749e707e4f49ec48b1c6da2817.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: PID 1096 d9e963c0f84f253b9d9bca968153a823fb1f4a749e707e4f49ec48b1c6da2817.exe wrote to memory of PID 2004 d9e963c0f84f253b9d9bca968153a823fb1f4a749e707e4f49ec48b1c6da2817.exe (3 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\d9e963c0f84f253b9d9bca968153a823fb1f4a749e707e4f49ec48b1c6da2817.exe (command line: "C:\Users\Admin\AppData\Local\Temp\d9e963c0f84f253b9d9bca968153a823fb1f4a749e707e4f49ec48b1c6da2817.exe")
   - Suspicious use of WriteProcessMemory
2. (child of 1) C:\Users\Admin\AppData\Local\Temp\d9e963c0f84f253b9d9bca968153a823fb1f4a749e707e4f49ec48b1c6da2817.exe (command line: "C:\Users\Admin\AppData\Local\Temp\d9e963c0f84f253b9d9bca968153a823fb1f4a749e707e4f49ec48b1c6da2817.exe")
   - Loads dropped DLL
   - Suspicious use of AdjustPrivilegeToken
Downloads