Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20230621-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-06-2023 14:35
Static task: static1
Behavioral task: behavioral1
- Sample: macchina.exe
- Resource: win7-20230621-en
Behavioral task: behavioral2
- Sample: macchina.exe
- Resource: win10v2004-20230621-en
General
- Target: macchina.exe
- Size: 9.2MB
- MD5: b672ffd7d21f78ab6e1aaca2d768ea45
- SHA1: c0d6df27f6757b1b443915abdafc6a20ff0d7c3e
- SHA256: fb57cac696e24c505a392895dc3fe4ae001afc03b9f9ceae0d7ed40c5f999548
- SHA512: 2b1a6bc26b9596a4a89a6e66aa7c1dbe57cf33b957412437f75dfd4c912b8fe98b7beab1d2da0645d300c6af99bf233613e8af1a65109280ff805dde7fbff300
- SSDEEP: 98304:j09J8Jr5xLHygh4YolijgrUuPR8SfwVG/haEKT4OiZrq1DfPHNADtV6v++Xh:j287xj4FfRbM4O7NADtV6v+G
Malware Config
Extracted: cobaltstrike
- http://service-ikudci3k-1318310578.gz.apigw.tencentcs.com:80/icon.ico
- user_agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Extracted: cobaltstrike
- 100000000
- http://service-ikudci3k-1318310578.gz.apigw.tencentcs.com:80/search
- access_type: 512
- host: service-ikudci3k-1318310578.gz.apigw.tencentcs.com,/search
- http_header1:
- http_header2:
- http_method1: GET
- http_method2: POST
- jitter: 2560
- polling_time: 5000
- port_number: 80
- sc_process32: %windir%\syswow64\dllhost.exe
- sc_process64: %windir%\sysnative\dllhost.exe
- state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCvnw4I4y1Cf4vzl0C2rOZj3ttjTDDeqJGoW/Qpx47yXZ0KnJ+mHp6LKnyNgvcKV6XnOsVydRGZlpBFWMuS1pZVOdROArcl6QeYCGBRdxAZE+u/X4ywIsrsP/eVivln/DEDpoLo4soxPoYCI/nLfbs325RAGpXY/bhkyJUhpBAxFwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 3.82554112e+09
- unknown2: AAAABAAAAAEAAANBAAAAAgAAAqMAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /switch
- user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
- watermark: 100000000
Signatures
- Cobaltstrike: Detected malicious payload which is part of Cobaltstrike.
- GoLang User-Agent (1 IoCs): Uses default user-agent string defined by GoLang HTTP packages.
  description: HTTP User-Agent header; flow: 8; ioc: Go-http-client/1.1
- Suspicious behavior: RenamesItself (1 IoCs)
  pid: 864; Process: macchina.exe