Analysis
- max time kernel: 128s
- max time network: 145s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 24/12/2022, 06:46
Static task
- static1

Behavioral task
- behavioral1
- Sample: friend.dat.dll
- Resource: win7-20221111-en

Behavioral task
- behavioral2
- Sample: friend.dat.dll
- Resource: win10v2004-20221111-en
General
- Target: friend.dat.dll
- Size: 1.1MB
- MD5: 5480ba73eb7195173e792b67e1b0bebe
- SHA1: c181c010cac35af3cc57d09e415190ca2f09ce6d
- SHA256: 114bcc91d144bf62815ea51a8536049346e9d075937820e29f25605b0088d833
- SHA512: cd4310154ec3d3eb96bdac2c8a9a474edf43f280ab3c29d2f2913cabf68ae8f3102915349f97ff63262b70ea7c8d2ad2df43c4921f2b35b70139361f509dee5d
- SSDEEP: 24576:N5RoPW4nM9vmoAzdszdM9R+Y+itLNl/ezF8jByCC:NboP0vmoAzdadM9R+Y+2NBeZ
Malware Config
Extracted
- cobaltstrike
- 666
- http://johnjeffriesphotography.com:443/wp-content/unsalted-condensed-soups/
- access_type: 512
- beacon_type: 2048
- dns_idle: 6.7372036e+07
- dns_sleep: 8.1297408e+08
- host: johnjeffriesphotography.com,/wp-content/unsalted-condensed-soups/
- http_header1: AAAACgAAAF1BY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LGltYWdlL2F2aWYsaW1hZ2Uvd2VicCwqLyo7cT0wLjgAAAAKAAAAH0FjY2VwdC1MYW5ndWFnZTogZW4tVVMsZW47cT0wLjUAAAAKAAAAIkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZSwgYnIAAAAKAAAAFkNvbm5lY3Rpb246IGtlZXAtYWxpdmUAAAAHAAAAAAAAAA8AAAANAAAAAQAAAAkvc291cC5naWYAAAAMAAAAAAAAAA==
- http_header2: AAAACgAAAB5Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL2pzb24AAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAABwAAAAAAAAAPAAAACAAAAAYAAAAOQXV0aGVudGljYXRpb24AAAAHAAAAAQAAAAMAAAACAAAATXsiaW1hZ2VfdXJsIiA6ICJodHRwOi8vbWVtZXNtaXgubmV0L21lZGlhL2NyZWF0ZWQvam9vd2RqLmpwZyIsICJhdXRoZGF0YSIgOiAiAAAAAQAAAAIifQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_method1: GET
- http_method2: POST
- jitter: 7680
- maxdns: 235
- polling_time: 60000
- port_number: 443
- sc_process32: %windir%\syswow64\dfrgui.exe
- sc_process64: %windir%\sysnative\dfrgui.exe
- state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnOM3nXx+7HBhkbDd+AwFrFisSunK999w2tM0uTpuuEiBalcJhcL+QgQWtf6S7zPp5hjImG+2YcPl18geU4f5JlSPXHwilbK4DFb/ePWyKFjhrA7emVRqhM21QMlo1ANsn14rY/RO2pzuft8P7TXoIjjI/B2GGVuzYNZX6X4I2EwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 3.154317312e+09
- unknown2: AAAABAAAAAIAAAAwAAAAAgAAADAAAAACAAAAMAAAAAIAAAAwAAAAAgAAADAAAAACAAAAMAAAAAIAAAAwAAAAAgAAADAAAAACAAAAMAAAAAIAAAAwAAAAAgAAADAAAAACAAAAMAAAAAIAAAAwAAAAAgAAADAAAAACAAAAMAAAAAIAAAAwAAAAAgAAADAAAAACAAAAMAAAAAIAAAAwAAAAAgAAACwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /imagedata/
- user_agent: Mozilla/5.0 (X11; CrOS x86_64 13597.94.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.186 Safari/537.36
- watermark: 666
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
  description | pid | Process | procid_target
  PID 2040 created 1280 | 2040 | regsvr32.exe | 16
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid | Process
  2040 | regsvr32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 2040 wrote to memory of 1980 | 2040 | regsvr32.exe | 28
  PID 2040 wrote to memory of 1980 | 2040 | regsvr32.exe | 28
  PID 2040 wrote to memory of 1980 | 2040 | regsvr32.exe | 28
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1280
  - C:\Windows\system32\regsvr32.exe
    Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\friend.dat.dll
    PID: 2040
    Signatures:
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\conhost.exe
    Command line: \??\C:\Windows\system32\conhost.exe 0x4
    PID: 1980