Analysis

  • max time kernel
    104s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    31-03-2023 12:54

General

  • Target

    Desktop/2f0812f7f7905937a82c3a755c40becf63e0d6ed39f212ac931774dfdf338d53.exe

  • Size

    373KB

  • MD5

    d82eb76b428bb814965baa059e4b15c0

  • SHA1

    468ad6d157589afbc055233ca6d9fb1e43f192ef

  • SHA256

    2f0812f7f7905937a82c3a755c40becf63e0d6ed39f212ac931774dfdf338d53

  • SHA512

    06cb2dc0f0c4de91ca579db6365092b415a626d7daca1775c433fb35f3ce79190b0853088b75168e4e87b301036600fe73649342e55f42f8a1d663f0ec1b805f

  • SSDEEP

    1536:2zrkW1mfdT631H2vvspStlLEWEqg6Gy2Jx/8LK6u3EwArdNuNUsWUzcdDs8cn8:s9mfRtXsYfFg6GlJ7GrdNOrCDshn

Malware Config

Extracted

Family

cobaltstrike

Botnet

99999

C2

http://service-pjo6e71f-1259689902.bj.apigw.tencentcs.com:443/api/getit

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    service-pjo6e71f-1259689902.bj.apigw.tencentcs.com,/api/getit

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAKU0VTU0lPTklEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAJSlNFU1NJT049AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • polling_time

    3000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCU0m7H1l2AP44i7L/wgxQAhx3FVvY8t2GPssMT+CnCAm/OMdzDuwEeAoovm9zMGaOLQR22rnxnhBbzPfpLtOtIH8ItUoIzPY0O2+0Xw8mj9ctJlAFb5QBneSJhY7AldZD6ghCXWdEoLKe7cTnrO0t2etFCBILTaT+oSw2lqwFIYQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    1.481970944e+09

  • unknown2

    AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /api/postit

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Edg/110.0.1587.63

  • watermark

    99999

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • Modifies system certificate store 2 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Desktop\2f0812f7f7905937a82c3a755c40becf63e0d6ed39f212ac931774dfdf338d53.exe
    "C:\Users\Admin\AppData\Local\Temp\Desktop\2f0812f7f7905937a82c3a755c40becf63e0d6ed39f212ac931774dfdf338d53.exe"
    1⤵
    • Modifies system certificate store
    PID:1684

Network

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Install Root Certificate

1
T1130

Modify Registry

1
T1112

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1684-54-0x00000000033D0000-0x00000000037D0000-memory.dmp
    Filesize

    4.0MB

  • memory/1684-55-0x0000000000FD0000-0x000000000100E000-memory.dmp
    Filesize

    248KB

  • memory/1684-56-0x0000000000FD0000-0x000000000100E000-memory.dmp
    Filesize

    248KB