Analysis

max time kernel: 151s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20230824-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230824-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-08-2023 23:31

Behavioral tasks
behavioral1: sample 7064244922c5e1f8e345d25137c7e3f69fdf1b9987b1c4870e29f15d01096fa5.exe, resource win7-20230712-en
behavioral2: sample 7064244922c5e1f8e345d25137c7e3f69fdf1b9987b1c4870e29f15d01096fa5.exe, resource win10v2004-20230824-en

General
Target: 7064244922c5e1f8e345d25137c7e3f69fdf1b9987b1c4870e29f15d01096fa5.exe
Size: 7.6MB
MD5: 43debafbb713c0e027d8e50090b89b59
SHA1: 696c57d149d06d24447611bfe53bb16ab452d7a5
SHA256: 7064244922c5e1f8e345d25137c7e3f69fdf1b9987b1c4870e29f15d01096fa5
SHA512: eb18586223b937acf5f46c9b4bcb9f38970d60325c4f856570b25a261ebc87fa7f4b7e74c48c3a316f73c205c4f9528586f18c72e1f9c0add6ba072dcc3cdf11
SSDEEP: 196608:CeY0sQOz7iDfyGR21X5Sp6GemDMPw0NHW2+YPnkyR:XY0sl7iDfDspfaMPOA
Malware Config

Extracted: cobaltstrike
  url: http://119.3.177.241:8888/Yhf6
  user_agent: User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/5.0)
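The 4-character path in this first extraction is the shape of a Cobalt Strike HTTP stager request: the path is random, but its checksum8 (sum of the path's byte values modulo 256) is fixed at 92 for an x86 stager and 93 for x64. For /Yhf6 the sum is 89+104+102+54 = 349, so checksum8 = 93, consistent with an x64 stager download from 119.3.177.241:8888. The Python below is an added example, not part of the report or of any vendor tool: it computes the checksum and runs it over a few constructed proxy log lines. The log format, the internal client addresses and the intranet.example host are assumptions; only the two 119.3.177.241 URLs and their user agents come from the report.

```python
import re
from urllib.parse import urlsplit

# checksum8 values that select the stager payload: 92 = x86, 93 = x64.
STAGER_CHECKSUMS = {92: "x86", 93: "x64"}


def checksum8(path: str) -> int:
    """Sum of the byte values of the URI path, leading slash excluded, modulo 256."""
    return sum(path.lstrip("/").encode("ascii", "ignore")) % 256


def classify_stager_uri(path: str):
    """Return 'x86' or 'x64' if path looks like a Cobalt Strike stager URI, else None.

    The stager requests a random 4-character alphanumeric path whose checksum8 is
    92 (x86) or 93 (x64); any query string is ignored for the check.
    """
    stem = path.split("?", 1)[0].lstrip("/")
    if len(stem) != 4 or not stem.isalnum():
        return None
    return STAGER_CHECKSUMS.get(checksum8(stem))


# Constructed proxy log lines (assumed format: time, client, method, URL, status, user agent).
# Only the two 119.3.177.241 requests come from the report; the other host is a placeholder.
SAMPLE_PROXY_LOG = """\
2023-08-30T23:31:07Z 10.0.0.5 GET http://119.3.177.241:8888/Yhf6 200 "Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/5.0)"
2023-08-30T23:31:09Z 10.0.0.5 GET http://intranet.example/index.html 200 "Mozilla/5.0"
2023-08-30T23:31:10Z 10.0.0.7 GET http://intranet.example/abcd 404 "curl/8.0"
2023-08-30T23:32:07Z 10.0.0.5 GET http://119.3.177.241:8888/activity 200 "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; ; NCLIENT50_AAPCDA5841E333)"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def scan_proxy_log(text: str):
    """Return (timestamp, client, url, arch) for each request whose path checksums like a stager."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        arch = classify_stager_uri(urlsplit(m["url"]).path)
        if arch:
            hits.append((m["ts"], m["src"], m["url"], arch))
    return hits


if __name__ == "__main__":
    print("checksum8('/Yhf6') =", checksum8("/Yhf6"))
    for ts, src, url, arch in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"possible {arch} stager download: {ts} {src} {url}")
```

Roughly 2 in 256 random 4-character paths satisfy the check by chance, so a hit is a hunting lead, not a verdict: confirm it with the response size (a stager fetches the full beacon DLL) or, as here, with a beacon configuration extracted from the process that made the request. The /activity request is the beacon's GET channel and is not a stager URI, which is why it is not flagged.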

Extracted: cobaltstrike (watermark 100000)
  url: http://119.3.177.241:8888/activity
  access_type: 512
  host: 119.3.177.241,/activity
  http_header1:
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
  http_header2:
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
  http_method1: GET
  http_method2: POST
  polling_time: 60000
  port_number: 8888
  sc_process32: %windir%\syswow64\rundll32.exe
  sc_process64: %windir%\sysnative\rundll32.exe
  state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCYWGnCK3yIBrh+3iB1BRTsqIt+Lt6zA8e3Smr9rVXdLrowL/CDbqMAH8bc4oEo810pkFMl4CGIF3KtsM0GwrvtcaPMhYueGoSaxE+VatKRrNdhBmQQ02Av/RmRwKJgXbeOQlxJmw2CPDfOwVbThPai6bO70CaZO27GwhyubAqX7QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
  unknown1: 4096
  unknown2:
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
  uri: /submit.php
  user_agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; ; NCLIENT50_AAPCDA5841E333)
  watermark: 100000

Extracted: cobaltstrike (watermark 0)
  watermark: 0

Field notes: polling_time is the beacon sleep in milliseconds (60 s here); sc_process32 and sc_process64 are the spawnto targets used for post-exploitation jobs; http_header1 and http_header2 are the serialized Malleable C2 client transforms for the GET and POST channels; state_machine holds a base64 DER-encoded RSA public key (the team server's), zero-padded to a fixed size; watermark is the licence-derived identifier stamped into the beacon.
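The http_header blobs, unknown2 and state_machine are opaque as printed. The two header blobs are serialized transform lists: a sequence of 4-byte big-endian opcodes, some followed by a 4-byte length and a string, ended by a 0 word. state_machine is a base64 DER SubjectPublicKeyInfo followed by zero padding. The Python below is an added example, not code from the report or from any particular parser: it decodes the report's own values. The opcode table is the one public beacon-config parsers use, the BUILD target names (0 = metadata in http-get, 0 = id and 1 = output in http-post) follow the same convention, and treating unknown2 as a transform list is an inference from its bytes (a single PRINT opcode then a terminator). Trailing zero padding of the base64 values has been dropped; the decoders stop at the terminator or the DER length regardless.

```python
import base64
import hashlib
import struct

# Values copied from the report above, trailing zero padding omitted.
HTTP_HEADER1 = "AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAA"
HTTP_HEADER2 = ("AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAA"
                "BQAAAAJpZAAAAAcAAAABAAAABAAAAAAA")
UNKNOWN2 = "AAAABAAAAAAA"
STATE_MACHINE = ("MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCYWGnCK3yIBrh+3iB1BRTsqIt+Lt6zA8e3Smr9rVXd"
                 "LrowL/CDbqMAH8bc4oEo810pkFMl4CGIF3KtsM0GwrvtcaPMhYueGoSaxE+VatKRrNdhBmQQ02Av/RmR"
                 "wKJgXbeOQlxJmw2CPDfOwVbThPai6bO70CaZO27GwhyubAqX7QIDAQAB")

# Transform opcodes of the serialized client blocks (table as used by public beacon parsers).
TRANSFORM_OPS = {
    1: "append", 2: "prepend", 3: "base64", 4: "print", 5: "parameter", 6: "header",
    7: "build", 8: "netbios", 9: "parameter (constant)", 10: "header (constant)",
    11: "netbiosu", 12: "uri_append", 13: "base64url", 14: "strrep", 15: "mask",
    16: "host header (constant)",
}
STRING_ARG_OPS = {1, 2, 5, 6, 9, 10, 16}        # one length-prefixed string argument
BUILD_TARGETS = {0: "metadata/id", 1: "output"}  # what the transformed data is
RSA_OID = bytes.fromhex("2a864886f70d010101")    # 1.2.840.113549.1.1.1 rsaEncryption


def _u32(data, off):
    return struct.unpack_from(">I", data, off)[0], off + 4


def _lstr(data, off):
    n, off = _u32(data, off)
    return data[off:off + n].decode("latin-1"), off + n


def decode_transforms(b64):
    """Decode one serialized transform list into a list of (op, *args) tuples."""
    data = base64.b64decode(b64)
    off, steps = 0, []
    while off + 4 <= len(data):
        op, off = _u32(data, off)
        if op == 0:                       # terminator
            break
        name = TRANSFORM_OPS.get(op, f"unknown({op})")
        if op == 7:                       # build: which data block the following steps apply to
            target, off = _u32(data, off)
            steps.append((name, BUILD_TARGETS.get(target, str(target))))
        elif op in STRING_ARG_OPS:
            s, off = _lstr(data, off)
            steps.append((name, s))
        elif op == 14:                    # strrep takes two strings
            a, off = _lstr(data, off)
            b, off = _lstr(data, off)
            steps.append((name, a, b))
        else:
            steps.append((name,))
    return steps


def _der_tlv(buf, off):
    """Read one DER tag-length-value at buf[off:]; returns (tag, value, offset after it)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                     # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def team_server_key(b64):
    """Parse the SubjectPublicKeyInfo and return modulus size, exponent and a fingerprint."""
    blob = base64.b64decode(b64)
    tag, spki, end = _der_tlv(blob, 0)    # SEQUENCE { algorithm, subjectPublicKey }
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, alg, off = _der_tlv(spki, 0)       # AlgorithmIdentifier
    _, oid, _ = _der_tlv(alg, 0)
    if oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    _, bits, _ = _der_tlv(spki, off)      # BIT STRING; bits[0] is the unused-bit count
    _, rsa, _ = _der_tlv(bits, 1)         # RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }
    _, n, off = _der_tlv(rsa, 0)
    _, e, _ = _der_tlv(rsa, off)
    return {
        "modulus_bits": int.from_bytes(n, "big").bit_length(),
        "exponent": int.from_bytes(e, "big"),
        "spki_sha256": hashlib.sha256(blob[:end]).hexdigest(),   # padding excluded
    }


def beacon_summary():
    """The opaque fields decoded next to the plain ones a hunter wants on one screen."""
    return {
        "http_get_client": decode_transforms(HTTP_HEADER1),
        "http_post_client": decode_transforms(HTTP_HEADER2),
        "unknown2_as_transforms": decode_transforms(UNKNOWN2),
        "sleep_seconds": 60000 // 1000,   # polling_time from the report
        "spawnto": {"x86": r"%windir%\syswow64\rundll32.exe", "x64": r"%windir%\sysnative\rundll32.exe"},
        "team_server_key": team_server_key(STATE_MACHINE),
    }


if __name__ == "__main__":
    for field, value in beacon_summary().items():
        print(f"{field}: {value}")
```

Decoded, the GET channel base64-encodes the metadata into a Cookie header and the POST channel sets a constant Content-Type: application/octet-stream header, carries the session id in an id parameter and sends output raw in the body. Together with the 60 s sleep and the rundll32.exe spawnto this is the stock Cobalt Strike profile, so profile-based detections for the defaults apply. The key parses as RSA-1024 with exponent 65537; its SHA-256 is the stable value for clustering beacons that talk to the same team server, since the key survives changes of host, port and URIs.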
Signatures

Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.

Loads dropped DLL (5 IoCs)
  PID 1068  7064244922c5e1f8e345d25137c7e3f69fdf1b9987b1c4870e29f15d01096fa5.exe  (5 load events)

Drops file in System32 directory (1 IoC)
  svchost.exe  File created  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{47BB79F0-B694-4A8A-BB86-7F781212A891}.catalogItem

Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  svchost.exe  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  svchost.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  svchost.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Enumerates system info in registry (2 TTPs, 2 IoCs)
  svchost.exe  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  svchost.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU

Suspicious use of WriteProcessMemory (2 IoCs)
  PID 820 (7064244922c5e1f8e345d25137c7e3f69fdf1b9987b1c4870e29f15d01096fa5.exe) wrote to memory of PID 1068 (7064244922c5e1f8e345d25137c7e3f69fdf1b9987b1c4870e29f15d01096fa5.exe), 2 events

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Note: the System32 file drop and the registry reads are recorded for svchost.exe -k netsvcs (PID 2772), which the process tree lists as its own root process, not as a descendant of the sample. The report therefore does not tie those events to the sample, and they should not be read as sandbox evasion by it.
Processes

C:\Users\Admin\AppData\Local\Temp\7064244922c5e1f8e345d25137c7e3f69fdf1b9987b1c4870e29f15d01096fa5.exe  (PID 820)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7064244922c5e1f8e345d25137c7e3f69fdf1b9987b1c4870e29f15d01096fa5.exe"
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\7064244922c5e1f8e345d25137c7e3f69fdf1b9987b1c4870e29f15d01096fa5.exe  (PID 1068, child of 820)
      Command line: "C:\Users\Admin\AppData\Local\Temp\7064244922c5e1f8e345d25137c7e3f69fdf1b9987b1c4870e29f15d01096fa5.exe"
      - Loads dropped DLL

C:\Windows\System32\svchost.exe  (PID 2772, separate root process)
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p
  - Drops file in System32 directory
  - Checks processor information in registry
  - Enumerates system info in registry

Parent and child are the same executable, and the child loads DLLs dropped under C:\Users\Admin\AppData\Local\Temp\_MEI8202\ (python311.dll, base_library.zip, _ctypes.pyd, libffi-8.dll; see Downloads). That is the PyInstaller one-file pattern: the bootloader unpacks the bundled Python runtime into a %TEMP%\_MEI<digits> directory and re-executes itself to run the embedded script. The beacon memory dumps listed under Downloads were all taken from that child process (PID 1068).
Downloads (dropped files and memory dumps)

C:\Users\Admin\AppData\Local\Temp\_MEI8202\VCRUNTIME140.dll
  Filesize: 106KB
  MD5: 4585a96cc4eef6aafd5e27ea09147dc6
  SHA1: 489cfff1b19abbec98fda26ac8958005e88dd0cb
  SHA256: a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736
  SHA512: d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

C:\Users\Admin\AppData\Local\Temp\_MEI8202\_ctypes.pyd
  Filesize: 120KB
  MD5: 9b344f8d7ce5b57e397a475847cc5f66
  SHA1: aff1ccc2608da022ecc8d0aba65d304fe74cdf71
  SHA256: b1214d7b7efd9d4b0f465ec3463512a1cbc5f59686267030f072e6ce4b2a95cf
  SHA512: 2b0d9e1b550bf108fa842324ab26555f2a224aefff517fdb16df85693e05adaf0d77ebe49382848f1ec68dc9b5ae75027a62c33721e42a1566274d1a2b1baa41

C:\Users\Admin\AppData\Local\Temp\_MEI8202\base_library.zip
  Filesize: 1.7MB
  MD5: ca768a72c14315ee7dd60d660a368968
  SHA1: 50335eee728e9e3f369e9e06972b053776bc8d19
  SHA256: 2456678e7aff9354b5a5bfbb94ac4e345d434b93ecb035ccbd41cd94369befaa
  SHA512: e10f2ffc4a88cfbb9d403464aacb339a438f96c0f4a8cc853e62141911181c7aa626e18af7721344a8ae1d5b50cd69eeac49ea0743d1a420342d8ec9352c9868

C:\Users\Admin\AppData\Local\Temp\_MEI8202\libffi-8.dll
  Filesize: 38KB
  MD5: 0f8e4992ca92baaf54cc0b43aaccce21
  SHA1: c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
  SHA256: eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
  SHA512: 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

C:\Users\Admin\AppData\Local\Temp\_MEI8202\python311.dll
  Filesize: 5.5MB
  MD5: e2bd5ae53427f193b42d64b8e9bf1943
  SHA1: 7c317aad8e2b24c08d3b8b3fba16dd537411727f
  SHA256: c4844b05e3a936b130adedb854d3c04d49ee54edb43e9d36f8c4ae94ccb78400
  SHA512: ae23a6707e539c619fd5c5b4fc6e4734edc91f89ebe024d25ff2a70168da6105ac0bd47cf6bf3715af6411963caf0acbb4632464e1619ca6361abf53adfe7036

C:\Users\Admin\AppData\Local\Temp\_MEI8202\ucrtbase.dll
  Filesize: 978KB
  MD5: cca4929ef8dd988d7221ef6ba398f1b5
  SHA1: 1d21e60e56a15038702dc18148be8cecee279890
  SHA256: 4292c29e74d90aef21bbad50e8fe25858c5990846adb629372ca6fd717cd0ca3
  SHA512: d990d1370201541e7a1e1ec9b68e40a984d0195847010919148d0de80d2a2c51bcccfeeca59087fca95ab410c9e170c4585c8daa1383f1383b98500d797a41ca

memory/1068-66-0x000002CA6DD20000-0x000002CA6DD21000-memory.dmp  Filesize: 4KB
memory/1068-71-0x000002CA6E970000-0x000002CA6ED70000-memory.dmp  Filesize: 4.0MB
memory/1068-72-0x000002CA6ED70000-0x000002CA6EDBF000-memory.dmp  Filesize: 316KB
memory/1068-75-0x000002CA6ED70000-0x000002CA6EDBF000-memory.dmp  Filesize: 316KB