Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
82s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
-
submitted
18/08/2023, 02:43
General
-
Target
extractor.exe
-
Size
6.8MB
-
MD5
96e6770b7fb1b91fbbf7da53fe80c0d8
-
SHA1
51424b25cb1151242755ab4f28484093aba3baf9
-
SHA256
9d0302af3cd6fb88ccc2cf022a6abe0ecb502f1a7d8226ecea45731cd09c7cef
-
SHA512
504a7bb19403d027634ad6f8ca5cd895b6a0f758b716acc710522466d2a044b1522002d7381875fb8a5b97d36df8f36795117282ced9808132399f8b8211a90e
-
SSDEEP
98304:w3Jzct4drEm7pn9f3ez9A/PUvYQgQK90fejU1:IJ84d4mdVue3pQKah
Malware Config
Extracted
cobaltstrike
1580103824
http://60.204.140.244:2333/activity
-
access_type
512
-
beacon_type
2048
-
host
60.204.140.244,/activity
-
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
polling_time
60000
-
port_number
2333
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCQzeS7XpUi+1Lg6sZxI9EpB5Dof9htZC5f6J0XJ2Ooshhw9JP6Cbwk62FvCwdZ/lJosbGvz+ZndymEYjdbagsaFzwi13r+U8XWRDswOy2SajPfQe8oqB/Wyq8/iZSkD8HqbyTTNctvHPx3RI+nyrN8MCC80ejHHNbZG1rOSrzKcQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/submit.php
-
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; UHS)
-
watermark
1580103824
Extracted
cobaltstrike
0
-
watermark
0
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
GoLang User-Agent 2 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\extractor.exe"C:\Users\Admin\AppData\Local\Temp\extractor.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd.exe /c KEGhFi3Oshellcode_loader.exe hMU7Rhzrshika_beacon.bin2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\KEGhFi3Oshellcode_loader.exeKEGhFi3Oshellcode_loader.exe hMU7Rhzrshika_beacon.bin3⤵
- Executes dropped EXE
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.0MB
MD53ae7f6d1bf87e3f53e2499434eb9d3c7
SHA10057c8625a6d28c342a639ef1e9fb6ae5892ac50
SHA2567ef1087dcb61458bb91cedd9fb00c8864ba8851bbd2b37cabdb4bf484b94ec59
SHA5123d70d0d7e38877482897132a2768d643a55d85cf82cd30674d673e9d711dd501ac908abe4e858204651525d65ea8fbcd6f7e4ce6ac2b47fbc90d875dff787a47
-
Filesize
2.0MB
MD53ae7f6d1bf87e3f53e2499434eb9d3c7
SHA10057c8625a6d28c342a639ef1e9fb6ae5892ac50
SHA2567ef1087dcb61458bb91cedd9fb00c8864ba8851bbd2b37cabdb4bf484b94ec59
SHA5123d70d0d7e38877482897132a2768d643a55d85cf82cd30674d673e9d711dd501ac908abe4e858204651525d65ea8fbcd6f7e4ce6ac2b47fbc90d875dff787a47
-
Filesize
257KB
MD5f96a947b21ab7ea80adca2b12ef06b20
SHA195ed4d3fdc7fd58abcc157cca97d32a97468463c
SHA2564ad3076eb61f96abed4a02b82e41e98728d43539dd637056e039bf6aafec7749
SHA512aa5d9c9e5d666ee71b0be08809ed0a9a4a3d7ca3ba8cbbe1e62c723a3331c46444b133aea17d4090d3c7e8c66db7afd4b49bbdea1bfd59a2a0f1c2d3985c8d11
-
Filesize
260KB
-
Filesize
312KB
-
Filesize
312KB