Analysis
-
max time kernel
120s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system -
submitted
20/09/2023, 02:27
Static task
static1
Behavioral task
behavioral1
Sample
2a58f558dc7c0848983e756fc0a81a811bc6a720a6db1b6431cae55b934227b6.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
2a58f558dc7c0848983e756fc0a81a811bc6a720a6db1b6431cae55b934227b6.exe
Resource
win10v2004-20230915-en
General
-
Target
2a58f558dc7c0848983e756fc0a81a811bc6a720a6db1b6431cae55b934227b6.exe
-
Size
3.3MB
-
MD5
2dc4ef09d611b9966a111103df84f0ba
-
SHA1
43627f5a50eb65f6922acb602cf1ed0a234b17ca
-
SHA256
2a58f558dc7c0848983e756fc0a81a811bc6a720a6db1b6431cae55b934227b6
-
SHA512
efbe0a8e71ed44807cbd9fa303c116c0423632847044cc8dfe982c2ab77b1d83bd55820ce34628c4f9773b3834f910d8b4b08086ba340c737cfd76b4582d997c
-
SSDEEP
49152:d94euq3I9N3qVTgK/TUMfKsZQJRcvUcbN:Eq3If6VTbUMfKsZP
Malware Config
Extracted
cobaltstrike
http://142.93.77.61:443/PcDf
-
user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; NP06)
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2392 wrote to memory of 2340 2392 2a58f558dc7c0848983e756fc0a81a811bc6a720a6db1b6431cae55b934227b6.exe 29 PID 2392 wrote to memory of 2340 2392 2a58f558dc7c0848983e756fc0a81a811bc6a720a6db1b6431cae55b934227b6.exe 29 PID 2392 wrote to memory of 2340 2392 2a58f558dc7c0848983e756fc0a81a811bc6a720a6db1b6431cae55b934227b6.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\2a58f558dc7c0848983e756fc0a81a811bc6a720a6db1b6431cae55b934227b6.exe"C:\Users\Admin\AppData\Local\Temp\2a58f558dc7c0848983e756fc0a81a811bc6a720a6db1b6431cae55b934227b6.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\System32\notepad.exeC:\Windows\System32\notepad.exe2⤵PID:2340
-