Analysis
-
max time kernel
193s -
max time network
225s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
20-10-2022 12:32
Behavioral task
behavioral1
Sample
b5827aae668f29b68df6cc4b974c66f787c3a3ac11062ee719a3b1b286ddefbd.exe
Resource
win7-20220901-en
General
-
Target
b5827aae668f29b68df6cc4b974c66f787c3a3ac11062ee719a3b1b286ddefbd.exe
-
Size
1.7MB
-
MD5
0946f27e7ea817515c57de10d31be260
-
SHA1
265719038b95611c8df9064035533ea35cd0d18c
-
SHA256
b5827aae668f29b68df6cc4b974c66f787c3a3ac11062ee719a3b1b286ddefbd
-
SHA512
5bf84b2a704d7bb021c5639aa40f9bc3d093ef251ed0b9d33824560e98efa21188982bdfcea80e45a06587634d0022a77207c2c4a1338daeb1be016d05177bac
-
SSDEEP
49152:ZNTfjbw1drCTM3HS5LedtQSXyqmx44Vbx4I11ts3DT5BbYiH:L7bwbmTyHS5LedtHbmxzVbx4I11tsTtf
Malware Config
Extracted
cobaltstrike
305419896
http://114.132.241.103:443/admin/login
-
access_type
512
-
beacon_type
2048
-
host
114.132.241.103,/admin/login
-
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAnUmVmZXJlcjogaHR0cHM6Ly93d3cuYmp0LmJlaWppbmcuZ292LmNuAAAABwAAAAAAAAADAAAAAgAAAApTRVNTSU9OSUQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAnUmVmZXJlcjogaHR0cHM6Ly93d3cuYmp0LmJlaWppbmcuZ292LmNuAAAABwAAAAAAAAADAAAAAgAAAAlKU0VTU0lPTj0AAAAGAAAABkNvb2tpZQAAAAcAAAABAAAAAwAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
maxdns
255
-
polling_time
5000
-
port_number
443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCTUlJ7J79z/MkkV8+MsYlOvREE2hhdGNzrKPFZ10lY0K5legA+um5JxESEaC0woDgSmOGrkh1giz/aQwd6tG4mihFgpi0oIbfwu6XZbE6ghYGyu2F7+A5TifRUzvU0YLXjK78EW12XhjHx4KopMF/AtOAueGwfiI2DmXwNzrBDvwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
3.82554112e+09
-
unknown2
AAAABAAAAAEAAANBAAAAAgAAAqMAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/admin/user
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
-
watermark
305419896
Extracted
cobaltstrike
0
-
watermark
0
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Processes:
resource yara_rule behavioral2/memory/760-132-0x0000000000C70000-0x000000000101B000-memory.dmp upx behavioral2/memory/760-134-0x0000000000C70000-0x000000000101B000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: RenamesItself 1 IoCs
Processes:
b5827aae668f29b68df6cc4b974c66f787c3a3ac11062ee719a3b1b286ddefbd.exepid process 760 b5827aae668f29b68df6cc4b974c66f787c3a3ac11062ee719a3b1b286ddefbd.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
b5827aae668f29b68df6cc4b974c66f787c3a3ac11062ee719a3b1b286ddefbd.exedescription pid process target process PID 760 wrote to memory of 4156 760 b5827aae668f29b68df6cc4b974c66f787c3a3ac11062ee719a3b1b286ddefbd.exe cmd.exe PID 760 wrote to memory of 4156 760 b5827aae668f29b68df6cc4b974c66f787c3a3ac11062ee719a3b1b286ddefbd.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b5827aae668f29b68df6cc4b974c66f787c3a3ac11062ee719a3b1b286ddefbd.exe"C:\Users\Admin\AppData\Local\Temp\b5827aae668f29b68df6cc4b974c66f787c3a3ac11062ee719a3b1b286ddefbd.exe"1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd " /c " C:\Users\Admin\AppData\Local\Temp\a.jpg2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/760-132-0x0000000000C70000-0x000000000101B000-memory.dmpFilesize
3.7MB
-
memory/760-134-0x0000000000C70000-0x000000000101B000-memory.dmpFilesize
3.7MB
-
memory/760-135-0x000002186C140000-0x000002186C1BD000-memory.dmpFilesize
500KB
-
memory/760-136-0x000002186BD40000-0x000002186C140000-memory.dmpFilesize
4.0MB
-
memory/4156-133-0x0000000000000000-mapping.dmp