Analysis
-
max time kernel
132s -
max time network
141s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted
01-11-2022 11:08
Static task
static1
Behavioral task
behavioral1
Sample
a3bad5dc407e91902f7f5f2b49f7e4cfa2d9387638723fbe7e94e0e93dce0f95.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
a3bad5dc407e91902f7f5f2b49f7e4cfa2d9387638723fbe7e94e0e93dce0f95.exe
Resource
win10v2004-20220812-en
General
-
Target
a3bad5dc407e91902f7f5f2b49f7e4cfa2d9387638723fbe7e94e0e93dce0f95.exe
-
Size
21KB
-
MD5
ff9e3c1137ebd473823c19a66ee8ca61
-
SHA1
151e1c8b63e0c39870b1dd84a537941b199a103f
-
SHA256
a3bad5dc407e91902f7f5f2b49f7e4cfa2d9387638723fbe7e94e0e93dce0f95
-
SHA512
eb84318c7fda81559183193ccb68fb61ea36b73fe30985b94b93ba28016670560fd4cc7344d7dd00ffb3480e2d02f912f6ff6f29a9405a464852bc3fce8c549d
-
SSDEEP
384:fx3V1yp0MZont1Bvytm2BJL3YpbwrNcq:ftunw1BvyL3Y1Sp
Malware Config
Extracted
cobaltstrike
1359593325
http://rngupdatem.buzz:443/nv.js
-
access_type
512
-
beacon_type
2048
-
host
rngupdatem.buzz,/nv.js
-
http_header1
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
-
http_header2
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
-
http_method1
GET
-
http_method2
POST
-
jitter
9472
-
polling_time
30000
-
port_number
443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpm3c7f2r8xUL9lc4ewj3q8vb7xa6mlqAaNLbJwSsTQOhTd6+t0JxpYvt5FisffawQiZstQ0ZMJYMuGL/kyXzNRPwRASIATmocdHDz1fsYga6Tzx4tWSAh8IJshSG9PqxUqX6dsq39V3+IGoTpi44BrMY09ODUUv+ASppbaDGEFwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4.272630272e+09
-
unknown2
AAAABAAAAAIAAAFSAAAAAwAAAAsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/en
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Edg/99.0.1140.31
-
watermark
1359593325
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
Processes
Network
MITRE ATT&CK Matrix
Downloads
-
memory/1900-54-0x000007FEFB9B1000-0x000007FEFB9B3000-memory.dmp
Filesize: 8KB
-
memory/1900-55-0x0000000002630000-0x00000000026B6000-memory.dmp
Filesize: 536KB
-
memory/1900-56-0x00000000022A0000-0x0000000002320000-memory.dmp
Filesize: 512KB
-
memory/1900-57-0x0000000002630000-0x00000000026B6000-memory.dmp
Filesize: 536KB
-
memory/1900-58-0x00000000022A0000-0x0000000002320000-memory.dmp
Filesize: 512KB