Analysis
max time kernel: 35s
max time network: 41s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 30-11-2022 13:35
Behavioral task: behavioral1
Sample: be066a26daf68e43deddd23a33c5ef641be66b543c60552c939d4250c2e56141.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: be066a26daf68e43deddd23a33c5ef641be66b543c60552c939d4250c2e56141.exe
Resource: win10v2004-20220812-en
General
Target: be066a26daf68e43deddd23a33c5ef641be66b543c60552c939d4250c2e56141.exe
Size: 144KB
MD5: c404859150b29d1074d511b435098ff3
SHA1: 221260c4c12f810768f795bb3ccb1431f45583a2
SHA256: be066a26daf68e43deddd23a33c5ef641be66b543c60552c939d4250c2e56141
SHA512: 6cda78e86fbcbc1ee7e84576f5f130cb4c10031b97e4f39a5c989da7039cd5fc9165d5107d6c71079d672a03c2b2648439346c8c46097db8cc5ba61f9dbad09a
SSDEEP: 3072:s0IYwk7xA1hBO7bvZreljmHITlbbxHZyVnVpaJ0opb+g9H:nIYwkdV7bBreRdBbbiRam++yH
Malware Config
Extracted: pony
http://74.53.97.66:8080/forum/viewtopic.php
http://74.53.97.67:8080/forum/viewtopic.php
payload_url:
http://boletin.puntoimpresion.com/Qnrnh53B.exe
http://www.vivaidiportanova.it/55V7.exe
http://www.urbyagri.es/s56k5.exe
http://etradi.webgenshop.nl/xWP.exe
Signatures
- Cobaltstrike: Detected malicious payload which is part of Cobaltstrike.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: be066a26daf68e43deddd23a33c5ef641be66b543c60552c939d4250c2e56141.exe
  description | pid | process | target process
  PID 1348 wrote to memory of 1560 | 1348 | be066a26daf68e43deddd23a33c5ef641be66b543c60552c939d4250c2e56141.exe | be066a26daf68e43deddd23a33c5ef641be66b543c60552c939d4250c2e56141.exe
  PID 1348 wrote to memory of 1560 | 1348 | be066a26daf68e43deddd23a33c5ef641be66b543c60552c939d4250c2e56141.exe | be066a26daf68e43deddd23a33c5ef641be66b543c60552c939d4250c2e56141.exe
  PID 1348 wrote to memory of 1560 | 1348 | be066a26daf68e43deddd23a33c5ef641be66b543c60552c939d4250c2e56141.exe | be066a26daf68e43deddd23a33c5ef641be66b543c60552c939d4250c2e56141.exe
  PID 1348 wrote to memory of 1560 | 1348 | be066a26daf68e43deddd23a33c5ef641be66b543c60552c939d4250c2e56141.exe | be066a26daf68e43deddd23a33c5ef641be66b543c60552c939d4250c2e56141.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\be066a26daf68e43deddd23a33c5ef641be66b543c60552c939d4250c2e56141.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\be066a26daf68e43deddd23a33c5ef641be66b543c60552c939d4250c2e56141.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\be066a26daf68e43deddd23a33c5ef641be66b543c60552c939d4250c2e56141.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\be066a26daf68e43deddd23a33c5ef641be66b543c60552c939d4250c2e56141.exe"