Analysis
-
max time kernel
135s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
21-04-2023 13:57
Static task
static1
Behavioral task
behavioral1
Sample
111.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
111.exe
Resource
win10v2004-20230220-en
General
-
Target
111.exe
-
Size
398KB
-
MD5
606cdd3473606ff8fc2d16deea362c36
-
SHA1
307ac70d2420e71a4ac41f58894a2cac09cef8d7
-
SHA256
159777d6f03d56a5d1b6f8354347a44dea84be9f85b7ceb527b54f955922d461
-
SHA512
6296607550137dcc9b10da1822e272e1ebc313c3cc4e4743dd44abc817aa37c2ad4c40e9c1f03cee4938f5313dfb96f48195125496b11ae8d9334e8fe8ce9bc0
-
SSDEEP
6144:srBCf66A7WpXku3S75A8oS8lMSDkXcJJJ655ZZoMTuk76H2nqbc3rmv4s68dTlci:sc66A7UUu325A/AeGqbc3JcEPRsO4
Malware Config
Extracted
cobaltstrike
305419896
http://47.111.135.21:27001/j.ad
-
access_type
512
-
beacon_type
2048
-
host
47.111.135.21,/j.ad
-
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
maxdns
255
-
polling_time
60000
-
port_number
27001
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnCZHWnYFqYB/6gJdkc4MPDTtBJ20nkEAd3tsY4tPKs8MV4yIjJb5CtlrbKHjzP1oD/1AQsj6EKlEMFIKtakLx5+VybrMYE+dDdkDteHmVX0AeFyw001FyQVlt1B+OSNPRscKI5sh1L/ZdwnrMy6S6nNbQ5N5hls6k2kgNO5nQ7QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/submit.php
-
user_agent
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0; Touch)
-
watermark
305419896
Extracted
cobaltstrike
0
-
watermark
0
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
111.exedescription pid process target process PID 2000 wrote to memory of 3504 2000 111.exe notepad.exe PID 2000 wrote to memory of 3504 2000 111.exe notepad.exe PID 2000 wrote to memory of 3504 2000 111.exe notepad.exe
Processes
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2000-133-0x00007FF693550000-0x00007FF6935AB000-memory.dmpFilesize
364KB
-
memory/3504-134-0x0000023F41470000-0x0000023F41870000-memory.dmpFilesize
4.0MB
-
memory/3504-135-0x0000023F41870000-0x0000023F418BC000-memory.dmpFilesize
304KB
-
memory/3504-136-0x0000023F41870000-0x0000023F418BC000-memory.dmpFilesize
304KB