Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

extractor.exe

windows7-x64

10

extractor.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    64s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    18/08/2023, 02:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    extractor.exe

  • Size

    6.8MB

  • MD5

    96e6770b7fb1b91fbbf7da53fe80c0d8

  • SHA1

    51424b25cb1151242755ab4f28484093aba3baf9

  • SHA256

    9d0302af3cd6fb88ccc2cf022a6abe0ecb502f1a7d8226ecea45731cd09c7cef

  • SHA512

    504a7bb19403d027634ad6f8ca5cd895b6a0f758b716acc710522466d2a044b1522002d7381875fb8a5b97d36df8f36795117282ced9808132399f8b8211a90e

  • SSDEEP

    98304:w3Jzct4drEm7pn9f3ez9A/PUvYQgQK90fejU1:IJ84d4mdVue3pQKah

Score
10/10
cobaltstrike01580103824backdoorpersistencetrojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

1580103824

C2

http://60.204.140.244:2333/activity

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    60.204.140.244,/activity

  • http_header1

    AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • polling_time

    60000

  • port_number

    2333

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCQzeS7XpUi+1Lg6sZxI9EpB5Dof9htZC5f6J0XJ2Ooshhw9JP6Cbwk62FvCwdZ/lJosbGvz+ZndymEYjdbagsaFzwi13r+U8XWRDswOy2SajPfQe8oqB/Wyq8/iZSkD8HqbyTTNctvHPx3RI+nyrN8MCC80ejHHNbZG1rOSrzKcQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /submit.php

  • user_agent

    Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; UHS)

  • watermark

    1580103824

Extracted

Family

cobaltstrike

Botnet

0

Attributes
  • watermark

    0

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • GoLang User-Agent 2 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\extractor.exe
    "C:\Users\Admin\AppData\Local\Temp\extractor.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2176
    • C:\Windows\system32\cmd.exe
      cmd.exe /c kCxKaFAyshellcode_loader.exe bgo2Nutfshika_beacon.bin
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2444
      • C:\Users\Admin\AppData\Local\Temp\kCxKaFAyshellcode_loader.exe
        kCxKaFAyshellcode_loader.exe bgo2Nutfshika_beacon.bin
        3⤵
        • Executes dropped EXE
        PID:2796

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Cab782E.tmp
    Filesize

    62KB

    MD5

    3ac860860707baaf32469fa7cc7c0192

    SHA1

    c33c2acdaba0e6fa41fd2f00f186804722477639

    SHA256

    d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

    SHA512

    d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\bgo2Nutfshika_beacon.bin
    Filesize

    257KB

    MD5

    f96a947b21ab7ea80adca2b12ef06b20

    SHA1

    95ed4d3fdc7fd58abcc157cca97d32a97468463c

    SHA256

    4ad3076eb61f96abed4a02b82e41e98728d43539dd637056e039bf6aafec7749

    SHA512

    aa5d9c9e5d666ee71b0be08809ed0a9a4a3d7ca3ba8cbbe1e62c723a3331c46444b133aea17d4090d3c7e8c66db7afd4b49bbdea1bfd59a2a0f1c2d3985c8d11

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\kCxKaFAyshellcode_loader.exe
    Filesize

    2.0MB

    MD5

    3ae7f6d1bf87e3f53e2499434eb9d3c7

    SHA1

    0057c8625a6d28c342a639ef1e9fb6ae5892ac50

    SHA256

    7ef1087dcb61458bb91cedd9fb00c8864ba8851bbd2b37cabdb4bf484b94ec59

    SHA512

    3d70d0d7e38877482897132a2768d643a55d85cf82cd30674d673e9d711dd501ac908abe4e858204651525d65ea8fbcd6f7e4ce6ac2b47fbc90d875dff787a47

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\kCxKaFAyshellcode_loader.exe
    Filesize

    2.0MB

    MD5

    3ae7f6d1bf87e3f53e2499434eb9d3c7

    SHA1

    0057c8625a6d28c342a639ef1e9fb6ae5892ac50

    SHA256

    7ef1087dcb61458bb91cedd9fb00c8864ba8851bbd2b37cabdb4bf484b94ec59

    SHA512

    3d70d0d7e38877482897132a2768d643a55d85cf82cd30674d673e9d711dd501ac908abe4e858204651525d65ea8fbcd6f7e4ce6ac2b47fbc90d875dff787a47

    Download Submit

  • \Users\Admin\AppData\Local\Temp\kCxKaFAyshellcode_loader.exe
    Filesize

    2.0MB

    MD5

    3ae7f6d1bf87e3f53e2499434eb9d3c7

    SHA1

    0057c8625a6d28c342a639ef1e9fb6ae5892ac50

    SHA256

    7ef1087dcb61458bb91cedd9fb00c8864ba8851bbd2b37cabdb4bf484b94ec59

    SHA512

    3d70d0d7e38877482897132a2768d643a55d85cf82cd30674d673e9d711dd501ac908abe4e858204651525d65ea8fbcd6f7e4ce6ac2b47fbc90d875dff787a47

    Download Submit

  • \Users\Admin\AppData\Local\Temp\kCxKaFAyshellcode_loader.exe
    Filesize

    2.0MB

    MD5

    3ae7f6d1bf87e3f53e2499434eb9d3c7

    SHA1

    0057c8625a6d28c342a639ef1e9fb6ae5892ac50

    SHA256

    7ef1087dcb61458bb91cedd9fb00c8864ba8851bbd2b37cabdb4bf484b94ec59

    SHA512

    3d70d0d7e38877482897132a2768d643a55d85cf82cd30674d673e9d711dd501ac908abe4e858204651525d65ea8fbcd6f7e4ce6ac2b47fbc90d875dff787a47

    Download Submit

  • memory/2796-61-0x0000000028590000-0x00000000285D1000-memory.dmp

    Filesize

    260KB

    Download

  • memory/2796-62-0x00000000286A0000-0x00000000286EE000-memory.dmp

    Filesize

    312KB

    Download

  • memory/2796-63-0x00000000286A0000-0x00000000286EE000-memory.dmp

    Filesize

    312KB

    Download