Overview

overview

10

Static

static

3

Daisy.rar

windows7-x64

3

Daisy.rar

windows10-2004-x64

3

Daisy/7B639216.exe

windows7-x64

10

Daisy/7B639216.exe

windows10-2004-x64

10

Daisy/8488E511.exe

windows7-x64

1

Daisy/8488E511.exe

windows10-2004-x64

1

Daisy/A2D0A16E.exe

windows7-x64

7

Daisy/A2D0A16E.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    158s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    23-07-2023 10:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Daisy/7B639216.exe

  • Size

    11.3MB

  • MD5

    0524573ad4bbd1bed2204c312bd2277e

  • SHA1

    9e05dbba1d53b806b3b626a643a9f874f6806b8b

  • SHA256

    e4805a5d8f387e4f1663dc5b86f146c2f86417479bf7836008c22fe32d189621

  • SHA512

    a094b3c4777cc4272ad81082f6c484fd5045d273f2b30a97d1d007e3fdab42955650009c0c20b89c49740fca91de423321308065e9a8e59f9dbecd87510e551c

  • SSDEEP

    98304:YD5Ta9Ea18OYywznMOzTV+hF7ZEbbOPK4uvOolNrcZcXthCWcA2E3E4rbT:YNTa9Y/YyQK4IOeNrcZc9Q02E3E4j

Score
10/10
cobaltstrikemetasploit305419896backdoortrojan

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://101.43.2.116:80/login.js

Attributes
  • headers User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36

Extracted

Family

cobaltstrike

Botnet

305419896

C2

http://101.43.2.116:80/admin/login

Attributes
  • access_type

    512

  • host

    101.43.2.116,/admin/login

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAnUmVmZXJlcjogaHR0cHM6Ly93d3cuYmp0LmJlaWppbmcuZ292LmNuAAAABwAAAAAAAAADAAAAAgAAAApTRVNTSU9OSUQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAnUmVmZXJlcjogaHR0cHM6Ly93d3cuYmp0LmJlaWppbmcuZ292LmNuAAAABwAAAAAAAAADAAAAAgAAAAlKU0VTU0lPTj0AAAAGAAAABkNvb2tpZQAAAAcAAAABAAAAAwAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • polling_time

    5000

  • port_number

    80

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCTUlJ7J79z/MkkV8+MsYlOvREE2hhdGNzrKPFZ10lY0K5legA+um5JxESEaC0woDgSmOGrkh1giz/aQwd6tG4mihFgpi0oIbfwu6XZbE6ghYGyu2F7+A5TifRUzvU0YLXjK78EW12XhjHx4KopMF/AtOAueGwfiI2DmXwNzrBDvwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    3.82554112e+09

  • unknown2

    AAAABAAAAAEAAANBAAAAAgAAAqMAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /admin/user

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36

  • watermark

    305419896

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Daisy\7B639216.exe
    "C:\Users\Admin\AppData\Local\Temp\Daisy\7B639216.exe"
    1⤵
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:780
    • C:\Windows\SysWOW64\cmd.exe
      cmd " /c " C:\Users\Admin\AppData\Local\Temp\Daisy\cc8e4e20a281fbea7a07d19afa041fb.png
      2⤵
        PID:1288
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • Suspicious use of FindShellTrayWindow
      PID:2840

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Daisy\cc8e4e20a281fbea7a07d19afa041fb.png
      Filesize

      148KB

      MD5

      98df0998cf6af88dee25e25e7544158d

      SHA1

      cebeae0b0897339cafb8c2170f148d330f586842

      SHA256

      6f62988b48953c7027b270189e2243d98b0f6048b408c39f1c3ced07f435702e

      SHA512

      e0279cd37f7791863fb1682de2ba8b3ca054421c1183896cd26847d789fb9865583688b057a15a3e20443ef90b029c4a34d6543496d76530f5c640f8fea1f660

      Download Submit
    • memory/780-55-0x0000000000F90000-0x0000000000F91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/780-109-0x0000000033F70000-0x0000000033FED000-memory.dmp
      Filesize

      500KB

      Download
    • memory/780-110-0x0000000034110000-0x0000000034510000-memory.dmp
      Filesize

      4.0MB

      Download
    • memory/1288-106-0x0000000000490000-0x0000000000492000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2840-107-0x00000000000F0000-0x00000000000F2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2840-108-0x0000000000210000-0x0000000000211000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2840-112-0x0000000000210000-0x0000000000211000-memory.dmp
      Filesize

      4KB

      Download