Analysis
-
max time kernel
126s
-
max time network
130s
-
platform
windows10-2004_x64
-
resource
win10v2004-20230703-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20230703-en locale:en-us os:windows10-2004-x64 system
-
submitted
25-08-2023 23:56
Static task
static1
Behavioral task
behavioral1
Sample
190443cbf65c0898f914fc760934caea.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
190443cbf65c0898f914fc760934caea.exe
Resource
win10v2004-20230703-en
General
-
Target
190443cbf65c0898f914fc760934caea.exe
-
Size
517KB
-
MD5
190443cbf65c0898f914fc760934caea
-
SHA1
2038226438b0d02d675bde2253866329c69af1e6
-
SHA256
3922b22af71946fc376884c6bd78cb725e903456a3e5481819b55312c745367f
-
SHA512
03bc60cb328d59d40dcd6270f058ebdbd3d1fbed0e86f28cd357179c95c7f89fdb9bf35cc1020b834c6eaeeb631500814a90169d02c6f2334db3d0451b8b3544
-
SSDEEP
6144:EdmZWccb2kii5Z44P/fBlqjQJWYgARXIQ6BDDm5nYh6i74H:qmYHfia44PvqIdPXJ6BfInxi7i
Malware Config
Extracted
cobaltstrike
http://208.70.76.100:3443/sJUK
-
user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; NP09; NP09; MAAU)
Extracted
cobaltstrike
100000
http://208.70.76.100:3443/cx
-
access_type
512
-
beacon_type
2048
-
host
208.70.76.100,/cx
-
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
polling_time
60000
-
port_number
3443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDBJDSs318FAZ2e8d95toadIBJrb+Ly91RAoANFy4ietcRWyyKMBmgp/MbMk2D59Pcp7kb2aL1oOkwVCodoIGcszvToWK0YwuNknqiH9MxQbhalfck7SpglxHKTg2gNB0HGdzaMLl00qHyzeutQ9G3Yqk/7ySHKCaOsh7jdRv2fdwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/submit.php
-
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; MAAU; NP08)
-
watermark
100000
Extracted
cobaltstrike
0
-
watermark
0
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Executes dropped EXE 1 IoCs
Processes: HXhr.exe
pid   process
3948  HXhr.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes: 190443cbf65c0898f914fc760934caea.exe, explorer.exe
description                        pid   process                                 target process
PID 3640 wrote to memory of 5084   3640  190443cbf65c0898f914fc760934caea.exe    werfault.exe
PID 3640 wrote to memory of 5084   3640  190443cbf65c0898f914fc760934caea.exe    werfault.exe
PID 3640 wrote to memory of 5084   3640  190443cbf65c0898f914fc760934caea.exe    werfault.exe
PID 3640 wrote to memory of 4524   3640  190443cbf65c0898f914fc760934caea.exe    explorer.exe
PID 3640 wrote to memory of 4524   3640  190443cbf65c0898f914fc760934caea.exe    explorer.exe
PID 5096 wrote to memory of 3948   5096  explorer.exe                            HXhr.exe
PID 5096 wrote to memory of 3948   5096  explorer.exe                            HXhr.exe
PID 5096 wrote to memory of 3948   5096  explorer.exe                            HXhr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\190443cbf65c0898f914fc760934caea.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\190443cbf65c0898f914fc760934caea.exe"
  Suspicious use of WriteProcessMemory
  PID:3640
  - C:\Windows\system32\werfault.exe
    command line: "C:\Windows\system32\werfault.exe"
    PID:5084
  - C:\Windows\explorer.exe
    command line: "C:\Windows\explorer.exe" C:\Windows\temp\HXhr.exe
    PID:4524
-
C:\Windows\explorer.exe
  command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  Suspicious use of WriteProcessMemory
  PID:5096
  - C:\Windows\Temp\HXhr.exe
    command line: "C:\Windows\Temp\HXhr.exe"
    Executes dropped EXE
    PID:3948
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Windows\Temp\HXhr.exe
Filesize
478KB
MD5
2f2fde496d0ddae2f1db630fabee52ae
SHA1
f62ea05c48fde8b639504439e9b82d6c785ef83b
SHA256
dc04b1613773697123ae3c87072b6b3a7a2b5627d4b31bb0046e1fafbd2dd337
SHA512
6b2237233ea93e1c8a51ca1e2fc850c1ae5f21f2e655de98bc2041515bd7c2a2cae07913f9503ec72d1c553c3ec66b52652a6a7f27c1b65b3247d1b95c77445d
-
memory/3640-0-0x00007FFA9EDB0000-0x00007FFA9EFA5000-memory.dmp
Filesize
2.0MB
-
memory/3948-11-0x0000000005EB0000-0x0000000006454000-memory.dmp
Filesize
5.6MB
-
memory/3948-13-0x0000000005BF0000-0x0000000005C00000-memory.dmp
Filesize
64KB
-
memory/3948-19-0x0000000005BF0000-0x0000000005C00000-memory.dmp
Filesize
64KB
-
memory/3948-10-0x0000000000EC0000-0x0000000000F3E000-memory.dmp
Filesize
504KB
-
memory/3948-9-0x0000000074580000-0x0000000074D30000-memory.dmp
Filesize
7.7MB
-
memory/3948-18-0x0000000005BF0000-0x0000000005C00000-memory.dmp
Filesize
64KB
-
memory/3948-12-0x00000000059A0000-0x0000000005A32000-memory.dmp
Filesize
584KB
-
memory/3948-17-0x0000000074580000-0x0000000074D30000-memory.dmp
Filesize
7.7MB
-
memory/3948-14-0x0000000005940000-0x000000000594A000-memory.dmp
Filesize
40KB
-
memory/3948-15-0x0000000005BF0000-0x0000000005C00000-memory.dmp
Filesize
64KB
-
memory/5084-16-0x000001710C850000-0x000001710C89F000-memory.dmp
Filesize
316KB
-
memory/5084-6-0x000001710C850000-0x000001710C89F000-memory.dmp
Filesize
316KB
-
memory/5084-1-0x000001710C4C0000-0x000001710C4C1000-memory.dmp
Filesize
4KB
-
memory/5084-5-0x000001710E6D0000-0x000001710EAD0000-memory.dmp
Filesize
4.0MB