Analysis

  • max time kernel
    146s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    11-10-2023 11:01

General

  • Target

    03ccd9ab1ff49b374c233aa89e45b683cbf3b7ee87b3a257421c4e541330ae3e.exe

  • Size

    5.6MB

  • MD5

    2e73b0ade618cdc967165d1310eec29c

  • SHA1

    b56638a0e6d46f29bb32bcd5274bb9c8d58b56d8

  • SHA256

    03ccd9ab1ff49b374c233aa89e45b683cbf3b7ee87b3a257421c4e541330ae3e

  • SHA512

    264aea5bff72ca246f1b0b5219220a215aa5bbcc0efd716bc65c7c642702050ef87d50c39cf8479a28dfdc4e04624e5c365a7c01791dcfd18f3c8e8d6e5debbb

  • SSDEEP

    98304:XMWfDc9W4i3yiI7HuSjOCf6xD/RRI+iZ7q1zPPXNAjtVa/u:UruyiYHs1xlRI+7NAjtVa/u

Malware Config

Extracted

Family

cobaltstrike

Botnet

666666

C2

http://css.bustring.com:443/safebrowsing/QVXHQf/QVXHQfXdpinARC06MctcJ4hprcWoBIZaDp2-M

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    css.bustring.com,/safebrowsing/QVXHQf/QVXHQfXdpinARC06MctcJ4hprcWoBIZaDp2-M

  • http_header1

    AAAAEAAAAB5Ib3N0OiBhcGkuYWN0aXZlLW1pY3Jvc29mdC5jb20AAAAKAAAAR0FjY2VwdDogdGV4dC9odG1sLGFwcGxpY2F0aW9uL3hodG1sK3htbCxhcHBsaWNhdGlvbi94bWw7cT0wLjksKi8qO3E9MC44AAAACgAAAB9BY2NlcHQtTGFuZ3VhZ2U6IGVuLVVTLGVuO3E9MC41AAAABwAAAAAAAAALAAAAAgAAAA9SRUY9SUQ9UVZYSFFmeWYAAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAAEAAAAB5Ib3N0OiBhcGkuYWN0aXZlLW1pY3Jvc29mdC5jb20AAAAKAAAAR0FjY2VwdDogdGV4dC9odG1sLGFwcGxpY2F0aW9uL3hodG1sK3htbCxhcHBsaWNhdGlvbi94bWw7cT0wLjksKi8qO3E9MC44AAAACgAAAB9BY2NlcHQtTGFuZ3VhZ2U6IGVuLVVTLGVuO3E9MC41AAAABwAAAAAAAAALAAAAAgAAAA9SRUY9SUQ9UVZYSFFmeWYAAAAGAAAABkNvb2tpZQAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    5120

  • polling_time

    30000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\gpupdate.exe

  • sc_process64

    %windir%\sysnative\gpupdate.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCZFVu69HEHoxtabkylaXLTONOa7sbbaTxinK8LCf7IOw6k9xtHahhn/phltzTgYu9ZYS1ugMrlB8Ik2/F8CTX+o5xgIQJU6is7Dj7ggXGamS89VZdp9f5U58EGa97acrc6Ga9zXeW/q1HBFfSnEuEt7SlJlVZOTgNldOiN5zpXTQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /safebrowsing/QVXHQf/QVXHQfyfH5BrChprcWoBIZaDp2-M

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3943.0 Safari/537.36 Edg/79.0.308.1

  • watermark

    666666

Extracted

Family

cobaltstrike

Botnet

0

Attributes
  • watermark

    0

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\03ccd9ab1ff49b374c233aa89e45b683cbf3b7ee87b3a257421c4e541330ae3e.exe
    "C:\Users\Admin\AppData\Local\Temp\03ccd9ab1ff49b374c233aa89e45b683cbf3b7ee87b3a257421c4e541330ae3e.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1696
    • C:\Users\Public\dmws.exe
      C:\Users\Public
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2188

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\dmws.exe
    Filesize

    5.6MB

    MD5

    2e73b0ade618cdc967165d1310eec29c

    SHA1

    b56638a0e6d46f29bb32bcd5274bb9c8d58b56d8

    SHA256

    03ccd9ab1ff49b374c233aa89e45b683cbf3b7ee87b3a257421c4e541330ae3e

    SHA512

    264aea5bff72ca246f1b0b5219220a215aa5bbcc0efd716bc65c7c642702050ef87d50c39cf8479a28dfdc4e04624e5c365a7c01791dcfd18f3c8e8d6e5debbb

  • \Users\Public\dmws.exe
    Filesize

    5.6MB

    MD5

    2e73b0ade618cdc967165d1310eec29c

    SHA1

    b56638a0e6d46f29bb32bcd5274bb9c8d58b56d8

    SHA256

    03ccd9ab1ff49b374c233aa89e45b683cbf3b7ee87b3a257421c4e541330ae3e

    SHA512

    264aea5bff72ca246f1b0b5219220a215aa5bbcc0efd716bc65c7c642702050ef87d50c39cf8479a28dfdc4e04624e5c365a7c01791dcfd18f3c8e8d6e5debbb

  • memory/2188-5-0x000007FEFDB60000-0x000007FEFDBCC000-memory.dmp
    Filesize

    432KB

  • memory/2188-4-0x000007FEBDB50000-0x000007FEBDB60000-memory.dmp
    Filesize

    64KB

  • memory/2188-6-0x000007FEFDB60000-0x000007FEFDBCC000-memory.dmp
    Filesize

    432KB

  • memory/2188-7-0x00000000030C0000-0x000000000322C000-memory.dmp
    Filesize

    1.4MB

  • memory/2188-8-0x000007FEFDB60000-0x000007FEFDBCC000-memory.dmp
    Filesize

    432KB

  • memory/2188-9-0x00000000030C0000-0x000000000322C000-memory.dmp
    Filesize

    1.4MB

  • memory/2188-11-0x00000000030C0000-0x000000000322C000-memory.dmp
    Filesize

    1.4MB

  • memory/2188-12-0x00000000030C0000-0x000000000322C000-memory.dmp
    Filesize

    1.4MB

  • memory/2188-14-0x00000000030C0000-0x000000000322C000-memory.dmp
    Filesize

    1.4MB

  • memory/2188-16-0x00000000030C0000-0x000000000322C000-memory.dmp
    Filesize

    1.4MB