Analysis
-
max time kernel
142s
-
max time network
154s
-
platform
windows10-2004_x64
-
resource
win10v2004-20230915-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
21-09-2023 12:30
Behavioral task
behavioral1
Sample
d2c0ecfa7eebd8667ae34b12757ed7ab746050bc97dbc6725dcd46c2c973ce78.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
d2c0ecfa7eebd8667ae34b12757ed7ab746050bc97dbc6725dcd46c2c973ce78.exe
Resource
win10v2004-20230915-en
General
-
Target
d2c0ecfa7eebd8667ae34b12757ed7ab746050bc97dbc6725dcd46c2c973ce78.exe
-
Size
6.5MB
-
MD5
717cb37e928a3e08fad96159c8dcbed5
-
SHA1
0f6b47a998f66554fb2ce6d55047f0d0d72544e0
-
SHA256
d2c0ecfa7eebd8667ae34b12757ed7ab746050bc97dbc6725dcd46c2c973ce78
-
SHA512
275092a3e3ffa4705c2ea1b52738ee1a032cf8b47ca5e9689e7f0d113a294bb25a442a0334111b0c62f58f4904a17cc8bdfae01734189a46a0813c3f698bfe37
-
SSDEEP
196608:fMaOjdQmRJ8dA6l7aycBIGpEyUXIZVcfEL:cdQusl29bcf
Malware Config
Extracted
cobaltstrike
http://194.29.187.194:443/jquery-3.3.2.slim.min.js
-
user_agent
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://code.jquery.com/
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
Extracted
cobaltstrike
100000
http://194.29.187.194:443/jquery-3.3.1.min.js
-
access_type
512
-
beacon_type
2048
-
host
194.29.187.194,/jquery-3.3.1.min.js
-
http_header1
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
-
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADwAAAA0AAAAFAAAACF9fY2ZkdWlkAAAABwAAAAEAAAAPAAAADQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
9472
-
polling_time
45000
-
port_number
443
-
sc_process32
%windir%\syswow64\dllhost.exe
-
sc_process64
%windir%\sysnative\dllhost.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCuPf3kkkjVLT/eFY5OYOqyRdaP1EHIMlX3z1BkoOdRmjXH7+NIq/yUmJmsne/2K4NzNIuzy7otrj8rXzipEB1wGK6meWzYGenK10sK1sYD+dYZcxbp5d9tD8t8tvTbyJ1Ghulc0rl5FsMIWK9NAlbltnqwAuAPbellIARSBC/xwwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4.234810624e+09
-
unknown2
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/jquery-3.3.2.min.js
-
user_agent
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
-
watermark
100000
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Loads dropped DLL 5 IoCs
Processes:
pid    process
744    d2c0ecfa7eebd8667ae34b12757ed7ab746050bc97dbc6725dcd46c2c973ce78.exe
744    d2c0ecfa7eebd8667ae34b12757ed7ab746050bc97dbc6725dcd46c2c973ce78.exe
744    d2c0ecfa7eebd8667ae34b12757ed7ab746050bc97dbc6725dcd46c2c973ce78.exe
744    d2c0ecfa7eebd8667ae34b12757ed7ab746050bc97dbc6725dcd46c2c973ce78.exe
744    d2c0ecfa7eebd8667ae34b12757ed7ab746050bc97dbc6725dcd46c2c973ce78.exe
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
description                        pid    process                                                                  target process
PID 4404 wrote to memory of 744    4404   d2c0ecfa7eebd8667ae34b12757ed7ab746050bc97dbc6725dcd46c2c973ce78.exe    d2c0ecfa7eebd8667ae34b12757ed7ab746050bc97dbc6725dcd46c2c973ce78.exe
PID 4404 wrote to memory of 744    4404   d2c0ecfa7eebd8667ae34b12757ed7ab746050bc97dbc6725dcd46c2c973ce78.exe    d2c0ecfa7eebd8667ae34b12757ed7ab746050bc97dbc6725dcd46c2c973ce78.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d2c0ecfa7eebd8667ae34b12757ed7ab746050bc97dbc6725dcd46c2c973ce78.exe (PID 4404, tree level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\d2c0ecfa7eebd8667ae34b12757ed7ab746050bc97dbc6725dcd46c2c973ce78.exe"
- Suspicious use of WriteProcessMemory
-
    C:\Users\Admin\AppData\Local\Temp\d2c0ecfa7eebd8667ae34b12757ed7ab746050bc97dbc6725dcd46c2c973ce78.exe (PID 744, tree level 2, child of PID 4404)
    Command line: "C:\Users\Admin\AppData\Local\Temp\d2c0ecfa7eebd8667ae34b12757ed7ab746050bc97dbc6725dcd46c2c973ce78.exe"
    - Loads dropped DLL
Network
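The Network section of this capture is empty, so the following is an added detection example (not from the report or the sandbox) that turns the extracted config into checks a practitioner can run: the C2 host, plain HTTP carried on port 443, the jQuery URIs and Referer when the destination is not the real CDN, the profile's IE11 User-Agent, the __cfduid id parameter on POSTs, timing against the 45000 ms polling_time, and the bare dllhost.exe spawnto from sc_process32/64. The proxy records, the client IPs, the 35 % timing tolerance and the log field layout are constructed for the example and are not on the page.

```python
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the beacon config extracted on this page.
C2_HOST = "194.29.187.194"
C2_URIS = {"/jquery-3.3.1.min.js", "/jquery-3.3.2.min.js", "/jquery-3.3.2.slim.min.js"}
C2_REFERER = "http://code.jquery.com/"
C2_UA = "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
C2_ID_PARAM = "__cfduid"          # POST session id travels in this query parameter
POLLING_S = 45000 / 1000          # polling_time is in milliseconds
JQUERY_CDN = "code.jquery.com"    # the host the profile impersonates

# Constructed proxy records for the example (not from the report):
# (timestamp, client, method, url, referer, user_agent)
SAMPLE_REQUESTS = [
    ("2023-09-21T12:31:00Z", "10.0.0.5", "GET", f"http://{C2_HOST}:443/jquery-3.3.1.min.js", C2_REFERER, C2_UA),
    ("2023-09-21T12:31:47Z", "10.0.0.5", "GET", f"http://{C2_HOST}:443/jquery-3.3.1.min.js", C2_REFERER, C2_UA),
    ("2023-09-21T12:32:30Z", "10.0.0.5", "POST", f"http://{C2_HOST}:443/jquery-3.3.2.min.js?__cfduid=q3NmZ1", C2_REFERER, C2_UA),
    ("2023-09-21T12:33:14Z", "10.0.0.5", "GET", f"http://{C2_HOST}:443/jquery-3.3.1.min.js", C2_REFERER, C2_UA),
    # a genuine jQuery download from the CDN by another host: must not alert
    ("2023-09-21T12:30:10Z", "10.0.0.9", "GET", "https://code.jquery.com/jquery-3.3.1.min.js",
     "https://example.com/", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/117"),
]


def score_request(method, url, referer, user_agent):
    """Names of the profile-derived indicators one request matches. The URI and Referer
    checks only fire off the real CDN, because those values are copied from a
    legitimate jQuery download and would otherwise flood on normal traffic."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    hits = []
    if u.hostname == C2_HOST:
        hits.append("c2_host")
    if u.scheme == "http" and port == 443:     # beacon speaks cleartext HTTP to :443
        hits.append("cleartext_on_443")
    if u.hostname != JQUERY_CDN:
        if u.path in C2_URIS:
            hits.append("jquery_uri_off_cdn")
        if referer == C2_REFERER:
            hits.append("spoofed_jquery_referer")
    if user_agent == C2_UA:
        hits.append("profile_user_agent")
    if method == "POST" and C2_ID_PARAM in parse_qs(u.query):
        hits.append("post_id_in_query")
    return hits


def beacon_gaps(requests):
    """Seconds between consecutive requests from each client to the C2 host."""
    times = defaultdict(list)
    for ts, client, _method, url, _ref, _ua in requests:
        if urlsplit(url).hostname == C2_HOST:
            times[client].append(datetime.fromisoformat(ts.replace("Z", "+00:00")))
    gaps = {}
    for client, stamps in times.items():
        stamps.sort()
        gaps[client] = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return gaps


def looks_like_polling(gaps, period_s=POLLING_S, tolerance=0.35):
    """True when every gap sits within tolerance of the configured sleep. Beacon jitter
    shortens sleeps by up to a configured percentage; 35 % is an assumed bound."""
    return bool(gaps) and all(abs(g - period_s) <= tolerance * period_s for g in gaps)


def suspicious_dllhost(image_path, command_line):
    """Windows starts dllhost.exe as a COM surrogate with a /Processid:{CLSID} argument;
    the config's spawnto is a bare dllhost.exe, so one without that argument is the
    sacrificial post-exploitation process to hunt for."""
    return (image_path.lower().endswith("\\dllhost.exe")
            and "/processid:" not in command_line.lower())


def triage(requests):
    """Per-client summary for clients that talked to the C2 host: which indicators
    fired and whether the request timing matches the configured sleep."""
    report = {}
    for client, gaps in beacon_gaps(requests).items():
        hits = set()
        for _ts, c, method, url, referer, ua in requests:
            if c == client:
                hits.update(score_request(method, url, referer, ua))
        report[client] = {"indicators": sorted(hits), "polling": looks_like_polling(gaps)}
    return report


if __name__ == "__main__":
    for client, summary in triage(SAMPLE_REQUESTS).items():
        print(client, summary)
```

Each indicator is weak alone (a self-hosted copy of jquery-3.3.1.min.js or an old IE11 User-Agent is common enough); what makes the case is the combination on one client, plus the cleartext-on-443 transport, which a TLS-only egress policy would block outright.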
MITRE ATT&CK Matrix
Downloads
(The _MEI44042 directory holding python310.dll, base_library.zip, _ctypes.pyd and libffi-7.dll is the extraction layout of a PyInstaller onefile bundle built against Python 3.10: the parent process, PID 4404, is the PyInstaller bootloader, which unpacks the bundle into %TEMP%\_MEI<pid>2 and re-launches itself as the child, PID 744, that loads these DLLs. The "Loads dropped DLL" and parent-to-child WriteProcessMemory signatures above are this bootstrap, not the beacon's own activity.)
-
C:\Users\Admin\AppData\Local\Temp\_MEI44042\VCRUNTIME140.dll
Filesize
106KB
MD5
870fea4e961e2fbd00110d3783e529be
SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311
SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644
SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88
-
C:\Users\Admin\AppData\Local\Temp\_MEI44042\_ctypes.pyd
Filesize
119KB
MD5
ca4cef051737b0e4e56b7d597238df94
SHA1
583df3f7ecade0252fdff608eb969439956f5c4a
SHA256
e60a2b100c4fa50b0b144cf825fe3cde21a8b7b60b92bfc326cb39573ce96b2b
SHA512
17103d6b5fa84156055e60f9e5756ffc31584cdb6274c686a136291c58ba0be00238d501f8acc1f1ca7e1a1fadcb0c7fefddcb98cedb9dd04325314f7e905df3
-
C:\Users\Admin\AppData\Local\Temp\_MEI44042\base_library.zip
Filesize
1.0MB
MD5
05ea8c2dacc3fdd039622cbd0bd89562
SHA1
a2a836ab954ee894a55544082757c187fb3a5b23
SHA256
cdc5b0ffc8132b7acd551505929c3a8fe98309f9cd011c9e5cafe6b084a3204f
SHA512
23307435efe9132a577abd3bff7ce17c4563ccce0ed8fcae012e43673753ef510c7f15ca3c5feb04e199edcb743fdd12d99dc8f3c9b1268b7acc032c9382cab6
-
C:\Users\Admin\AppData\Local\Temp\_MEI44042\libffi-7.dll
Filesize
32KB
MD5
eef7981412be8ea459064d3090f4b3aa
SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016
-
C:\Users\Admin\AppData\Local\Temp\_MEI44042\python310.dll
Filesize
4.3MB
MD5
deaf0c0cc3369363b800d2e8e756a402
SHA1
3085778735dd8badad4e39df688139f4eed5f954
SHA256
156cf2b64dd0f4d9bdb346b654a11300d6e9e15a65ef69089923dafc1c71e33d
SHA512
5cac1d92af7ee18425b5ee8e7cd4e941a9ddffb4bc1c12bb8aeabeed09acec1ff0309abc41a2e0c8db101fee40724f8bfb27a78898128f8746c8fe01c1631989
-
C:\Users\Admin\AppData\Local\Temp\_MEI44042\ucrtbase.dll
Filesize
1.1MB
MD5
56c350293b27d61410f9d212f6f4b8f3
SHA1
4b11908f434e2eb1b253d0023660381b349eb09a
SHA256
b30c5de351714e033b9e835158f008c96f17e492a85bfb1bddb3424d286b59fc
SHA512
3281e85a741e73f134289b5cae5304b5f236117d605b98987a25251ea4cc1bc37718765485892f0163c4496f5ebd2290e23989573aea84f1537441dd33cb711b
-
memory/744-66-0x000002310C260000-0x000002310C261000-memory.dmp
Filesize
4KB
-
memory/744-67-0x000002310EC60000-0x000002310F0D2000-memory.dmp
Filesize
4.4MB
-
memory/744-68-0x000002310E860000-0x000002310EC60000-memory.dmp
Filesize
4.0MB
-
memory/744-69-0x000002310E860000-0x000002310EC60000-memory.dmp
Filesize
4.0MB