Analysis
- max time kernel: 146s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20230712-en
- resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
- submitted: 20-07-2023 02:57
Behavioral task: behavioral1
- Sample: 悬赏1w收到这组苹果代码的联系我 .exe
- Resource: win7-20230712-en
Behavioral task: behavioral2
- Sample: 悬赏1w收到这组苹果代码的联系我 .exe
- Resource: win10v2004-20230703-en
General
- Target: 悬赏1w收到这组苹果代码的联系我 .exe
- Size: 2.7MB
- MD5: 4b3ccee2b42858c38612853cb5550acf
- SHA1: 19d1707b393b214d5aaf4e1bc66d12c1b16955be
- SHA256: 71bf6619ee3fccd8197a973907809f6df347304d4d848f6aa7cfdf80968c0c42
- SHA512: 42289cb63620f14102d801bfcb42942d1d86a1d4723925b20fde9ad8f481dabb19606751bf56f4dfbc78ec93b86ab6c8fb2183d92242470d2edec17995eaf6a5
- SSDEEP: 49152:UG5S4ao5/nJMPmOr0vJV+N2b3wyHDOk4kJtWEJaE02GQrnbboG1/XHELm9Do:UGWcfJMVoL7TwCyvE02Bh1/3EuD
Malware Config
Extracted: metasploit
- payload: windows/download_exec
- url: http://101.43.16.149:80/login.js
- headers: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Extracted: cobaltstrike
- watermark: 305419896
- url: http://101.43.16.149:80/admin/login
- access_type: 512
- host: 101.43.16.149,/admin/login
- http_header1 (base64):
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAnUmVmZXJlcjogaHR0cHM6Ly93d3cuYmp0LmJlaWppbmcuZ292LmNuAAAABwAAAAAAAAADAAAAAgAAAApTRVNTSU9OSUQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_header2 (base64):
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAnUmVmZXJlcjogaHR0cHM6Ly93d3cuYmp0LmJlaWppbmcuZ292LmNuAAAABwAAAAAAAAADAAAAAgAAAAlKU0VTU0lPTj0AAAAGAAAABkNvb2tpZQAAAAcAAAABAAAAAwAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_method1: GET
- http_method2: POST
- maxdns: 255
- polling_time: 5000
- port_number: 80
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine (base64):
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCTUlJ7J79z/MkkV8+MsYlOvREE2hhdGNzrKPFZ10lY0K5legA+um5JxESEaC0woDgSmOGrkh1giz/aQwd6tG4mihFgpi0oIbfwu6XZbE6ghYGyu2F7+A5TifRUzvU0YLXjK78EW12XhjHx4KopMF/AtOAueGwfiI2DmXwNzrBDvwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 3.82554112e+09
- unknown2 (base64):
AAAABAAAAAEAAANBAAAAAgAAAqMAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /admin/user
- user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
- watermark: 305419896
Signatures
- Cobaltstrike: Detected malicious payload which is part of Cobaltstrike.
- MetaSploit: Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Executes dropped EXE (1 IoCs)
  Processes (pid, process): 2556 sunu.exe
- YARA rule matches (resource: rule)
  behavioral1/memory/2664-54-0x0000000001100000-0x0000000001729000-memory.dmp: upx
  C:\Users\Public\sunu.exe: upx (3 matches)
  behavioral1/memory/2556-62-0x0000000000C60000-0x0000000000E0F000-memory.dmp: upx
  behavioral1/memory/2664-63-0x0000000001100000-0x0000000001729000-memory.dmp: upx
  behavioral1/memory/2556-119-0x0000000000C60000-0x0000000000E0F000-memory.dmp: upx
- Enumerates physical storage devices (1 TTPs): Attempts to interact with connected storage/optical drive(s).
- Modifies system certificate store
  Processes (description, ioc, process):
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 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 (悬赏1w收到这组苹果代码的联系我 .exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 (悬赏1w收到这组苹果代码的联系我 .exe)
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes (pid, process): 2664 悬赏1w收到这组苹果代码的联系我 .exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description, pid, process, target process):
  PID 2664 wrote to memory of 1432: 悬赏1w收到这组苹果代码的联系我 .exe -> cmd.exe (3 IoCs)
  PID 2664 wrote to memory of 2556: 悬赏1w收到这组苹果代码的联系我 .exe -> sunu.exe (4 IoCs)
Processes (process tree; nesting shows parent/child)
- C:\Users\Admin\AppData\Local\Temp\悬赏1w收到这组苹果代码的联系我 .exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\悬赏1w收到这组苹果代码的联系我 .exe"
  - Modifies system certificate store
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: cmd " /c " C:\Users\Admin\AppData\Local\Temp\1.png
  - C:\Users\Public\sunu.exe
    Command line: C:\Users\Public\sunu.exe
    - Executes dropped EXE
Downloads
- C:\Users\Public\sunu.exe
  Filesize: 594KB
  MD5: 4dde5f4596302ffaeca3ccc4bcddd594
  SHA1: a1364682f49c15989ba1eead02ae0b50fb20be80
  SHA256: 7eb0e3319d0571c9e6a893ea95d5343c0e703203ad1a30e2ba93a000ff8d789f
  SHA512: fb0dd421d3dc1aa412a15becc4244073ee784d375dd4caa2702f3109ed2489083c6bb86b9952f9968b074fdd10500df63ec509420e1e2b8dd2791fb68e530418
- memory/1432-116-0x0000000000500000-0x0000000000510000-memory.dmp: Filesize 64KB
- memory/2556-62-0x0000000000C60000-0x0000000000E0F000-memory.dmp: Filesize 1.7MB
- memory/2556-96-0x00000000001C0000-0x00000000001C1000-memory.dmp: Filesize 4KB
- memory/2556-118-0x0000000033900000-0x0000000033D00000-memory.dmp: Filesize 4.0MB
- memory/2556-117-0x00000000332C0000-0x000000003333D000-memory.dmp: Filesize 500KB
- memory/2556-119-0x0000000000C60000-0x0000000000E0F000-memory.dmp: Filesize 1.7MB
- memory/2664-54-0x0000000001100000-0x0000000001729000-memory.dmp: Filesize 6.2MB
- memory/2664-63-0x0000000001100000-0x0000000001729000-memory.dmp: Filesize 6.2MB