cobaltstrike | 2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a

Resubmissions

11-08-2023 18:09

230811-wrxmsshg7w 10

10-08-2023 16:39

10-08-2023 16:00

10-08-2023 15:59

10-08-2023 15:56

Analysis

max time kernel
143s
max time network
153s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
10-08-2023 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe
Size

4.5MB
MD5

62f510d6c3ecf3c63f54240379a223d1
SHA1

b3d826c02cb856db7a4edc0599c885f054984973
SHA256

2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a
SHA512

8308c4445631bc305c3f25cb6c33c5f3c5c20d4e7ac55baff5fa0018a396ea5feea3b6adbda7107ea2e848565e73ea7c8d5503ace8a7c4cbaf2e987c90694e0a
SSDEEP

98304:OlHQcO/ki1LShsRT6q+LsnggYpdBs8R8YT6v/TwZVVABrxzB0RWcQ0b:Olwceki1LShOOq+L7gYpx+YnAJxpt0b

Score

10^/10

cobaltstrike metasploit 1359593325 backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

http://time.api.chinabm.cn:443/rpc

Extracted

Family

cobaltstrike

Botnet

1359593325

http://time.api.chinabm.cn:443/owa/

Attributes

access_type
512
beacon_type
2048
host
time.api.chinabm.cn,/owa/
http_header1
AAAAEAAAABZIb3N0OiBvdXRsb29rLmxpdmUuY29tAAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAACGQ29va2llOiBNaWNyb3NvZnRBcHBsaWNhdGlvbnNUZWxlbWV0cnlEZXZpY2VJZD05NWMxOGQ4LTRkY2U5ODU0O0NsaWVudElkPTFDMEY2QzVEOTEwRjk7TVNQQXV0aD0zRWtBakRLakk7eGlkPTczMGJmNzt3bGE0Mj1aRzB5TXpBMktqRXMAAAAHAAAAAAAAAA0AAAAFAAAAAndhAAAACQAAAA5wYXRoPS9jYWxlbmRhcgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAAEAAAABZIb3N0OiBvdXRsb29rLmxpdmUuY29tAAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAABAAAADQAAAAUAAAACd2EAAAAHAAAAAAAAAA0AAAACAAAABndsYTQyPQAAAAIAAAALeGlkPTczMGJmNzsAAAACAAAAEk1TUEF1dGg9M0VrQWpES2pJOwAAAAIAAAAXQ2xpZW50SWQ9MUMwRjZDNUQ5MTBGOTsAAAACAAAAOE1pY3Jvc29mdEFwcGxpY2F0aW9uc1RlbGVtZXRyeURldmljZUlkPTk1YzE4ZDgtNGRjZTk4NTQ7AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
GET
jitter
5120
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\gpupdate.exe
sc_process64
%windir%\sysnative\gpupdate.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCgwZtr5WmRWGqXa6bxdqQDUmj+XU+vA4zK2b7Nfzq4qy143458ufxXidOMjoSLVP3BqyJgWamd0KYY7Yt3bDmFbWashi7f+OYdWpDNixd5AvcGOOzQhShEZ/0Uz8CG/gc99swyssnxs0YBg9Hka4Wh0ufxO89KSApuLegLE5i1/QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.448416512e+09
unknown2
AAAABAAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown3
1.610612736e+09
uri
/OWA/
user_agent
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)
watermark
1359593325

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Loads dropped DLL 3 IoCs

Processes:

2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe

pid	process
2280	2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe
2280	2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe
2280	2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe

description pid process

Token: 35 2280 2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe

description	pid	process
Token: 35	2280	2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe

description	pid	process	target process
PID 284 wrote to memory of 2280	284	2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe	2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe
PID 284 wrote to memory of 2280	284	2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe	2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe
PID 284 wrote to memory of 2280	284	2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe	2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe
PID 284 wrote to memory of 2280	284	2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe	2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe

C:\Users\Admin\AppData\Local\Temp\2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe
"C:\Users\Admin\AppData\Local\Temp\2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:284

C:\Users\Admin\AppData\Local\Temp\2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe
"C:\Users\Admin\AppData\Local\Temp\2548b8a5a82c7db16055fbbaf2a4863ccf0caa92d661b6be0481432c48af818a.exe"
2⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2280

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
352eb5e60dc58e104ff5debbb99e483c

