Analysis
- max time kernel: 146s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 11/10/2023, 11:01
Static task: static1
Behavioral task: behavioral1
  Sample: 03ccd9ab1ff49b374c233aa89e45b683cbf3b7ee87b3a257421c4e541330ae3e.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: 03ccd9ab1ff49b374c233aa89e45b683cbf3b7ee87b3a257421c4e541330ae3e.exe
  Resource: win10v2004-20230915-en
General
- Target: 03ccd9ab1ff49b374c233aa89e45b683cbf3b7ee87b3a257421c4e541330ae3e.exe
- Size: 5.6MB
- MD5: 2e73b0ade618cdc967165d1310eec29c
- SHA1: b56638a0e6d46f29bb32bcd5274bb9c8d58b56d8
- SHA256: 03ccd9ab1ff49b374c233aa89e45b683cbf3b7ee87b3a257421c4e541330ae3e
- SHA512: 264aea5bff72ca246f1b0b5219220a215aa5bbcc0efd716bc65c7c642702050ef87d50c39cf8479a28dfdc4e04624e5c365a7c01791dcfd18f3c8e8d6e5debbb
- SSDEEP: 98304:XMWfDc9W4i3yiI7HuSjOCf6xD/RRI+iZ7q1zPPXNAjtVa/u:UruyiYHs1xlRI+7NAjtVa/u
Malware Config
Extracted: cobaltstrike (watermark 666666)
C2: http://css.bustring.com:443/safebrowsing/QVXHQf/QVXHQfXdpinARC06MctcJ4hprcWoBIZaDp2-M
- access_type: 512
- beacon_type: 2048
- host: css.bustring.com,/safebrowsing/QVXHQf/QVXHQfXdpinARC06MctcJ4hprcWoBIZaDp2-M
- http_header1:
- http_header2:
- http_method1: GET
- http_method2: POST
- jitter: 5120
- polling_time: 30000
- port_number: 443
- sc_process32: %windir%\syswow64\gpupdate.exe
- sc_process64: %windir%\sysnative\gpupdate.exe
- state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCZFVu69HEHoxtabkylaXLTONOa7sbbaTxinK8LCf7IOw6k9xtHahhn/phltzTgYu9ZYS1ugMrlB8Ik2/F8CTX+o5xgIQJU6is7Dj7ggXGamS89VZdp9f5U58EGa97acrc6Ga9zXeW/q1HBFfSnEuEt7SlJlVZOTgNldOiN5zpXTQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 4096
- unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /safebrowsing/QVXHQf/QVXHQfyfH5BrChprcWoBIZaDp2-M
- user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3943.0 Safari/537.36 Edg/79.0.308.1
- watermark: 666666
Extracted: cobaltstrike (watermark 0)
- watermark: 0
Signatures
- Cobaltstrike: Detected malicious payload which is part of Cobaltstrike.
- Executes dropped EXE (1 IoC)
  PID 2188: dmws.exe
- Loads dropped DLL (1 IoC)
  PID 1696: 03ccd9ab1ff49b374c233aa89e45b683cbf3b7ee87b3a257421c4e541330ae3e.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 1696: 03ccd9ab1ff49b374c233aa89e45b683cbf3b7ee87b3a257421c4e541330ae3e.exe
  PID 1696: 03ccd9ab1ff49b374c233aa89e45b683cbf3b7ee87b3a257421c4e541330ae3e.exe
  PID 2188: dmws.exe
  PID 2188: dmws.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1696 (03ccd9ab1ff49b374c233aa89e45b683cbf3b7ee87b3a257421c4e541330ae3e.exe) wrote to memory of PID 2188, procid_target 28
  PID 1696 (03ccd9ab1ff49b374c233aa89e45b683cbf3b7ee87b3a257421c4e541330ae3e.exe) wrote to memory of PID 2188, procid_target 28
  PID 1696 (03ccd9ab1ff49b374c233aa89e45b683cbf3b7ee87b3a257421c4e541330ae3e.exe) wrote to memory of PID 2188, procid_target 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\03ccd9ab1ff49b374c233aa89e45b683cbf3b7ee87b3a257421c4e541330ae3e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\03ccd9ab1ff49b374c233aa89e45b683cbf3b7ee87b3a257421c4e541330ae3e.exe"
   PID: 1696
   - Loads dropped DLL
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Public\dmws.exe (child of the process above)
      Command line: C:\Users\Public
      PID: 2188
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 5.6MB
  MD5: 2e73b0ade618cdc967165d1310eec29c
  SHA1: b56638a0e6d46f29bb32bcd5274bb9c8d58b56d8
  SHA256: 03ccd9ab1ff49b374c233aa89e45b683cbf3b7ee87b3a257421c4e541330ae3e
  SHA512: 264aea5bff72ca246f1b0b5219220a215aa5bbcc0efd716bc65c7c642702050ef87d50c39cf8479a28dfdc4e04624e5c365a7c01791dcfd18f3c8e8d6e5debbb