Analysis
- max time kernel: 148s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-06-2023 11:48
Static task: static1
Behavioral task: behavioral1
- Sample: 07465599.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 07465599.exe
- Resource: win10v2004-20230220-en
General
- Target: 07465599.exe
- Size: 7.4MB
- MD5: e935248f8631314bbcb9bf90f2b496e5
- SHA1: 3ed3400e894db1205272161c06a6b8bcc5427853
- SHA256: b242d9c143c8e1b9266bc2d2fb937ae933b58e1cd291e4807ced1df5237cb52c
- SHA512: 970c3dded9b2f6f1b2b064d1da511f6067043bdbbd80f56ba7c15724deafa5e953183fb160e260641c5d550909494c1c6a4d1aa5bced70f798b5fb73c777217d
- SSDEEP: 196608:nNgBf2V1N+u/JVhQ9onJ5hrZER7iLHdN2aV0:nNgBf2Vn+u/JVm9c5hlER7ix90
Malware Config
Extracted: cobaltstrike (http://123.207.211.161:6000/nC6v)
- user_agent: User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Extracted: cobaltstrike 305419896 (http://123.207.211.161:6000/ptj)
- access_type: 512
- host: 123.207.211.161,/ptj
- http_header1: AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_header2: AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_method1: GET
- http_method2: POST
- maxdns: 255
- polling_time: 60000
- port_number: 6000
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCTUlJ7J79z/MkkV8+MsYlOvREE2hhdGNzrKPFZ10lY0K5legA+um5JxESEaC0woDgSmOGrkh1giz/aQwd6tG4mihFgpi0oIbfwu6XZbE6ghYGyu2F7+A5TifRUzvU0YLXjK78EW12XhjHx4KopMF/AtOAueGwfiI2DmXwNzrBDvwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 4096
- unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /submit.php
- user_agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MANM)
- watermark: 305419896
Extracted: cobaltstrike 0
- watermark: 0
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Loads dropped DLL (5 IoCs)
  Processes (pid / process): 1684 07465599.exe, 5 entries
- Suspicious use of NtSetInformationThreadHideFromDebugger (64 IoCs)
  Processes (pid / process): 948 07465599.exe and 1684 07465599.exe, 64 entries from these two PIDs
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes (description / pid / process / target process): PID 948 wrote to memory of 1684 / 948 / 07465599.exe / 07465599.exe, 2 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\07465599.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\07465599.exe"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\07465599.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\07465599.exe"
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\_MEI9482\VCRUNTIME140.dll
  Filesize: 99KB
  MD5: 18571d6663b7d9ac95f2821c203e471f
  SHA1: 3c186018df04e875d6b9f83521028a21f145e3be
  SHA256: 0b040a314c19ff88f38fd9c89dca2d493113a6109adb8525733c3f6627da888f
  SHA512: c8cbca1072b8cb04f9d82135c91ff6d7a539cb7a488671cecb6b5e2f11a4807f47ad9af5a87ebee44984ab71d7c44fc87850f9d04fd2c5019ec1b6a1b483ca21
- C:\Users\Admin\AppData\Local\Temp\_MEI9482\_ctypes.pyd
  Filesize: 123KB
  MD5: 890e9cfab85234fad3f1ae83b092c7cc
  SHA1: 85419a7cb1e1fa0275b07cf451c1125c31e8b1f7
  SHA256: 99a40375974e560d0ed9756dcfb77ac3aaaecf2434b442f0f3df908cfe7e821f
  SHA512: 421d5c161046f57b5d7f94eb628f041b029ff229f08bf0f211d1432b6501ffefa2a57829e74284101f6746f61add1461f1125aefdf3d39027492427a509aa511
- C:\Users\Admin\AppData\Local\Temp\_MEI9482\base_library.zip
  Filesize: 1005KB
  MD5: 071472ae00d5f8650711c27117de77d3
  SHA1: abbcf898b0df3eacc29d8b257ec22bd6710da60c
  SHA256: deade67dbe5a4ae77194883b10dff18dc781180a685c181a3790e90e3499b3b7
  SHA512: 7fe7acce319fde392f6fd403be1a3488e3f00862d900ef33b5506219467440662fef016142f0f390357ca3ce790f4beaf51a04c84afbff76875997542019b0a2
- C:\Users\Admin\AppData\Local\Temp\_MEI9482\libffi-7.dll
  Filesize: 32KB
  MD5: eef7981412be8ea459064d3090f4b3aa
  SHA1: c60da4830ce27afc234b3c3014c583f7f0a5a925
  SHA256: f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
  SHA512: dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016
- C:\Users\Admin\AppData\Local\Temp\_MEI9482\python38.dll
  Filesize: 4.0MB
  MD5: 8a6a13127f64757556080d3e4a7e45a0
  SHA1: 8e9a8e85cebcab07bf62033529ca5631a6d725dd
  SHA256: 54a34bd2efd0c3dd2ee950adf05d9344c70b0dac40311935763a3f171482a4d9
  SHA512: 2d4f9cbc544be4c38fccaf618806744bda5065853fa0e7f08bf359994db4bfd29d1cc8ee188ce5e7bfd0c78f7e7625f257fc05e9e736df794fb19fa9738cca16
- C:\Users\Admin\AppData\Local\Temp\_MEI9482\ucrtbase.dll
  Filesize: 1020KB
  MD5: 2c8fe06966d5085a595ffa3c98fe3098
  SHA1: e82945e3e63ffef0974d6dd74f2aef2bf6d0a908
  SHA256: de8d08d01291df93821314176381f3d1ae863e6c5584a7f8ea42f0b94b15ef65
  SHA512: fb08838983c16082a362b3fc89d5b82e61ae629207c13c3cb76b8a0af557ad95c842ce5197ae458b5af61e5449cbab579f509fa72866308aa6fbd3d751522d0f
-
- memory/948-207-0x0000000140000000-0x00000001401CF000-memory.dmp (Filesize: 1.8MB)
- memory/948-133-0x0000000140000000-0x00000001401CF000-memory.dmp (Filesize: 1.8MB)
- memory/948-136-0x0000000140000000-0x00000001401CF000-memory.dmp (Filesize: 1.8MB)
- memory/948-137-0x0000000140000000-0x00000001401CF000-memory.dmp (Filesize: 1.8MB)
- memory/948-134-0x0000000140000000-0x00000001401CF000-memory.dmp (Filesize: 1.8MB)
- memory/948-135-0x0000000140000000-0x00000001401CF000-memory.dmp (Filesize: 1.8MB)
- memory/1684-194-0x0000000140000000-0x00000001401CF000-memory.dmp (Filesize: 1.8MB)
- memory/1684-192-0x0000000140000000-0x00000001401CF000-memory.dmp (Filesize: 1.8MB)
- memory/1684-212-0x0000000004290000-0x00000000042DC000-memory.dmp (Filesize: 304KB)
- memory/1684-193-0x0000000140000000-0x00000001401CF000-memory.dmp (Filesize: 1.8MB)
- memory/1684-206-0x0000000002E20000-0x0000000002E21000-memory.dmp (Filesize: 4KB)
- memory/1684-208-0x0000000003E90000-0x0000000004290000-memory.dmp (Filesize: 4.0MB)
- memory/1684-209-0x0000000004290000-0x00000000042DC000-memory.dmp (Filesize: 304KB)
- memory/1684-210-0x0000000140000000-0x00000001401CF000-memory.dmp (Filesize: 1.8MB)
- memory/1684-191-0x0000000140000000-0x00000001401CF000-memory.dmp (Filesize: 1.8MB)