Analysis
-
max time kernel
150s
-
max time network
152s
-
platform
windows7_x64
-
resource
win7-20230220-en
-
resource tags
arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
-
submitted
24-03-2023 17:17
Static task
static1
Behavioral task
behavioral1
Sample
vx.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
vx.exe
Resource
win10v2004-20230220-en
General
-
Target
vx.exe
-
Size
385KB
-
MD5
0483d8bc0a1258011f297d1984f040c7
-
SHA1
fe2ed57c265d6e99eeba2118e500765354afdcff
-
SHA256
17ab123e35e0532b63a09c89db6d57ad19b17488f2211f6e6e2fcc3f091b90f2
-
SHA512
5d7ddc1a9a4a760c3b19387c7a1c8a898093b55ff52b095d1b9c5db0d043375cad79e804b82f1d7375c17190f054f357d4e62224e30b1dc263161b84168a926f
-
SSDEEP
3072:0orV6p1eJaaPASzaq/13Ja27/7qUF7+3WiXhNivSJFIjHr2oXcWcHDNVRMyObobL:R6WaafB7/OUtiXhNoSJ2GFWeNDw0Ou1
Malware Config
Extracted
cobaltstrike
666666
http://124.223.3.43:8044/_/scs/mail-static/_/js/
-
access_type
512
-
host
124.223.3.43,/_/scs/mail-static/_/js/
-
http_header1
-
http_header2
-
http_method1
GET
-
http_method2
POST
-
jitter
3840
-
polling_time
60000
-
port_number
8044
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCcG2kqoSw8E9T8Cl9ycqidjuKPzv5EblAlDcEXeYDWavhJj4c7w1gqyJNT4v8+gowa/baCxxAWamdmIMA24OZv3FI2ei/sDD9Pklhapa7P3cremdIeGotOLoscwepsVXG+NOEZ0tVsC0hKGMHwk9Qz/2KKMCVG005Im2muwaj5WQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
5.37071616e+08
-
unknown2
AAAABAAAAAEAAAF3AAAAAQAAAPoAAAACAAAABAAAAAIAAAAcAAAAAgAAACQAAAACAAAAEgAAAAIAAAAEAAAAAgAAABwAAAACAAAAJAAAAAIAAAARAAAAAgAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/mail/u/0/
-
user_agent
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.4; .NET4.0C)
-
watermark
666666
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
vx.exe
description                       pid   process  target process
PID 1732 wrote to memory of 900   1732  vx.exe   cmd.exe
PID 1732 wrote to memory of 900   1732  vx.exe   cmd.exe
PID 1732 wrote to memory of 900   1732  vx.exe   cmd.exe
Downloads
-
C:\Windows\Temp\R8QDM0EXOA2EYF7R36BEA.tmp
Filesize
259KB
MD5
fb2e1f5b1fb0d27c73ad588f53e8760c
SHA1
2f74ac46bdac425e6434060cefb90d83d3711668
SHA256
a5fa5e0b3e8cddcc93588c56f1e08f94c17ac2736be6c7f16fb762ac03ce5ce6
SHA512
2f1ca8c5fe0457a5f7058040fb87b42f8f758ecbc593f2a89ef709282268d2cdc9ade6650e26a1f85bb8072cc9a47ab351f2029537eccf40dcdedf6aa1339496
-
memory/1732-59-0x0000000001D40000-0x0000000001D81000-memory.dmp
Filesize
260KB
-
memory/1732-60-0x0000000002350000-0x000000000239F000-memory.dmp
Filesize
316KB
-
memory/1732-61-0x0000000002350000-0x000000000239F000-memory.dmp
Filesize
316KB