Analysis
- max time kernel: 146s
- max time network: 133s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 01-04-2023 05:28
Static task: static1
Behavioral task: behavioral1
- Sample: tmp.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: tmp.exe
- Resource: win10v2004-20230220-en
General
- Target: tmp.exe
- Size: 645KB
- MD5: 779169ff3933adcd80e0dda02d5143af
- SHA1: 6e0c8081be19df6e6c10e18167d990ccda8ed8aa
- SHA256: 67707bb321d85362d9bc07770702cc1f9f64e6a9ba119c65abe1ed4e3f6627d8
- SHA512: e5fc8d887deefc3de410badf7639c6498a96f20da3ebf3e67a96459713d77faf11531014764ef8027b82cf12a09e08b542464b645cb029ac3339b7c7759df12a
- SSDEEP: 12288:7nbsfvqgTnOOUWe1Z6YiEiK6jb8czDFvEa5RK2AosNfnnzHX8d:o1TNUj1mR
Malware Config
Extracted: metasploit
- windows/download_exec
- http://62.204.41.45:1599/feGJ
- headers: User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MANM)
Extracted: cobaltstrike
- 0
- http://62.204.41.45:1599/en_US/all.js
- access_type: 512
- host: 62.204.41.45,/en_US/all.js
- http_header1:
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
- http_header2:
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
- http_method1: GET
- http_method2: POST
- polling_time: 60000
- port_number: 1599
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnOM3nXx+7HBhkbDd+AwFrFisSunK999w2tM0uTpuuEiBalcJhcL+QgQWtf6S7zPp5hjImG+2YcPl18geU4f5JlSPXHwilbK4DFb/ePWyKFjhrA7emVRqhM21QMlo1ANsn14rY/RO2pzuft8P7TXoIjjI/B2GGVuzYNZX6X4I2EwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 4096
- unknown2:
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /submit.php
- user_agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUS)
- watermark: 0
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Suspicious use of SetThreadContext (1 IoC)
  Processes: tmp.exe
  description | pid | process | target process
  PID 1696 set thread context of 468 | 1696 | tmp.exe | RegSvcs.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: RegSvcs.exe
  pid | process
  468 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: tmp.exe, RegSvcs.exe
  description | pid | process | target process
  PID 1696 wrote to memory of 468 | 1696 | tmp.exe | RegSvcs.exe
  PID 1696 wrote to memory of 468 | 1696 | tmp.exe | RegSvcs.exe
  PID 1696 wrote to memory of 468 | 1696 | tmp.exe | RegSvcs.exe
  PID 1696 wrote to memory of 468 | 1696 | tmp.exe | RegSvcs.exe
  PID 1696 wrote to memory of 468 | 1696 | tmp.exe | RegSvcs.exe
  PID 1696 wrote to memory of 468 | 1696 | tmp.exe | RegSvcs.exe
  PID 1696 wrote to memory of 468 | 1696 | tmp.exe | RegSvcs.exe
  PID 1696 wrote to memory of 468 | 1696 | tmp.exe | RegSvcs.exe
  PID 1696 wrote to memory of 468 | 1696 | tmp.exe | RegSvcs.exe
  PID 1696 wrote to memory of 468 | 1696 | tmp.exe | RegSvcs.exe
  PID 1696 wrote to memory of 468 | 1696 | tmp.exe | RegSvcs.exe
  PID 1696 wrote to memory of 468 | 1696 | tmp.exe | RegSvcs.exe
  PID 1696 wrote to memory of 468 | 1696 | tmp.exe | RegSvcs.exe
  PID 1696 wrote to memory of 468 | 1696 | tmp.exe | RegSvcs.exe
  PID 1696 wrote to memory of 468 | 1696 | tmp.exe | RegSvcs.exe
  PID 468 wrote to memory of 1252 | 468 | RegSvcs.exe | Explorer.EXE
Processes (process tree; depth shown by indentation)
- [1] C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - [2] C:\Users\Admin\AppData\Local\Temp\tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      command line: "{path}"
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix
Downloads
- memory/468-68-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
- memory/468-76-0x00000000002A0000-0x00000000002DE000-memory.dmp (Filesize: 248KB)
- memory/468-66-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
- memory/468-84-0x00000000003F0000-0x00000000003F1000-memory.dmp (Filesize: 4KB)
- memory/468-67-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
- memory/468-80-0x00000000003F0000-0x00000000003F1000-memory.dmp (Filesize: 4KB)
- memory/468-60-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
- memory/468-61-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
- memory/468-62-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
- memory/468-63-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
- memory/468-64-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
- memory/468-65-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
- memory/468-83-0x00000000003E0000-0x00000000003E1000-memory.dmp (Filesize: 4KB)
- memory/468-79-0x00000000003E0000-0x00000000003E1000-memory.dmp (Filesize: 4KB)
- memory/468-75-0x0000000003A60000-0x0000000003E60000-memory.dmp (Filesize: 4.0MB)
- memory/468-70-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
- memory/468-71-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
- memory/468-73-0x0000000000020000-0x0000000000021000-memory.dmp (Filesize: 4KB)
- memory/1252-77-0x0000000002AE0000-0x0000000002AF5000-memory.dmp (Filesize: 84KB)
- memory/1252-78-0x0000000002AE0000-0x0000000002AF5000-memory.dmp (Filesize: 84KB)
- memory/1252-82-0x0000000002B00000-0x0000000002B19000-memory.dmp (Filesize: 100KB)
- memory/1252-81-0x0000000002B00000-0x0000000002B19000-memory.dmp (Filesize: 100KB)
- memory/1696-54-0x0000000000D60000-0x0000000000E06000-memory.dmp (Filesize: 664KB)
- memory/1696-55-0x00000000003E0000-0x00000000003EC000-memory.dmp (Filesize: 48KB)
- memory/1696-59-0x0000000000720000-0x000000000072A000-memory.dmp (Filesize: 40KB)
- memory/1696-58-0x0000000004250000-0x00000000042B0000-memory.dmp (Filesize: 384KB)
- memory/1696-57-0x00000000005F0000-0x0000000000630000-memory.dmp (Filesize: 256KB)
- memory/1696-56-0x00000000005F0000-0x0000000000630000-memory.dmp (Filesize: 256KB)