SHA1
656886a429eecb25859a091e191f326298ad0eda

SHA256
e0efd7c1e0d2b42944db669ea8b475ffe94b6ee2ad4add5df2f80361b0d76970

SHA512
6263fae431ef2ea858b2373a2ed0d9d4003a71279646d16408dbca3db27c50d8bb95a39ee29cee7ec821f15a92964220cc87090d1a94818af0012d0056738542

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD24F.tmp
Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD52F.tmp
Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2842\MSVCR100.dll
Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2842\_ctypes.pyd
Filesize
83KB

MD5
673dc6681afb67384e923dc9bfd2cd90

SHA1
445fcab47381908214d0636be9604828f9d33a47

SHA256
d551e7fcafab97340e03a41ca2f7d5c2ade7eecf7cdaedf147abad63f09f263c

SHA512
801478c83727a59409c19afa9a3edce81c0139f58e3dc81696ffd690e3f1de9c595f100279b18180a9189feaf9fcc40fb74e609f181f2decbea13c6b2a49f6a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2842\base_library.zip
Filesize
708KB

MD5
0aecf93f79fccf4cecd0b8c40c1563b3

SHA1
36c406740615d9b5f1b89311e65931fe258fc4b1

SHA256
f751f64f4bd5018bd38a0cfe7e808856426b4076897d58abede01413c4fde80d

SHA512
b1e51e3ec81f659a78a5971cdc2e7d234ec0d87c5c787f64af02f90b32f665dda3b421139f88e36f55cda713e670f739178731ae4fe313d629eecc67c6856d27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2842\python34.dll
Filesize
2.6MB

MD5
2a78649eb1fe4354060623785f7f98aa

SHA1
85dcadf0b43db27f47713c433f8e31a8642cf8d5

SHA256
fdb01967868edc948d9e0ee128a26a3c76df2600262ca9d38034d45dbe39017d

SHA512
678b122bf318b78a7699f4417d6b74e65f3dc740d287c9a193a59c670d38579fa20180dd363f1e620fbce7e388d993e59321b19127fff3e6d6502a8e24a33d6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2842\shellcode_loader_1.exe.manifest
Filesize
1KB

MD5
737cee84004d9e7c1f1256d922490b40

SHA1
f642a0fc241104b7a0aa011e434dfbe3de0b71ce

SHA256
db9d564d53e46ee9ebb875443155f733d297d42a91f000153da1e29fede0a199

SHA512
d3193eb3c9ab1624e9949af78fed47223e88fceeb97b8a3a80161ac358be1018e5eecfeafa6117b6f5ac2ecbb6a179ce707b16a0ef8ffdcbd2114e46152e130b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI2842\MSVCR100.dll
Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI2842\_ctypes.pyd
Filesize
83KB

MD5
673dc6681afb67384e923dc9bfd2cd90

SHA1
445fcab47381908214d0636be9604828f9d33a47

SHA256
d551e7fcafab97340e03a41ca2f7d5c2ade7eecf7cdaedf147abad63f09f263c

SHA512
801478c83727a59409c19afa9a3edce81c0139f58e3dc81696ffd690e3f1de9c595f100279b18180a9189feaf9fcc40fb74e609f181f2decbea13c6b2a49f6a6

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI2842\python34.dll
Filesize
2.6MB

MD5
2a78649eb1fe4354060623785f7f98aa

SHA1
85dcadf0b43db27f47713c433f8e31a8642cf8d5

SHA256
fdb01967868edc948d9e0ee128a26a3c76df2600262ca9d38034d45dbe39017d

SHA512
678b122bf318b78a7699f4417d6b74e65f3dc740d287c9a193a59c670d38579fa20180dd363f1e620fbce7e388d993e59321b19127fff3e6d6502a8e24a33d6a

Download Submit
memory/284-79-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-78-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2280-124-0x00000000033C0000-0x00000000033FD000-memory.dmp

Filesize
244KB

Download
memory/2280-125-0x0000000004530000-0x0000000004930000-memory.dmp

Filesize
4.0MB

Download
memory/2280-154-0x00000000033C0000-0x00000000033FD000-memory.dmp

Filesize
244KB

Download
memory/2280-157-0x0000000004530000-0x0000000004930000-memory.dmp

Filesize
4.0MB

Download