Analysis
max time kernel: 162s
max time network: 170s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
submitted: 25-08-2022 06:22
Static task: static1
Behavioral task: behavioral1 (the run this report covers, per the platform and resource above)
  Sample: 2d1d71f05b0ab72e85c649e04f4c78f3007741649b9910be4266fde74504456d.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 2d1d71f05b0ab72e85c649e04f4c78f3007741649b9910be4266fde74504456d.exe
  Resource: win10v2004-20220812-en
General
Target: 2d1d71f05b0ab72e85c649e04f4c78f3007741649b9910be4266fde74504456d.exe
Size: 511KB
MD5: 7b3c8a33a8607c3b1cabd24ba83a9876
SHA1: 70a9605990488445f8ae5836b5c92819f93d6355
SHA256: 2d1d71f05b0ab72e85c649e04f4c78f3007741649b9910be4266fde74504456d
SHA512: 3c71c27fa650c64a1b10220c5bdc42031a3426745f9a4bfbd128fd4dd7e31098c1049884e977a9b2f52f772229fc94ba44781525cade627ce562a6b663cc6c6c
SSDEEP: 6144:IeiRWoGu79mhdLRYxJbFP23zKx8t52aXbJdXv+4wNaS:F/oOhdLEwjKx8t52aLJd/3wNaS
Malware Config
Extracted config
  family: cobaltstrike
  watermark: 1359593325
  C2: http://124.71.184.251:6751/owa/ (the /owa/ path imitates Outlook Web Access)
access_type: 512
host: 124.71.184.251,/owa/
http_header1: 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
http_header2: 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
http_method1: GET
http_method2: GET
jitter: 5120 (Cobalt Strike expresses jitter as a percentage in the range 0-99, so this is the raw field value as the extractor read it, not a usable jitter percentage)
polling_time: 5000 (sleep between check-ins, in milliseconds, i.e. 5 s)
port_number: 6751
sc_process32: %windir%\syswow64\gpupdate.exe
sc_process64: %windir%\sysnative\gpupdate.exe
  (spawnto targets: post-exploitation jobs are run inside a sacrificial gpupdate.exe started with this path and no arguments; "sysnative" is the WoW64 alias for System32, so in process logs the 64-bit target appears as C:\Windows\System32\gpupdate.exe)
state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCgwZtr5WmRWGqXa6bxdqQDUmj+XU+vA4zK2b7Nfzq4qy143458ufxXidOMjoSLVP3BqyJgWamd0KYY7Yt3bDmFbWashi7f+OYdWpDNixd5AvcGOOzQhShEZ/0Uz8CG/gc99swyssnxs0YBg9Hka4Wh0ufxO89KSApuLegLE5i1/QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
  (label as emitted by the extractor; the content is a DER-encoded RSA SubjectPublicKeyInfo, the beacon's public key used to encrypt session metadata to the team server, followed by zero padding)
unknown1: 1448416512 (0x56551500; the extractor prints it as 1.448416512e+09)
unknown2: AAAABAAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown3: 1610612736 (0x60000000; printed as 1.610612736e+09)
uri: /OWA/ (note the case differs from the /owa/ in host; both are valid indicators)
user_agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)
  (no Chrome/Safari product tokens follow "(KHTML, like Gecko)", which real browsers always send; the truncated string is a usable network signature)
watermark: 1359593325
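The state_machine value above is worth decoding rather than treating as an opaque blob. The script below is an added example (it is not part of the report or of any config extractor): it base64-decodes the field, confirms the leading bytes form a DER SubjectPublicKeyInfo carrying an rsaEncryption key, extracts the modulus size and public exponent, checks that the remainder of the field is zero padding, and derives a SHA-256 fingerprint of the DER key that can be used to pivot on other beacons built for the same team server. It reads the DER length from the object's own header instead of assuming a fixed size, so the parse does not depend on the exact length of the padding. The base64 string is copied verbatim from the report.

```python
import base64
import hashlib
from typing import Dict, Tuple

# "state_machine" value from the extracted Cobalt Strike config, copied verbatim from the report.
STATE_MACHINE_B64 = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCgwZtr5WmRWGqXa6bxdqQDUmj+XU+vA4zK2b7Nfzq4qy143458ufxXidOMjoSLVP3BqyJgWamd0KYY7Yt3bDmFbWashi7f+OYdWpDNixd5AvcGOOzQhShEZ/0Uz8CG/gc99swyssnxs0YBg9Hka4Wh0ufxO89KSApuLegLE5i1/QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def read_tlv(buf: bytes, pos: int) -> Tuple[int, int, int]:
    """Minimal DER tag/length reader: returns (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def split_der_from_padding(b64: str) -> Tuple[bytes, str]:
    """Decode only the DER object at the front of the field, sized from its own header,
    and return the remaining base64 characters (the padding) untouched."""
    head = base64.b64decode(b64[:8])        # 6 bytes: enough to read the outer SEQUENCE header
    if head[0] != 0x30:
        raise ValueError("field does not start with a DER SEQUENCE")
    _, _, der_len = read_tlv(head, 0)       # object starts at 0, so value_end == total length
    b64_len = -(-der_len // 3) * 4          # base64 characters covering der_len bytes
    der = base64.b64decode(b64[:b64_len])[:der_len]
    return der, b64[b64_len:]


def parse_rsa_spki(der: bytes) -> Dict[str, int]:
    """Walk SubjectPublicKeyInfo -> AlgorithmIdentifier / BIT STRING -> RSAPublicKey {n, e}."""
    tag, p, end = read_tlv(der, 0)                       # SubjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30 or end != len(der):
        raise ValueError("bad SubjectPublicKeyInfo")
    _, alg_start, alg_end = read_tlv(der, p)             # AlgorithmIdentifier ::= SEQUENCE
    tag, oid_start, oid_end = read_tlv(der, alg_start)   # OBJECT IDENTIFIER
    if tag != 0x06 or der[oid_start:oid_end] != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bs_start, _ = read_tlv(der, alg_end)            # subjectPublicKey ::= BIT STRING
    if tag != 0x03 or der[bs_start] != 0x00:             # first octet = number of unused bits
        raise ValueError("unexpected BIT STRING encoding")
    _, seq_start, _ = read_tlv(der, bs_start + 1)        # RSAPublicKey ::= SEQUENCE { n, e }
    _, n_start, n_end = read_tlv(der, seq_start)         # modulus INTEGER (leading 0x00 allowed)
    _, e_start, e_end = read_tlv(der, n_end)             # publicExponent INTEGER
    n = int.from_bytes(der[n_start:n_end], "big")
    e = int.from_bytes(der[e_start:e_end], "big")
    return {"modulus_bits": n.bit_length(), "public_exponent": e}


def analyze_state_machine(b64: str = STATE_MACHINE_B64) -> Dict[str, object]:
    der, tail = split_der_from_padding(b64)
    info = parse_rsa_spki(der)
    return {
        **info,
        "der_len": len(der),
        # base64 'A' encodes six zero bits, so a tail of only 'A' (plus '=') is all-zero bytes
        "padding_is_zero": set(tail) <= {"A", "="},
        # fingerprint of the raw SPKI: beacons built on the same team server share this key
        "spki_sha256": hashlib.sha256(der).hexdigest(),
    }


if __name__ == "__main__":
    for key, value in analyze_state_machine().items():
        print(f"{key}: {value}")
```

The spki_sha256 value is the pivot: two samples with different C2 addresses but the same key were generated by the same team server installation.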
Signatures
Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
Executes dropped EXE (1 IoC)
  pid   process
  268   word.exe
Loads dropped DLL (2 IoCs)
  pid   process
  896   2d1d71f05b0ab72e85c649e04f4c78f3007741649b9910be4266fde74504456d.exe
  896   2d1d71f05b0ab72e85c649e04f4c78f3007741649b9910be4266fde74504456d.exe
Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  A thread was created with THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER, an anti-debugging measure that keeps the thread's events from being reported to an attached debugger.
  pid   process
  268   word.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox attaches "Likely ransomware behaviour" to this signature as generic text; nothing else in this report (no mass file writes, no ransom note, no encryption activity) supports a ransomware classification, and the extracted config identifies the payload as a Cobalt Strike beacon, so weight it as generic loader/beacon behaviour rather than as evidence of ransomware.
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid    process
  Token: SeDebugPrivilege  1492   whoami.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid    process                                                                  target process   events
  PID 896 wrote to memory of 268     896    2d1d71f05b0ab72e85c649e04f4c78f3007741649b9910be4266fde74504456d.exe    word.exe         3
  PID 268 wrote to memory of 1800    268    word.exe                                                                 cmd.exe          3
  PID 1800 wrote to memory of 1492   1800   cmd.exe                                                                  whoami.exe       3
  The same three-write pattern appears on the cmd.exe -> whoami.exe step, which is plain process creation, so these entries reflect the loader writing into each freshly created child and are not by themselves evidence of code injection.
Processes
C:\Users\Admin\AppData\Local\Temp\2d1d71f05b0ab72e85c649e04f4c78f3007741649b9910be4266fde74504456d.exe (PID 896)
  command line: "C:\Users\Admin\AppData\Local\Temp\2d1d71f05b0ab72e85c649e04f4c78f3007741649b9910be4266fde74504456d.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\programdata\word.exe (PID 268)
    command line: "C:\programdata\word.exe"
    - Executes dropped EXE
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe (PID 1800)
      command line: C:\Windows\system32\cmd.exe /C whoami
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\whoami.exe (PID 1492)
        command line: whoami
        - Suspicious use of AdjustPrivilegeToken
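The process tree above (a dropped word.exe under C:\programdata spawning cmd.exe /C whoami) together with the spawnto values in the extracted config gives two concrete detection opportunities. The script below is an added example, not part of the report or of any sandbox product: it runs two rules over constructed Sysmon-style process-creation events. The first four events reproduce the tree above (the explorer.exe parent of the sample is assumed); the two gpupdate.exe events and their PIDs 3012 and 3020 are hypothetical, added to exercise the spawnto rule, which looks for what sc_process32/sc_process64 would produce once a post-exploitation job runs. The user-writable directory list and the expected-parent list are assumptions to tune per environment.

```python
import ntpath
from typing import Any, Dict, List, Optional, Tuple

SAMPLE = "2d1d71f05b0ab72e85c649e04f4c78f3007741649b9910be4266fde74504456d.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = ntpath.join(TEMP, SAMPLE)

# Constructed events (Sysmon Event ID 1-style fields, trimmed). The first four mirror the
# report's process tree; PIDs 3012 and 3020 are hypothetical gpupdate.exe launches.
EVENTS: List[Dict[str, Any]] = [
    {"pid": 896, "image": SAMPLE_PATH, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": '"' + SAMPLE_PATH + '"'},
    {"pid": 268, "image": r"C:\programdata\word.exe", "parent_image": SAMPLE_PATH,
     "cmdline": r'"C:\programdata\word.exe"'},
    {"pid": 1800, "image": r"C:\Windows\system32\cmd.exe", "parent_image": r"C:\programdata\word.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /C whoami"},
    {"pid": 1492, "image": r"C:\Windows\system32\whoami.exe", "parent_image": r"C:\Windows\system32\cmd.exe",
     "cmdline": "whoami"},
    # hypothetical: what sc_process64 (%windir%\sysnative\gpupdate.exe) looks like once Beacon
    # starts its sacrificial process; sysnative resolves to System32 in the logged image path
    {"pid": 3012, "image": r"C:\Windows\System32\gpupdate.exe", "parent_image": r"C:\programdata\word.exe",
     "cmdline": r"C:\Windows\System32\gpupdate.exe"},
    # hypothetical benign baseline: Group Policy refresh from the scheduled-task host
    {"pid": 3020, "image": r"C:\Windows\System32\gpupdate.exe", "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "gpupdate.exe /force"},
]

# Assumed baselines for this example; tune to the environment.
USER_WRITABLE_DIRS = (r"c:\programdata", r"c:\users\public", r"\appdata\local\temp")
EXPECTED_GPUPDATE_PARENTS = {"svchost.exe", "cmd.exe", "powershell.exe", "explorer.exe"}

Alert = Tuple[str, int]


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _args_after_image(cmdline: str) -> str:
    """Return whatever follows the executable token of a Windows command line."""
    s = cmdline.strip()
    if s.startswith('"'):                          # quoted image path, possibly with spaces
        close = s.find('"', 1)
        return s[close + 1:].strip() if close != -1 else ""
    parts = s.split(maxsplit=1)
    return parts[1] if len(parts) > 1 else ""


def _from_user_writable(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in USER_WRITABLE_DIRS)


def rule_dropped_binary_runs_whoami(ev: Dict[str, Any]) -> Optional[Alert]:
    # cmd.exe running whoami on behalf of a parent that lives in a user-writable directory
    # (the word.exe -> cmd.exe /C whoami -> whoami.exe chain in the report).
    if _base(ev["image"]) != "cmd.exe" or "whoami" not in ev["cmdline"].lower():
        return None
    if not _from_user_writable(ev["parent_image"]):
        return None
    return ("dropped_binary_runs_whoami", ev["pid"])


def rule_gpupdate_spawnto(ev: Dict[str, Any]) -> Optional[Alert]:
    # gpupdate.exe started with no arguments by a parent that would not normally start it.
    # Beacon launches its spawnto binary with exactly the configured path and no arguments,
    # then injects the post-exploitation job into it.
    if _base(ev["image"]) != "gpupdate.exe":
        return None
    if _args_after_image(ev["cmdline"]):
        return None
    if _base(ev["parent_image"]) in EXPECTED_GPUPDATE_PARENTS:
        return None
    return ("gpupdate_spawnto_candidate", ev["pid"])


RULES = (rule_dropped_binary_runs_whoami, rule_gpupdate_spawnto)


def run_rules(events: List[Dict[str, Any]]) -> List[Alert]:
    alerts: List[Alert] = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for name, pid in run_rules(EVENTS):
        print(f"{name}: pid {pid}")
```

The spawnto rule is deliberately narrow (no arguments, unexpected parent) because legitimate gpupdate.exe runs almost always carry /force or /target and come from svchost.exe or an interactive shell; widen the parent set rather than dropping the no-argument check if it proves noisy.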
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\ProgramData\word.exe
  Filesize: 273KB
  MD5: 773295382ac480e8db8fb2c1efad4cda
  SHA1: ae7c78724b8e0c946dd12d2ebc61f0f11c911067
  SHA256: 3823a537e612fe6e0453394242999cabb6d5070d49da22950102490d59fc6681
  SHA512: c0116b326fe1a4adf4b0abcccf1cf14aa0ad3f6762c61650002e524c57d0af296dfbb575eca317cbe8ac144e50fd8d198ef4a62bcb49e47cbd4da26813a3c288
\ProgramData\word.exe (the same file recorded again under a drive-relative path; hashes identical)
  Filesize: 273KB
  MD5: 773295382ac480e8db8fb2c1efad4cda
  SHA1: ae7c78724b8e0c946dd12d2ebc61f0f11c911067
  SHA256: 3823a537e612fe6e0453394242999cabb6d5070d49da22950102490d59fc6681
  SHA512: c0116b326fe1a4adf4b0abcccf1cf14aa0ad3f6762c61650002e524c57d0af296dfbb575eca317cbe8ac144e50fd8d198ef4a62bcb49e47cbd4da26813a3c288
Memory dumps
memory/268-57-0x0000000000000000-mapping.dmp
memory/268-60-0x000007FEF7680000-0x000007FEF772C000-memory.dmp (688KB)
memory/268-61-0x0000000003930000-0x0000000003D30000-memory.dmp (4.0MB)
memory/268-62-0x0000000003930000-0x0000000003D30000-memory.dmp (4.0MB)
memory/896-54-0x000007FEFC101000-0x000007FEFC103000-memory.dmp (8KB)
memory/1492-64-0x0000000000000000-mapping.dmp
memory/1800-63-0x0000000000000000-mapping.dmp