Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
29-01-2023 16:41
Static task
static1
Behavioral task
behavioral1
Sample
1ddaa29d9abfb09a4923ae9b71a645b016d9c8b8f60c6294b2d487059a06758a.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
1ddaa29d9abfb09a4923ae9b71a645b016d9c8b8f60c6294b2d487059a06758a.exe
Resource
win10v2004-20220812-en
General
-
Target
1ddaa29d9abfb09a4923ae9b71a645b016d9c8b8f60c6294b2d487059a06758a.exe
-
Size
754KB
-
MD5
6e0d26d4cf0dcd22d93916130cadd233
-
SHA1
483af7efbe0e8c4ae80bad7c2ab03b7dbca0b434
-
SHA256
1ddaa29d9abfb09a4923ae9b71a645b016d9c8b8f60c6294b2d487059a06758a
-
SHA512
8e8d49f09c3af5e0ccac1b47fb22e7575bceb7004f83ffd900c07bca198cbc2c9ef1bf5891830a0a7e746fb01b25dd128705f54d7c81944d432f312324b9f3bc
-
SSDEEP
12288:IQ77VbXViKvXMiDRVnEbH3J8cbvqvhtfFC15eYxz4z35jAznDMqyeQubPjs3i+LG:IY75dMF42
Malware Config
Extracted
cobaltstrike
1359593325
http://172.18.12.65:443/IE9CompatViewList.xml
-
access_type
512
-
beacon_type
2048
-
host
172.18.12.65,/IE9CompatViewList.xml
-
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
polling_time
60000
-
port_number
443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD49+men5LazOiHMMcfoeq+95wwX1485eIMu4JZqgOE54RLZAGZTOzVOFezyb0oebLL9BDqRO4v8m876eGEjDp6IHLunfexk0a+SAeMYr9LJX+LRhgoNia9j1/iGt0eMzgcHGYA5P357qKHshUMNTXCK6VYp8q0+Yo++Am2ABaoaQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/submit.php
-
user_agent
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0)
-
watermark
1359593325
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
1ddaa29d9abfb09a4923ae9b71a645b016d9c8b8f60c6294b2d487059a06758a.exepid process 1868 1ddaa29d9abfb09a4923ae9b71a645b016d9c8b8f60c6294b2d487059a06758a.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
1ddaa29d9abfb09a4923ae9b71a645b016d9c8b8f60c6294b2d487059a06758a.exedescription pid process Token: SeDebugPrivilege 1868 1ddaa29d9abfb09a4923ae9b71a645b016d9c8b8f60c6294b2d487059a06758a.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1ddaa29d9abfb09a4923ae9b71a645b016d9c8b8f60c6294b2d487059a06758a.exe"C:\Users\Admin\AppData\Local\Temp\1ddaa29d9abfb09a4923ae9b71a645b016d9c8b8f60c6294b2d487059a06758a.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1868-132-0x00000000005D0000-0x0000000000692000-memory.dmpFilesize
776KB
-
memory/1868-133-0x0000000005740000-0x0000000005D68000-memory.dmpFilesize
6.2MB
-
memory/1868-134-0x0000000005440000-0x000000000545A000-memory.dmpFilesize
104KB
-
memory/1868-135-0x00000000054A0000-0x00000000054D6000-memory.dmpFilesize
216KB
-
memory/1868-136-0x00000000063F0000-0x0000000006A6A000-memory.dmpFilesize
6.5MB
-
memory/1868-137-0x0000000005580000-0x0000000005616000-memory.dmpFilesize
600KB
-
memory/1868-138-0x0000000005510000-0x0000000005532000-memory.dmpFilesize
136KB
-
memory/1868-139-0x0000000005690000-0x00000000056F6000-memory.dmpFilesize
408KB
-
memory/1868-140-0x0000000006A70000-0x0000000007014000-memory.dmpFilesize
5.6MB
-
memory/1868-141-0x0000000005640000-0x000000000565E000-memory.dmpFilesize
120KB
-
memory/1868-142-0x0000000005DC0000-0x0000000005E0A000-memory.dmpFilesize
296KB
-
memory/1868-143-0x00000000062E0000-0x0000000006346000-memory.dmpFilesize
408KB
-
memory/1868-144-0x0000000006380000-0x00000000063A2000-memory.dmpFilesize
136KB
-
memory/1868-145-0x0000000008800000-0x0000000008833000-memory.dmpFilesize
204KB
-
memory/1868-146-0x0000000008840000-0x000000000887D000-memory.dmpFilesize
244KB