Analysis

max time kernel: 351s
max time network: 362s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-05-2023 05:26
Static task: static1
Behavioral task: behavioral1
Sample: artifact.exe
Resource: win10v2004-20230220-en
General

Target: artifact.exe
Size: 14KB
MD5: fba508c9bfff2ed07fa1ef7d622d9c77
SHA1: 60f1d95d309161d95def4915a316c6b9e0aeeda1
SHA256: 4ae8030b8c73dcfa41ce2b2bd78fd29369027eebcab58d20cbd95b904b19d8d5
SHA512: 8a73c946c9bd1147a94d76f42f08e3555bdc89a76ccfb52edd52a86fd4e0f3d1d5785ec655fb340cd3608fdda34a9a8a8fc7769233d932c6bfb5baafcf4876e1
SSDEEP: 192:kHCugRK83SxHn2OQ/dmBI4KBPwgir+xzRCvobqUqV/Qjo7AGa:ICxRKqbOCdWIVBPk+xzR/fCXAn
Malware Config

Extracted: metasploit
windows/download_exec
http://0.tcp.jp.ngrok.io:12337/FFdl
headers: User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ESES)

Extracted: cobaltstrike
305419896
http://0.tcp.jp.ngrok.io:12337/ga.js
access_type: 512
host: 0.tcp.jp.ngrok.io,/ga.js
http_header1: AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2: AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
polling_time: 60000
port_number: 12337
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCTUlJ7J79z/MkkV8+MsYlOvREE2hhdGNzrKPFZ10lY0K5legA+um5JxESEaC0woDgSmOGrkh1giz/aQwd6tG4mihFgpi0oIbfwu6XZbE6ghYGyu2F7+A5TifRUzvU0YLXjK78EW12XhjHx4KopMF/AtOAueGwfiI2DmXwNzrBDvwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /submit.php
user_agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.4; InfoPath.2)
watermark: 305419896
Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Suspicious use of SetThreadContext (2 IoCs)
Processes:
description            pid  process       target pid  target process
set thread context of  864  artifact.exe  2600        rundll32.exe
set thread context of  864  artifact.exe  4608        rundll32.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
Processes:
pid   process
2116  NOTEPAD.EXE

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
description         pid  process       target pid  target process
wrote to memory of  864  artifact.exe  2600        rundll32.exe
wrote to memory of  864  artifact.exe  2600        rundll32.exe
wrote to memory of  864  artifact.exe  2600        rundll32.exe
wrote to memory of  864  artifact.exe  2600        rundll32.exe
wrote to memory of  864  artifact.exe  4608        rundll32.exe
wrote to memory of  864  artifact.exe  4608        rundll32.exe
wrote to memory of  864  artifact.exe  4608        rundll32.exe
wrote to memory of  864  artifact.exe  4608        rundll32.exe
Processes

C:\Users\Admin\AppData\Local\Temp\artifact.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\artifact.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe (depth 2)
      command line: C:\Windows\syswow64\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe (depth 2)
      command line: C:\Windows\syswow64\rundll32.exe

C:\Windows\system32\NOTEPAD.EXE (depth 1)
  command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt
  - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

file                                                             Filesize
memory/864-133-0x0000000000030000-0x0000000000031000-memory.dmp  4KB
memory/864-134-0x0000000003930000-0x0000000003D30000-memory.dmp  4.0MB
memory/864-135-0x0000000003D30000-0x0000000003D6D000-memory.dmp  244KB
memory/864-136-0x0000000000400000-0x0000000000409000-memory.dmp  36KB
memory/864-137-0x0000000003D30000-0x0000000003D6D000-memory.dmp  244KB
memory/864-164-0x0000000000400000-0x0000000000409000-memory.dmp  36KB
memory/864-165-0x0000000003D30000-0x0000000003D6D000-memory.dmp  244KB
memory/2600-143-0x0000000000110000-0x0000000000138000-memory.dmp 160KB
memory/2600-145-0x00000000001D0000-0x00000000001FC000-memory.dmp 176KB
memory/2600-148-0x00000000001D0000-0x00000000001FC000-memory.dmp 176KB
memory/4608-161-0x0000000000760000-0x00000000007A7000-memory.dmp 284KB
memory/4608-163-0x00000000024E0000-0x000000000252A000-memory.dmp 296KB