Analysis
-
max time kernel
150s
-
max time network
158s
-
platform
windows7_x64
-
resource
win7-20230712-en
-
resource tags
arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
-
submitted
23-07-2023 10:27
Static task
static1
Behavioral task
behavioral1
Sample
Daisy.rar
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
Daisy.rar
Resource
win10v2004-20230703-en
Behavioral task
behavioral3
Sample
Daisy/7B639216.exe
Resource
win7-20230712-en
Behavioral task
behavioral4
Sample
Daisy/7B639216.exe
Resource
win10v2004-20230703-en
Behavioral task
behavioral5
Sample
Daisy/8488E511.exe
Resource
win7-20230712-en
Behavioral task
behavioral6
Sample
Daisy/8488E511.exe
Resource
win10v2004-20230703-en
Behavioral task
behavioral7
Sample
Daisy/A2D0A16E.exe
Resource
win7-20230712-en
General
-
Target
Daisy/7B639216.exe
-
Size
11.3MB
-
MD5
0524573ad4bbd1bed2204c312bd2277e
-
SHA1
9e05dbba1d53b806b3b626a643a9f874f6806b8b
-
SHA256
e4805a5d8f387e4f1663dc5b86f146c2f86417479bf7836008c22fe32d189621
-
SHA512
a094b3c4777cc4272ad81082f6c484fd5045d273f2b30a97d1d007e3fdab42955650009c0c20b89c49740fca91de423321308065e9a8e59f9dbecd87510e551c
-
SSDEEP
98304:YD5Ta9Ea18OYywznMOzTV+hF7ZEbbOPK4uvOolNrcZcXthCWcA2E3E4rbT:YNTa9Y/YyQK4IOeNrcZc9Q02E3E4j
Malware Config
Extracted
metasploit
windows/download_exec
http://101.43.2.116:80/login.js
-
headers
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Extracted
cobaltstrike
305419896
http://101.43.2.116:80/admin/login
-
access_type
512
-
host
101.43.2.116,/admin/login
-
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAnUmVmZXJlcjogaHR0cHM6Ly93d3cuYmp0LmJlaWppbmcuZ292LmNuAAAABwAAAAAAAAADAAAAAgAAAApTRVNTSU9OSUQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAnUmVmZXJlcjogaHR0cHM6Ly93d3cuYmp0LmJlaWppbmcuZ292LmNuAAAABwAAAAAAAAADAAAAAgAAAAlKU0VTU0lPTj0AAAAGAAAABkNvb2tpZQAAAAcAAAABAAAAAwAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
maxdns
255
-
polling_time
5000
-
port_number
80
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCTUlJ7J79z/MkkV8+MsYlOvREE2hhdGNzrKPFZ10lY0K5legA+um5JxESEaC0woDgSmOGrkh1giz/aQwd6tG4mihFgpi0oIbfwu6XZbE6ghYGyu2F7+A5TifRUzvU0YLXjK78EW12XhjHx4KopMF/AtOAueGwfiI2DmXwNzrBDvwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
3.82554112e+09
-
unknown2
AAAABAAAAAEAAANBAAAAAgAAAqMAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/admin/user
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
-
watermark
305419896
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: RenamesItself 1 IoCs
Processes:
pid  process
780  7B639216.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid   process
2840  DllHost.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description                       pid  process       target process
PID 780 wrote to memory of 1288   780  7B639216.exe  cmd.exe
PID 780 wrote to memory of 1288   780  7B639216.exe  cmd.exe
PID 780 wrote to memory of 1288   780  7B639216.exe  cmd.exe
PID 780 wrote to memory of 1288   780  7B639216.exe  cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Daisy\7B639216.exe (depth 1)
command line: "C:\Users\Admin\AppData\Local\Temp\Daisy\7B639216.exe"
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (depth 2)
command line: cmd " /c " C:\Users\Admin\AppData\Local\Temp\Daisy\cc8e4e20a281fbea7a07d19afa041fb.png
-
C:\Windows\SysWOW64\DllHost.exe (depth 1)
command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Daisy\cc8e4e20a281fbea7a07d19afa041fb.png
Filesize
148KB
MD5
98df0998cf6af88dee25e25e7544158d
SHA1
cebeae0b0897339cafb8c2170f148d330f586842
SHA256
6f62988b48953c7027b270189e2243d98b0f6048b408c39f1c3ced07f435702e
SHA512
e0279cd37f7791863fb1682de2ba8b3ca054421c1183896cd26847d789fb9865583688b057a15a3e20443ef90b029c4a34d6543496d76530f5c640f8fea1f660
-
memory/780-55-0x0000000000F90000-0x0000000000F91000-memory.dmp
Filesize
4KB
-
memory/780-109-0x0000000033F70000-0x0000000033FED000-memory.dmp
Filesize
500KB
-
memory/780-110-0x0000000034110000-0x0000000034510000-memory.dmp
Filesize
4.0MB
-
memory/1288-106-0x0000000000490000-0x0000000000492000-memory.dmp
Filesize
8KB
-
memory/2840-107-0x00000000000F0000-0x00000000000F2000-memory.dmp
Filesize
8KB
-
memory/2840-108-0x0000000000210000-0x0000000000211000-memory.dmp
Filesize
4KB
-
memory/2840-112-0x0000000000210000-0x0000000000211000-memory.dmp
Filesize
4KB