Overview

overview

10

Static

static

7

悬赏1w... .exe

windows7-x64

10

悬赏1w... .exe

windows10-2004-x64

7

Resubmissions

20-07-2023 02:57

230720-dfp5gach9v 10

31-01-2023 07:41

230131-jjcanshb9x 10

Analysis

  • max time kernel
    146s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    20-07-2023 02:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    悬赏1w收到这组苹果代码的联系我 .exe

  • Size

    2.7MB

  • MD5

    4b3ccee2b42858c38612853cb5550acf

  • SHA1

    19d1707b393b214d5aaf4e1bc66d12c1b16955be

  • SHA256

    71bf6619ee3fccd8197a973907809f6df347304d4d848f6aa7cfdf80968c0c42

  • SHA512

    42289cb63620f14102d801bfcb42942d1d86a1d4723925b20fde9ad8f481dabb19606751bf56f4dfbc78ec93b86ab6c8fb2183d92242470d2edec17995eaf6a5

  • SSDEEP

    49152:UG5S4ao5/nJMPmOr0vJV+N2b3wyHDOk4kJtWEJaE02GQrnbboG1/XHELm9Do:UGWcfJMVoL7TwCyvE02Bh1/3EuD

Score
10/10
cobaltstrikemetasploit305419896backdoortrojanupx

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://101.43.16.149:80/login.js

Attributes
  • headers User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36

Extracted

Family

cobaltstrike

Botnet

305419896

C2

http://101.43.16.149:80/admin/login

Attributes
  • access_type

    512

  • host

    101.43.16.149,/admin/login

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAnUmVmZXJlcjogaHR0cHM6Ly93d3cuYmp0LmJlaWppbmcuZ292LmNuAAAABwAAAAAAAAADAAAAAgAAAApTRVNTSU9OSUQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAnUmVmZXJlcjogaHR0cHM6Ly93d3cuYmp0LmJlaWppbmcuZ292LmNuAAAABwAAAAAAAAADAAAAAgAAAAlKU0VTU0lPTj0AAAAGAAAABkNvb2tpZQAAAAcAAAABAAAAAwAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • polling_time

    5000

  • port_number

    80

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCTUlJ7J79z/MkkV8+MsYlOvREE2hhdGNzrKPFZ10lY0K5legA+um5JxESEaC0woDgSmOGrkh1giz/aQwd6tG4mihFgpi0oIbfwu6XZbE6ghYGyu2F7+A5TifRUzvU0YLXjK78EW12XhjHx4KopMF/AtOAueGwfiI2DmXwNzrBDvwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    3.82554112e+09

  • unknown2

    AAAABAAAAAEAAANBAAAAAgAAAqMAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /admin/user

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36

  • watermark

    305419896

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Executes dropped EXE 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\悬赏1w收到这组苹果代码的联系我 .exe
    "C:\Users\Admin\AppData\Local\Temp\悬赏1w收到这组苹果代码的联系我 .exe"
    1⤵
    • Modifies system certificate store
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2664
    • C:\Windows\system32\cmd.exe
      cmd " /c " C:\Users\Admin\AppData\Local\Temp\1.png
      2⤵
        PID:1432
      • C:\Users\Public\sunu.exe
        C:\Users\Public\sunu.exe
        2⤵
        • Executes dropped EXE
        PID:2556

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Install Root Certificate

    1
    T1130

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Public\sunu.exe
      Filesize

      594KB

      MD5

      4dde5f4596302ffaeca3ccc4bcddd594

      SHA1

      a1364682f49c15989ba1eead02ae0b50fb20be80

      SHA256

      7eb0e3319d0571c9e6a893ea95d5343c0e703203ad1a30e2ba93a000ff8d789f

      SHA512

      fb0dd421d3dc1aa412a15becc4244073ee784d375dd4caa2702f3109ed2489083c6bb86b9952f9968b074fdd10500df63ec509420e1e2b8dd2791fb68e530418

      Download Submit
    • C:\Users\Public\sunu.exe
      Filesize

      594KB

      MD5

      4dde5f4596302ffaeca3ccc4bcddd594

      SHA1

      a1364682f49c15989ba1eead02ae0b50fb20be80

      SHA256

      7eb0e3319d0571c9e6a893ea95d5343c0e703203ad1a30e2ba93a000ff8d789f

      SHA512

      fb0dd421d3dc1aa412a15becc4244073ee784d375dd4caa2702f3109ed2489083c6bb86b9952f9968b074fdd10500df63ec509420e1e2b8dd2791fb68e530418

      Download Submit
    • C:\Users\Public\sunu.exe
      Filesize

      594KB

      MD5

      4dde5f4596302ffaeca3ccc4bcddd594

      SHA1

      a1364682f49c15989ba1eead02ae0b50fb20be80

      SHA256

      7eb0e3319d0571c9e6a893ea95d5343c0e703203ad1a30e2ba93a000ff8d789f

      SHA512

      fb0dd421d3dc1aa412a15becc4244073ee784d375dd4caa2702f3109ed2489083c6bb86b9952f9968b074fdd10500df63ec509420e1e2b8dd2791fb68e530418

      Download Submit
    • memory/1432-116-0x0000000000500000-0x0000000000510000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2556-62-0x0000000000C60000-0x0000000000E0F000-memory.dmp
      Filesize

      1.7MB

      Download
    • memory/2556-96-0x00000000001C0000-0x00000000001C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2556-118-0x0000000033900000-0x0000000033D00000-memory.dmp
      Filesize

      4.0MB

      Download
    • memory/2556-117-0x00000000332C0000-0x000000003333D000-memory.dmp
      Filesize

      500KB

      Download
    • memory/2556-119-0x0000000000C60000-0x0000000000E0F000-memory.dmp
      Filesize

      1.7MB

      Download
    • memory/2664-54-0x0000000001100000-0x0000000001729000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/2664-63-0x0000000001100000-0x0000000001729000-memory.dmp
      Filesize

      6.2MB

      Download