Analysis

  • max time kernel
    82s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/08/2023, 02:43

General

  • Target

    extractor.exe

  • Size

    6.8MB

  • MD5

    96e6770b7fb1b91fbbf7da53fe80c0d8

  • SHA1

    51424b25cb1151242755ab4f28484093aba3baf9

  • SHA256

    9d0302af3cd6fb88ccc2cf022a6abe0ecb502f1a7d8226ecea45731cd09c7cef

  • SHA512

    504a7bb19403d027634ad6f8ca5cd895b6a0f758b716acc710522466d2a044b1522002d7381875fb8a5b97d36df8f36795117282ced9808132399f8b8211a90e

  • SSDEEP

    98304:w3Jzct4drEm7pn9f3ez9A/PUvYQgQK90fejU1:IJ84d4mdVue3pQKah

Malware Config

Extracted

Family

cobaltstrike

Botnet

1580103824

C2

http://60.204.140.244:2333/activity

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    60.204.140.244,/activity

  • http_header1

  • http_header2

  • http_method1

    GET

  • http_method2

    POST

  • polling_time

    60000

  • port_number

    2333

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

  • unknown1

    4096

  • unknown2

  • uri

    /submit.php

  • user_agent

    Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; UHS)

  • watermark

    1580103824

Extracted

Family

cobaltstrike

Botnet

0

Attributes
  • watermark

    0

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • Downloads MZ/PE file
  • Executes dropped EXE (1 IoC)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • GoLang User-Agent (2 IoCs)

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\extractor.exe
    "C:\Users\Admin\AppData\Local\Temp\extractor.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4748
    • C:\Windows\system32\cmd.exe
      cmd.exe /c KEGhFi3Oshellcode_loader.exe hMU7Rhzrshika_beacon.bin
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3308
      • C:\Users\Admin\AppData\Local\Temp\KEGhFi3Oshellcode_loader.exe
        KEGhFi3Oshellcode_loader.exe hMU7Rhzrshika_beacon.bin
        3⤵
        • Executes dropped EXE
        PID:696

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\KEGhFi3Oshellcode_loader.exe

    Filesize

    2.0MB

    MD5

    3ae7f6d1bf87e3f53e2499434eb9d3c7

    SHA1

    0057c8625a6d28c342a639ef1e9fb6ae5892ac50

    SHA256

    7ef1087dcb61458bb91cedd9fb00c8864ba8851bbd2b37cabdb4bf484b94ec59

    SHA512

    3d70d0d7e38877482897132a2768d643a55d85cf82cd30674d673e9d711dd501ac908abe4e858204651525d65ea8fbcd6f7e4ce6ac2b47fbc90d875dff787a47

  • C:\Users\Admin\AppData\Local\Temp\hMU7Rhzrshika_beacon.bin

    Filesize

    257KB

    MD5

    f96a947b21ab7ea80adca2b12ef06b20

    SHA1

    95ed4d3fdc7fd58abcc157cca97d32a97468463c

    SHA256

    4ad3076eb61f96abed4a02b82e41e98728d43539dd637056e039bf6aafec7749

    SHA512

    aa5d9c9e5d666ee71b0be08809ed0a9a4a3d7ca3ba8cbbe1e62c723a3331c46444b133aea17d4090d3c7e8c66db7afd4b49bbdea1bfd59a2a0f1c2d3985c8d11

  • memory/696-139-0x000001A13C340000-0x000001A13C381000-memory.dmp

    Filesize

    260KB

  • memory/696-140-0x000001A13C4D0000-0x000001A13C51E000-memory.dmp

    Filesize

    312KB

  • memory/696-143-0x000001A13C4D0000-0x000001A13C51E000-memory.dmp

    Filesize

    312KB