Analysis
-
max time kernel
132s
-
max time network
135s
-
platform
windows7_x64
-
resource
win7-20230712-en
-
resource tags
arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted
25-08-2023 23:56
Static task
static1
Behavioral task
behavioral1
Sample
190443cbf65c0898f914fc760934caea.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
190443cbf65c0898f914fc760934caea.exe
Resource
win10v2004-20230703-en
General
-
Target
190443cbf65c0898f914fc760934caea.exe
-
Size
517KB
-
MD5
190443cbf65c0898f914fc760934caea
-
SHA1
2038226438b0d02d675bde2253866329c69af1e6
-
SHA256
3922b22af71946fc376884c6bd78cb725e903456a3e5481819b55312c745367f
-
SHA512
03bc60cb328d59d40dcd6270f058ebdbd3d1fbed0e86f28cd357179c95c7f89fdb9bf35cc1020b834c6eaeeb631500814a90169d02c6f2334db3d0451b8b3544
-
SSDEEP
6144:EdmZWccb2kii5Z44P/fBlqjQJWYgARXIQ6BDDm5nYh6i74H:qmYHfia44PvqIdPXJ6BfInxi7i
Malware Config
Extracted
cobaltstrike
http://208.70.76.100:3443/sJUK
-
user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; NP09; NP09; MAAU)
Extracted
cobaltstrike
100000
http://208.70.76.100:3443/cx
-
access_type
512
-
beacon_type
2048
-
host
208.70.76.100,/cx
-
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
polling_time
60000
-
port_number
3443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDBJDSs318FAZ2e8d95toadIBJrb+Ly91RAoANFy4ietcRWyyKMBmgp/MbMk2D59Pcp7kb2aL1oOkwVCodoIGcszvToWK0YwuNknqiH9MxQbhalfck7SpglxHKTg2gNB0HGdzaMLl00qHyzeutQ9G3Yqk/7ySHKCaOsh7jdRv2fdwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/submit.php
-
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; MAAU; NP08)
-
watermark
100000
Extracted
cobaltstrike
0
-
watermark
0
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Executes dropped EXE 1 IoCs
Processes:
pid   process
1608  HXhr.exe
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
description               pid   process                                target process
wrote to memory of 1992   2660  190443cbf65c0898f914fc760934caea.exe   werfault.exe
wrote to memory of 1992   2660  190443cbf65c0898f914fc760934caea.exe   werfault.exe
wrote to memory of 1992   2660  190443cbf65c0898f914fc760934caea.exe   werfault.exe
wrote to memory of 1992   2660  190443cbf65c0898f914fc760934caea.exe   werfault.exe
wrote to memory of 2256   2660  190443cbf65c0898f914fc760934caea.exe   explorer.exe
wrote to memory of 2256   2660  190443cbf65c0898f914fc760934caea.exe   explorer.exe
wrote to memory of 2256   2660  190443cbf65c0898f914fc760934caea.exe   explorer.exe
wrote to memory of 1608   1752  explorer.exe                           HXhr.exe
wrote to memory of 1608   1752  explorer.exe                           HXhr.exe
wrote to memory of 1608   1752  explorer.exe                           HXhr.exe
wrote to memory of 1608   1752  explorer.exe                           HXhr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\190443cbf65c0898f914fc760934caea.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\190443cbf65c0898f914fc760934caea.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2660
    C:\Windows\system32\werfault.exe
      Command line: "C:\Windows\system32\werfault.exe"
      PID: 1992
    C:\Windows\explorer.exe
      Command line: "C:\Windows\explorer.exe" C:\Windows\temp\HXhr.exe
      PID: 2256
C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Suspicious use of WriteProcessMemory
  PID: 1752
    C:\Windows\Temp\HXhr.exe
      Command line: "C:\Windows\Temp\HXhr.exe"
      - Executes dropped EXE
      PID: 1608
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB
MD5
f3441b8572aae8801c04f3060b550443
SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9
-
C:\Users\Admin\AppData\Local\Temp\TarAB54.tmp
Filesize
163KB
MD5
9441737383d21192400eca82fda910ec
SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf
-
C:\Windows\Temp\HXhr.exe
Filesize
478KB
MD5
2f2fde496d0ddae2f1db630fabee52ae
SHA1
f62ea05c48fde8b639504439e9b82d6c785ef83b
SHA256
dc04b1613773697123ae3c87072b6b3a7a2b5627d4b31bb0046e1fafbd2dd337
SHA512
6b2237233ea93e1c8a51ca1e2fc850c1ae5f21f2e655de98bc2041515bd7c2a2cae07913f9503ec72d1c553c3ec66b52652a6a7f27c1b65b3247d1b95c77445d
-
memory/1608-29-0x0000000004D00000-0x0000000004D40000-memory.dmp
Filesize
256KB
-
memory/1608-52-0x0000000074550000-0x0000000074C3E000-memory.dmp
Filesize
6.9MB
-
memory/1608-9-0x0000000000980000-0x00000000009FE000-memory.dmp
Filesize
504KB
-
memory/1608-10-0x0000000074550000-0x0000000074C3E000-memory.dmp
Filesize
6.9MB
-
memory/1608-18-0x0000000004D00000-0x0000000004D40000-memory.dmp
Filesize
256KB
-
memory/1608-54-0x0000000004D00000-0x0000000004D40000-memory.dmp
Filesize
256KB
-
memory/1608-53-0x0000000004D00000-0x0000000004D40000-memory.dmp
Filesize
256KB
-
memory/1992-31-0x0000000002280000-0x00000000022CF000-memory.dmp
Filesize
316KB
-
memory/1992-4-0x0000000000060000-0x0000000000061000-memory.dmp
Filesize
4KB
-
memory/1992-2-0x0000000000060000-0x0000000000061000-memory.dmp
Filesize
4KB
-
memory/1992-30-0x0000000003040000-0x0000000003440000-memory.dmp
Filesize
4.0MB
-
memory/1992-55-0x0000000002280000-0x00000000022CF000-memory.dmp
Filesize
316KB
-
memory/2660-1-0x0000000077560000-0x0000000077709000-memory.dmp
Filesize
1.7MB
-
memory/2660-6-0x0000000077560000-0x0000000077709000-memory.dmp
Filesize
1.7MB