Analysis
- max time kernel: 256s
- max time network: 372s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-11-2022 02:47
Behavioral task: behavioral1
- Sample: e8c74307732c397fe2ea5c4dd32637a574457e7c79c73a653d3b187f0159cf75.exe
- Resource: win7-20220812-en
General
- Target: e8c74307732c397fe2ea5c4dd32637a574457e7c79c73a653d3b187f0159cf75.exe
- Size: 146KB
- MD5: 99f5b94c1d1d31a82134b49237e5a92c
- SHA1: 9bdfc09ce414e8c266424621b3e9c264addecdab
- SHA256: e8c74307732c397fe2ea5c4dd32637a574457e7c79c73a653d3b187f0159cf75
- SHA512: 138fe77c17f25249c2a326c99f5756ade3218466ebe30cca0df496e4b51b8f5dd60a7760e11580aab750ea1e2d358dd0c7d63486ba9b3e1afcd42b509a6255c7
- SSDEEP: 3072:xDDyMnV59baBA5ZjjYrx0Z01FAbZ3eAIplpaJgnGPeg9guc:ByWABAvjjY9JbAb0naePyguc
Malware Config
Extracted family: pony
- C2 (gate URLs):
  http://66.55.89.150:8080/forum/viewtopic.php
  http://66.55.89.151:8080/forum/viewtopic.php
- payload_url:
  http://boletin.puntoimpresion.com/Qnrnh53B.exe
  http://www.vivaidiportanova.it/55V7.exe
  http://www.urbyagri.es/s56k5.exe
  http://etradi.webgenshop.nl/xWP.exe
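The gate and payload URLs in the extracted config are the most directly actionable indicators on this page. The script below is an added example, not part of the sandbox report or of any Triage tooling: it indexes those URLs (copied from the Malware Config above), normalises them to host/port/path, and runs constructed Squid-style proxy log lines against them. It also catches the Pony gate path on an unknown host and the bare host:port seen in CONNECT entries, since a TLS tunnel hides the path. The client IPs, timestamps and upstream addresses in the sample log are constructed (documentation ranges); only the C2 IPs and URLs come from the report.

```python
"""Match proxy/web-gateway log lines against the Pony IOCs extracted in the report above.

Added example, not part of the sandbox report. The C2 gate and payload URLs are copied
from the report's Malware Config; the log lines and client addresses are constructed.
"""
import re
from urllib.parse import urlsplit

# From the report: Pony posts stolen credentials to the gate, and fetches second-stage binaries.
PONY_C2 = [
    "http://66.55.89.150:8080/forum/viewtopic.php",
    "http://66.55.89.151:8080/forum/viewtopic.php",
]
PONY_PAYLOAD_URLS = [
    "http://boletin.puntoimpresion.com/Qnrnh53B.exe",
    "http://www.vivaidiportanova.it/55V7.exe",
    "http://www.urbyagri.es/s56k5.exe",
    "http://etradi.webgenshop.nl/xWP.exe",
]

def normalize(url):
    """Return (host, port, path) or None. Scheme-less 'host:port' (CONNECT targets) is accepted."""
    try:
        parts = urlsplit(url if "://" in url else "http://" + url)
        host, port = parts.hostname, parts.port
    except ValueError:            # malformed netloc or non-numeric port
        return None
    if not host:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return host, port, parts.path or "/"

URL_IOCS = {normalize(u): "c2" for u in PONY_C2}
URL_IOCS.update({normalize(u): "payload" for u in PONY_PAYLOAD_URLS})
C2_HOSTS = {normalize(u)[:2] for u in PONY_C2}          # (host, port) pairs for tunnelled traffic

# Squid access.log: time elapsed client code/status bytes METHOD url user hierarchy type
LOG_RE = re.compile(r"^\S+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")

def classify(method, url):
    """Exact URL match first, then C2 host:port, then the Pony gate path on any host."""
    key = normalize(url)
    if key is None:
        return None
    if key in URL_IOCS:
        return URL_IOCS[key]
    if key[:2] in C2_HOSTS:
        return "c2-host"
    if method == "POST" and key[2].endswith("/forum/viewtopic.php"):
        return "pony-gate-pattern"     # heuristic: same gate path, unknown host
    return None

def scan_proxy_log(lines):
    """Return (client, verdict, url) for every line that matches an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify(m.group("method"), m.group("url"))
        if verdict:
            hits.append((m.group("client"), verdict, m.group("url")))
    return hits

# Constructed sample log (10.0.0.x clients and 203.0.113.x/198.51.100.x upstreams are not from the report).
SAMPLE_LOG = """\
1669776420.001    120 10.0.0.21 TCP_MISS/200 4210 POST http://66.55.89.150:8080/forum/viewtopic.php - HIER_DIRECT/66.55.89.150 text/html
1669776421.114     90 10.0.0.21 TCP_MISS/200 149504 GET http://www.urbyagri.es/s56k5.exe - HIER_DIRECT/203.0.113.5 application/octet-stream
1669776422.300     40 10.0.0.22 TCP_MISS/200 1002 GET http://example.org/ - HIER_DIRECT/203.0.113.10 text/html
1669776423.512     70 10.0.0.23 TCP_MISS/200 512 POST http://198.51.100.7/cgi/forum/viewtopic.php - HIER_DIRECT/198.51.100.7 text/html
1669776424.600     30 10.0.0.24 TCP_TUNNEL/200 3300 CONNECT 66.55.89.151:8080 - HIER_DIRECT/66.55.89.151 -
""".splitlines()

if __name__ == "__main__":
    for client, verdict, url in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} {verdict} {url}")
```

The indicators were extracted in November 2022; the hosts are unlikely to still serve the payloads, so treat the exact-URL matches as historical and the gate-path heuristic as the part worth keeping in a live rule set.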
Signatures
- Cobaltstrike: Detected malicious payload which is part of Cobaltstrike.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: e8c74307732c397fe2ea5c4dd32637a574457e7c79c73a653d3b187f0159cf75.exe

  description                      | pid  | process                                                                  | target process
  PID 2132 wrote to memory of 3672 | 2132 | e8c74307732c397fe2ea5c4dd32637a574457e7c79c73a653d3b187f0159cf75.exe | e8c74307732c397fe2ea5c4dd32637a574457e7c79c73a653d3b187f0159cf75.exe
  PID 2132 wrote to memory of 3672 | 2132 | e8c74307732c397fe2ea5c4dd32637a574457e7c79c73a653d3b187f0159cf75.exe | e8c74307732c397fe2ea5c4dd32637a574457e7c79c73a653d3b187f0159cf75.exe
  PID 2132 wrote to memory of 3672 | 2132 | e8c74307732c397fe2ea5c4dd32637a574457e7c79c73a653d3b187f0159cf75.exe | e8c74307732c397fe2ea5c4dd32637a574457e7c79c73a653d3b187f0159cf75.exe
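All three IoCs are the parent (2132) writing into a child (3672) started from the same image. When reading raw API or EDR event logs rather than a sandbox summary, the useful check is to separate that shape from self-writes and from writes into a foreign process. The script below is an added example, not part of the sandbox report: the event tuples are constructed in the report's own column order (pid, process, target pid, target process); the first three mirror the report's rows, and the remaining ones (PIDs 4100/5200, winword.exe, explorer.exe) are made up to exercise the other branches.

```python
"""Aggregate cross-process memory writes such as the three WriteProcessMemory IoCs above.

Added example, not part of the sandbox report. Events are constructed tuples in the
report's column order; only the first three rows reflect the report's data.
"""
from collections import Counter

SAMPLE = "e8c74307732c397fe2ea5c4dd32637a574457e7c79c73a653d3b187f0159cf75.exe"

SAME_IMAGE = "same-image cross-process write"     # a process writing into a spawned copy of itself
FOREIGN = "write into another process image"      # classic remote-injection shape

# (api, pid, process, target pid, target process)
EVENTS = [
    ("WriteProcessMemory", 2132, SAMPLE, 3672, SAMPLE),
    ("WriteProcessMemory", 2132, SAMPLE, 3672, SAMPLE),
    ("WriteProcessMemory", 2132, SAMPLE, 3672, SAMPLE),
    ("WriteProcessMemory", 2132, SAMPLE, 2132, SAMPLE),                 # constructed: write to own process, ignored
    ("WriteProcessMemory", 4100, "winword.exe", 5200, "explorer.exe"),  # constructed: foreign-process write
    ("ReadProcessMemory", 4100, "winword.exe", 5200, "explorer.exe"),   # constructed: a read, not a write
]

def classify_write(pid, image, target_pid, target_image):
    """Verdict for one WriteProcessMemory call, or None when it is not cross-process."""
    if pid == target_pid:
        return None
    if image.lower() == target_image.lower():
        return SAME_IMAGE
    return FOREIGN

def find_injection(events):
    """Count cross-process writes per (writer pid, target pid, verdict)."""
    verdicts = Counter()
    for api, pid, image, target_pid, target_image in events:
        if api != "WriteProcessMemory":
            continue
        verdict = classify_write(pid, image, target_pid, target_image)
        if verdict:
            verdicts[(pid, target_pid, verdict)] += 1
    return verdicts

if __name__ == "__main__":
    for (pid, target_pid, verdict), n in sorted(find_injection(EVENTS).items()):
        print(f"{pid} -> {target_pid}: {verdict} x{n}")
```

Run on the report's rows this yields a single (2132, 3672) bucket with a count of 3, which is exactly the "3 IoCs" the signature reports. A parent writing into a child launched from its own binary is a common way for a packed loader to hand control to its decoded stage; the report does not say what was written, so the memory dumps under Downloads are where that question would be answered.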
Processes
- C:\Users\Admin\AppData\Local\Temp\e8c74307732c397fe2ea5c4dd32637a574457e7c79c73a653d3b187f0159cf75.exe (PID 2132)
  command line: "C:\Users\Admin\AppData\Local\Temp\e8c74307732c397fe2ea5c4dd32637a574457e7c79c73a653d3b187f0159cf75.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\e8c74307732c397fe2ea5c4dd32637a574457e7c79c73a653d3b187f0159cf75.exe (PID 3672, child)
    command line: "C:\Users\Admin\AppData\Local\Temp\e8c74307732c397fe2ea5c4dd32637a574457e7c79c73a653d3b187f0159cf75.exe"
Downloads
- memory/2132-132-0x00000000004E0000-0x0000000000510000-memory.dmp (192KB)
- memory/2132-133-0x00000000004E0000-0x0000000000510000-memory.dmp (192KB)
- memory/2132-135-0x00000000004E0000-0x0000000000510000-memory.dmp (192KB)
- memory/3672-134-0x0000000000000000-mapping.dmp