Analysis
- max time kernel: 150s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-07-2023 10:27
Static task
- static1
Behavioral tasks
- behavioral1: Sample Daisy.rar, Resource win7-20230712-en
- behavioral2: Sample Daisy.rar, Resource win10v2004-20230703-en
- behavioral3: Sample Daisy/7B639216.exe, Resource win7-20230712-en
- behavioral4: Sample Daisy/7B639216.exe, Resource win10v2004-20230703-en
- behavioral5: Sample Daisy/8488E511.exe, Resource win7-20230712-en
- behavioral6: Sample Daisy/8488E511.exe, Resource win10v2004-20230703-en
- behavioral7: Sample Daisy/A2D0A16E.exe, Resource win7-20230712-en
General
- Target: Daisy/7B639216.exe
- Size: 11.3MB
- MD5: 0524573ad4bbd1bed2204c312bd2277e
- SHA1: 9e05dbba1d53b806b3b626a643a9f874f6806b8b
- SHA256: e4805a5d8f387e4f1663dc5b86f146c2f86417479bf7836008c22fe32d189621
- SHA512: a094b3c4777cc4272ad81082f6c484fd5045d273f2b30a97d1d007e3fdab42955650009c0c20b89c49740fca91de423321308065e9a8e59f9dbecd87510e551c
- SSDEEP: 98304:YD5Ta9Ea18OYywznMOzTV+hF7ZEbbOPK4uvOolNrcZcXthCWcA2E3E4rbT:YNTa9Y/YyQK4IOeNrcZc9Q02E3E4j
Malware Config
Extracted
- metasploit
- windows/download_exec
- http://101.43.2.116:80/login.js
- headers: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Extracted
- cobaltstrike
- 305419896
- http://101.43.2.116:80/admin/login
- access_type: 512
- host: 101.43.2.116,/admin/login
- http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAnUmVmZXJlcjogaHR0cHM6Ly93d3cuYmp0LmJlaWppbmcuZ292LmNuAAAABwAAAAAAAAADAAAAAgAAAApTRVNTSU9OSUQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_header2: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAnUmVmZXJlcjogaHR0cHM6Ly93d3cuYmp0LmJlaWppbmcuZ292LmNuAAAABwAAAAAAAAADAAAAAgAAAAlKU0VTU0lPTj0AAAAGAAAABkNvb2tpZQAAAAcAAAABAAAAAwAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_method1: GET
- http_method2: POST
- maxdns: 255
- polling_time: 5000
- port_number: 80
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCTUlJ7J79z/MkkV8+MsYlOvREE2hhdGNzrKPFZ10lY0K5legA+um5JxESEaC0woDgSmOGrkh1giz/aQwd6tG4mihFgpi0oIbfwu6XZbE6ghYGyu2F7+A5TifRUzvU0YLXjK78EW12XhjHx4KopMF/AtOAueGwfiI2DmXwNzrBDvwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 3.82554112e+09
- unknown2: AAAABAAAAAEAAANBAAAAAgAAAqMAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /admin/user
- user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
- watermark: 305419896
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes:
  7B639216.exe
  pid    process
  2336   7B639216.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  7B639216.exe
  description                         pid    process        target process
  PID 2336 wrote to memory of 1472    2336   7B639216.exe   cmd.exe
  PID 2336 wrote to memory of 1472    2336   7B639216.exe   cmd.exe
  PID 2336 wrote to memory of 1472    2336   7B639216.exe   cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Daisy\7B639216.exe
  "C:\Users\Admin\AppData\Local\Temp\Daisy\7B639216.exe"
  1⤵
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\cmd.exe
  cmd " /c " C:\Users\Admin\AppData\Local\Temp\Daisy\cc8e4e20a281fbea7a07d19afa041fb.png
  2⤵