General

  • Target

    7943496156.zip

  • Size

    720KB

  • Sample

    220913-j719psahcl

  • MD5

    4ec1a76f3ce2412e06b484b3555d61b8

  • SHA1

    86c121b50a0793525dacc66db93243481af58c58

  • SHA256

    93fb21a9c51c0dbccb7e0bd5b4fad92061f540f3128ed2f9a248950c29f2f757

  • SHA512

    96353d22f26165e2eadee302d435d6069c0fd1dd20d07fe217d481ee8402d19689ca13e596b02be12070304ae4600d9d6a7a93bdd5a7b69519e8245e276702d5

  • SSDEEP

    12288:UEsXBmIQCdhuPidl4hE/rKX6i3FgnlcuUbemefeKMjMZzzlZKOVyU882X:UEsRmIBhus2QKXB6Bmaetj+zzeOl88e

Malware Config

Extracted

Family

cobaltstrike

Botnet

206546002

C2

http://ateliernow.net:443/Dev/v3.84/DB579PI9XE

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    ateliernow.net,/Dev/v3.84/DB579PI9XE

  • http_header1

    AAAACgAAADJBY2NlcHQ6IGFwcGxpY2F0aW9uL2pzb24sIGFwcGxpY2F0aW9uL3htbCwgaW1hZ2UvKgAAAAoAAAATQWNjZXB0LUxhbmd1YWdlOiB0aAAAAAoAAAAfQWNjZXB0LUVuY29kaW5nOiBpZGVudGl0eSwgZ3ppcAAAAAcAAAAAAAAADwAAAAgAAAACAAAABl9HWGlkPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAACxBY2NlcHQ6IGFwcGxpY2F0aW9uL2pzb24sIHRleHQvaHRtbCwgaW1hZ2UvKgAAAAoAAAATQWNjZXB0LUxhbmd1YWdlOiBmcgAAAAoAAAAWQWNjZXB0LUVuY29kaW5nOiBiciwgKgAAAAcAAAAAAAAADwAAAAsAAAAFAAAACV9HVUVaTElLUgAAAAcAAAABAAAADwAAAA0AAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    12288

  • polling_time

    68823

  • port_number

    443

  • sc_process32

    %windir%\syswow64\svchost.exe -k wksvc

  • sc_process64

    %windir%\sysnative\systray.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCN5UAJbAA83lOuZlkNoqHDAdV1F7OJnqUiF3kD6mwuXzJzVpu9+f4l/QIUotuiQA+vvxdM3q/XGu77WogAe90LRUknEdoD6YnU32G/ts9dbSwG6HySt7cLn5B3FsomLWjBbssH9e31TihCUvZbK6PRzmLW4SBgZigBWLXZgu7+SwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    1.141448704e+09

  • unknown2

    AAAABAAAAAEAAASeAAAAAgAABJ4AAAALAAAADwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /Stop/element/X71JO9M7V

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36

  • watermark

    206546002

Targets

    • Target

      7508939c077d0cf8ea1fadcba4255c69bc1b126d132e40bc28962e83435c8f13

    • Size

      1.2MB

    • MD5

      c312d68d160ae738bc46bcc4aa0ea97a

    • SHA1

      8572ff2bf304cdbce1498c5d7285cc033148c8d6

    • SHA256

      7508939c077d0cf8ea1fadcba4255c69bc1b126d132e40bc28962e83435c8f13

    • SHA512

      227fcc214e63e88acb6c435b5bafc63ac7480c1972d0cfaea01353efa9df77293bd0fb8e3e720b57c415e6da0816cb04089bcaf7d832b8b04487c03241d52771

    • SSDEEP

      24576:4cKqReEXbU+xrOtDZnNo1YlBBp5bXf222RYbw+vyVf2Zn:3FR/Q+5WDZNo1+B6RYb0VfQn

    • Target

      7d14b98cdc1b898bd0d9be80398fc59ab560e8c44e0a9dedac8ad4ece3d450b0

    • Size

      128KB

    • MD5

      0ba1d5a26f15f5f7942d0435fa63947e

    • SHA1

      92284cdbefe3fe21a57aa1b0fba23dbca16069eb

    • SHA256

      7d14b98cdc1b898bd0d9be80398fc59ab560e8c44e0a9dedac8ad4ece3d450b0

    • SHA512

      a51135427d1c2e060fe2ab41595b09c532a0881801f7d6136384e3b1bd01bef6306d0e22394512b37b83523ad2db042fe60e655c65fc1f058a613d7418c33bc1

    • SSDEEP

      3072:sCo+6DIwRCIfgxfsYJIKdG5vOVpa/guB7nGj65aZf+HtEY/zuh6y7:u+6DIwRNgOuQ5GVpInI6kIy77

    • PLAY Ransomware, PlayCrypt

      Ransomware family first seen in mid 2022.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v6

Tasks