Analysis
- max time kernel: 139s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-12-2022 04:07
Behavioral task: behavioral1
- Sample: cad9eb5a91c9e7ba6582ca727173c48a77ae60939c8bfa875d6bc03bcce86e49.exe
- Resource: win7-20220901-en
General
- Target: cad9eb5a91c9e7ba6582ca727173c48a77ae60939c8bfa875d6bc03bcce86e49.exe
- Size: 144KB
- MD5: 715232b95f71fb77c170bf0ed526f250
- SHA1: 2fd4c3f4c6988b4364a2d7f60b84ce182338ef29
- SHA256: cad9eb5a91c9e7ba6582ca727173c48a77ae60939c8bfa875d6bc03bcce86e49
- SHA512: c1be358f0e6720e85f38421acf1ef66b258b24daa07e5a2fde71204552136f043c314bd1be654d61120fd32916112f0eb7e92ecf18397a1105db8cd7d9152951
- SSDEEP: 3072:s0IYwk7xA1Ifra36ZbYNgLV3XJBbKuMHiJgpaJDK0rvox2qUQs:nIYwkdra3UbYuFPbUJavrEs
Malware Config
Extracted family: pony
- C2:
  - http://74.53.97.66:8080/forum/viewtopic.php
  - http://74.53.97.67:8080/forum/viewtopic.php
- payload_url:
  - http://entdeckeschweden.de/awk4jNK.exe
  - http://clubevidaboa.com.br/Skkos.exe
  - http://iglesiasdeldiosviviente.org/f2peMF.exe
Signatures
- Cobaltstrike: Detected malicious payload which is part of Cobaltstrike.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                      | pid  | process                                                                  | target process
  PID 4988 wrote to memory of 3928 | 4988 | cad9eb5a91c9e7ba6582ca727173c48a77ae60939c8bfa875d6bc03bcce86e49.exe | cad9eb5a91c9e7ba6582ca727173c48a77ae60939c8bfa875d6bc03bcce86e49.exe
  PID 4988 wrote to memory of 3928 | 4988 | cad9eb5a91c9e7ba6582ca727173c48a77ae60939c8bfa875d6bc03bcce86e49.exe | cad9eb5a91c9e7ba6582ca727173c48a77ae60939c8bfa875d6bc03bcce86e49.exe
  PID 4988 wrote to memory of 3928 | 4988 | cad9eb5a91c9e7ba6582ca727173c48a77ae60939c8bfa875d6bc03bcce86e49.exe | cad9eb5a91c9e7ba6582ca727173c48a77ae60939c8bfa875d6bc03bcce86e49.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\cad9eb5a91c9e7ba6582ca727173c48a77ae60939c8bfa875d6bc03bcce86e49.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\cad9eb5a91c9e7ba6582ca727173c48a77ae60939c8bfa875d6bc03bcce86e49.exe"
  - Suspicious use of WriteProcessMemory
  - child: C:\Users\Admin\AppData\Local\Temp\cad9eb5a91c9e7ba6582ca727173c48a77ae60939c8bfa875d6bc03bcce86e49.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\cad9eb5a91c9e7ba6582ca727173c48a77ae60939c8bfa875d6bc03bcce86e49.exe"