Analysis
- max time kernel: 145s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 28-10-2022 09:03
Static task: static1
Behavioral task: behavioral1
- Sample: 收到这张2000苹果卡慢卡的找我领赏.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 收到这张2000苹果卡慢卡的找我领赏.exe
- Resource: win10v2004-20220812-en
General
- Target: 收到这张2000苹果卡慢卡的找我领赏.exe
- Size: 4.0MB
- MD5: f8f36048e8649de529a91866fc331b0f
- SHA1: 3da23481f21a3a956b675185343445069370918d
- SHA256: fb8c5724b33c3c5d8685158994e84a3b6a5dece566795cbd7161124e2800425d
- SHA512: 895d86d11e60a3e3ca983d90982a767ff336c0765ab5f58bcba5bd5f9365777f0443ed0329a3937cc9015bd41a43ba0cf6a2de6bae74105d2c86d5d92086dd35
- SSDEEP: 49152:i6pxLnOTkiJh7b7ULzddXKpZ1RJGswEyi4LreDUUERtRIwn0VF1iD+BM:ppxjOJ70zdd6pZe6CDn
Malware Config
Extracted: cobaltstrike, 305419896, http://42.192.134.128:80/admin/login
- access_type: 512
- host: 42.192.134.128,/admin/login
- http_header1 (base64):
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAnUmVmZXJlcjogaHR0cHM6Ly93d3cuYmp0LmJlaWppbmcuZ292LmNuAAAABwAAAAAAAAADAAAAAgAAAApTRVNTSU9OSUQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_header2 (base64):
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAnUmVmZXJlcjogaHR0cHM6Ly93d3cuYmp0LmJlaWppbmcuZ292LmNuAAAABwAAAAAAAAADAAAAAgAAAAlKU0VTU0lPTj0AAAAGAAAABkNvb2tpZQAAAAcAAAABAAAAAwAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_method1: GET
- http_method2: POST
- maxdns: 255
- polling_time: 5000
- port_number: 80
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine (base64):
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCIf+L6CRq3zedgU1uZz4WOlB5l3w5EVVWHZ6p1yS6ZMJbWzyRDP004C9SyOdlHOEanHAbFHM4En1P/hLVjfGgf0CcN3Us546Z6dXynqT3lqxDm+X0Svfu1fb1Dj2UqQofIOV61p5nbh9HTzbsyOq0f6BeQWZkdQjYV+pbtOecc3wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 3.82554112e+09
- unknown2 (base64):
AAAABAAAAAEAAANBAAAAAgAAAqMAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /admin/user
- user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
- watermark: 305419896
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- GoLang User-Agent (1 IoCs)
  Uses default user-agent string defined by GoLang HTTP packages.
  Processes:
    description: HTTP User-Agent header; flow: 2; ioc: Go-http-client/1.1
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes:
    pid: 1504; process: 收到这张2000苹果卡慢卡的找我领赏.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes:
    pid: 1724; process: DllHost.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (the same entry is recorded four times):
    description: PID 1504 wrote to memory of 1336; pid: 1504; process: 收到这张2000苹果卡慢卡的找我领赏.exe; target process: cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\收到这张2000苹果卡慢卡的找我领赏.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\收到这张2000苹果卡慢卡的找我领赏.exe"
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd " /c " "C:\Users\Admin\AppData\Local\Temp\Apple card 500-2.png"
- C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - Suspicious use of FindShellTrayWindow
Downloads
- C:\Users\Admin\AppData\Local\Temp\Apple card 500-2.png
  Filesize: 169KB
  MD5: f1a4555c164ca40c3d526fb209b6aef7
  SHA1: 2d731620a44163a620810dbfb439cf5355c79fe3
  SHA256: 3218b8f6548f14f580cc919bf6dfc815b92ace9c7ec9b260f9ed815ac811c76e
  SHA512: 292b64b6c16f9f9f8fb03080138b33214217d1e9713ad327c85a651d81f90e9e218471947ee7a38d8f25412b4764470d7998bdbdd7bf13a14d2a94cdc55ced9f
- memory/1336-54-0x0000000000000000-mapping.dmp
- memory/1504-55-0x00000000768A1000-0x00000000768A3000-memory.dmp
  Filesize: 8KB
- memory/1504-59-0x0000000033DA0000-0x0000000033E1D000-memory.dmp
  Filesize: 500KB
- memory/1504-60-0x0000000033860000-0x0000000033A24000-memory.dmp
  Filesize: 1.8MB
- memory/1504-61-0x0000000033860000-0x0000000033A24000-memory.dmp
  Filesize: 1.8MB