Analysis
- max time kernel: 82s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/08/2023, 02:43
Static task: static1
Behavioral task: behavioral1
- Sample: extractor.exe
- Resource: win7-20230712-en
Behavioral task: behavioral2
- Sample: extractor.exe
- Resource: win10v2004-20230703-en
General
- Target: extractor.exe
- Size: 6.8MB
- MD5: 96e6770b7fb1b91fbbf7da53fe80c0d8
- SHA1: 51424b25cb1151242755ab4f28484093aba3baf9
- SHA256: 9d0302af3cd6fb88ccc2cf022a6abe0ecb502f1a7d8226ecea45731cd09c7cef
- SHA512: 504a7bb19403d027634ad6f8ca5cd895b6a0f758b716acc710522466d2a044b1522002d7381875fb8a5b97d36df8f36795117282ced9808132399f8b8211a90e
- SSDEEP: 98304:w3Jzct4drEm7pn9f3ez9A/PUvYQgQK90fejU1:IJ84d4mdVue3pQKah
Malware Config
Extracted: cobaltstrike
1580103824
http://60.204.140.244:2333/activity
- access_type: 512
- beacon_type: 2048
- host: 60.204.140.244,/activity
- http_header1:
- http_header2:
- http_method1: GET
- http_method2: POST
- polling_time: 60000
- port_number: 2333
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine:
- unknown1: 4096
- unknown2:
- uri: /submit.php
- user_agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; UHS)
- watermark: 1580103824
Extracted: cobaltstrike
0
- watermark: 0
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Downloads MZ/PE file
- Executes dropped EXE (1 IoCs)
  pid | Process
  696 | KEGhFi3Oshellcode_loader.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\extractor.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\extractor.exe" | extractor.exe
- GoLang User-Agent (2 IoCs)
  Uses default user-agent string defined by GoLang HTTP packages.
  description | flow | ioc
  HTTP User-Agent header | 23 | Go-http-client/1.1
  HTTP User-Agent header | 15 | Go-http-client/1.1
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 4748 wrote to memory of 3308 | 4748 | extractor.exe | 89
  PID 4748 wrote to memory of 3308 | 4748 | extractor.exe | 89
  PID 3308 wrote to memory of 696 | 3308 | cmd.exe | 91
  PID 3308 wrote to memory of 696 | 3308 | cmd.exe | 91
Processes
- C:\Users\Admin\AppData\Local\Temp\extractor.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\extractor.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 4748
  - C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c KEGhFi3Oshellcode_loader.exe hMU7Rhzrshika_beacon.bin
    - Suspicious use of WriteProcessMemory
    PID: 3308
    - C:\Users\Admin\AppData\Local\Temp\KEGhFi3Oshellcode_loader.exe
      Command line: KEGhFi3Oshellcode_loader.exe hMU7Rhzrshika_beacon.bin
      - Executes dropped EXE
      PID: 696
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.0MB
  MD5: 3ae7f6d1bf87e3f53e2499434eb9d3c7
  SHA1: 0057c8625a6d28c342a639ef1e9fb6ae5892ac50
  SHA256: 7ef1087dcb61458bb91cedd9fb00c8864ba8851bbd2b37cabdb4bf484b94ec59
  SHA512: 3d70d0d7e38877482897132a2768d643a55d85cf82cd30674d673e9d711dd501ac908abe4e858204651525d65ea8fbcd6f7e4ce6ac2b47fbc90d875dff787a47
- Filesize: 257KB
  MD5: f96a947b21ab7ea80adca2b12ef06b20
  SHA1: 95ed4d3fdc7fd58abcc157cca97d32a97468463c
  SHA256: 4ad3076eb61f96abed4a02b82e41e98728d43539dd637056e039bf6aafec7749
  SHA512: aa5d9c9e5d666ee71b0be08809ed0a9a4a3d7ca3ba8cbbe1e62c723a3331c46444b133aea17d4090d3c7e8c66db7afd4b49bbdea1bfd59a2a0f1c2d3985c8d11