Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230831-en -
resource tags
arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system -
submitted
14-09-2023 23:43
Static task
static1
Behavioral task
behavioral1
Sample
rODyUVpxfY.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
rODyUVpxfY.exe
Resource
win10v2004-20230831-en
General
-
Target
rODyUVpxfY.exe
-
Size
1.3MB
-
MD5
5d8edb411af48165a5c7ad86b66470c3
-
SHA1
2cd2fa06855a98d8d4ad5c75cef9f7c58fbc32aa
-
SHA256
3d98abe8a8429aff34af70e1c0e339a1c7ee52ba1370eaf1d1856076d470ea17
-
SHA512
9c3f9b59f27945b4ea374498cf5dc93ddb06556353bb62abf24dfd47b12434d3b5c73254eb3b78803e110fe61f7ef913f8e8ab4f28b50c9f580302f89994c584
-
SSDEEP
24576:KQwobX+5icdw3Mz+NZ7frSegXSOAvqBknl+t:KWq5C3ye2QqBknl+t
Malware Config
Extracted
cobaltstrike
http://62.234.14.38:1443/ajax/jquery/jquery-3.6.4.min.js
-
user_agent
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.9 Accept-Encoding: gzip, deflate Referer: http://mp.weixin.qq.com/ User-Agent: WeChat/8.0.5.32 CFNetwork/1237 Darwin/20.4.0
Extracted
cobaltstrike
100000
http://62.234.14.38:1443/mp/getapp/msgext
-
access_type
512
-
host
62.234.14.38,/mp/getapp/msgext
-
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAfQWNjZXB0LUxhbmd1YWdlOiB6aC1DTix6aDtxPTAuOQAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAACgAAACFSZWZlcmVyOiBodHRwOi8vbXAud2VpeGluLnFxLmNvbS8AAAAHAAAAAAAAAAMAAAACAAAABU1ZTXp6AAAABgAAAAxYLVdlY2hhdC1VaW4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAAI9BY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LGltYWdlL2F2aWYsaW1hZ2Uvd2VicCxpbWFnZS9hcG5nLCovKjtxPTAuOCxhcHBsaWNhdGlvbi9zaWduZWQtZXhjaGFuZ2U7dj1iMztxPTAuOQAAAAoAAAAfQWNjZXB0LUxhbmd1YWdlOiB6aC1DTix6aDtxPTAuOQAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAACgAAAC9Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZAAAAAoAAAAhUmVmZXJlcjogaHR0cDovL21wLndlaXhpbi5xcS5jb20vAAAABwAAAAAAAAADAAAAAgAAAAVNWU16egAAAAYAAAAMWC1XZWNoYXQtVWluAAAABwAAAAEAAAADAAAAAgAAAAhNTWRhdGE9QQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
9472
-
polling_time
5000
-
port_number
1443
-
sc_process32
%windir%\syswow64\gpupdate.exe
-
sc_process64
%windir%\sysnative\gpupdate.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCHFQjnAnUbEXD+c5GiuPpC/L5pH2AnHxcutfvep6LOO4ik5oTdUI5q7KAsEzt7oUQI06rl0seBjlfZlXoAbwfbSbtvYJDKZMeDPvaY6QJRM9SYTgD+nlUiAR0qeMpbvhj68n3khnS1Cu2IS9GJpCMa7kRYn7ylraIWKBIArzaEQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
1.532302592e+09
-
unknown2
AAAABAAAAAIAAAADAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/mp/wapcommon/report
-
user_agent
WeChat/8.0.5.32 CFNetwork/1237 Darwin/20.4.0
-
watermark
100000
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Drops file in System32 directory 1 IoCs
Processes:
svchost.exedescription ioc process File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{F32B4FA1-E90E-4C09-8A22-89E1328E3A2A}.catalogItem svchost.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
svchost.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString svchost.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
svchost.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU svchost.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS svchost.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:4920
-
C:\Users\Admin\AppData\Local\Temp\rODyUVpxfY.exe"C:\Users\Admin\AppData\Local\Temp\rODyUVpxfY.exe"1⤵PID:2792
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2792-0-0x000001D6B6A80000-0x000001D6B6A81000-memory.dmpFilesize
4KB
-
memory/2792-3-0x000001D6B8770000-0x000001D6B8B70000-memory.dmpFilesize
4.0MB
-
memory/2792-2-0x000001D6B8B70000-0x000001D6B8FE2000-memory.dmpFilesize
4.4MB
-
memory/2792-10-0x000001D6B8770000-0x000001D6B8B70000-memory.dmpFilesize
4.0MB