Analysis
-
max time kernel
153s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
12-10-2023 07:04
General
-
Target
4d889e881675138b5982c9f481130f5e0f284758145d3ab7a0c5eede66163dca.exe
-
Size
14KB
-
MD5
5676ecaa82a40a4f98f2a8cae324e63e
-
SHA1
01c5bfe1d663f2ba48c3c43bf15504568c3cfd9f
-
SHA256
4d889e881675138b5982c9f481130f5e0f284758145d3ab7a0c5eede66163dca
-
SHA512
cdfa8ec09a278a6aa8209efc3a26001edafd00d63cd303c7efde2853db5006d5ad4ad9b5cef1e85693b54d10acd8be300b78ea21ab7ea551a28ee6c9c42f795a
-
SSDEEP
192:A/H+DgGK83SxHn2OQ/dmBI4KBfTgir+xzDS6Jo1bqUqV/Qjo7AGa:Av+kGKqbOCdWIVBff+xzO6ahfCXAn
Malware Config
Extracted
metasploit
windows/download_exec
http://js.yalafix.com:443/Logo.jpg?typeid=6033
Extracted
cobaltstrike
100000
http://js.yalafix.com:443/checkin
-
access_type
512
-
beacon_type
2048
-
host
js.yalafix.com,/checkin
-
http_header1
AAAABwAAAAAAAAALAAAAAgAAAAV1c2VyPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAABJBY2NlcHQ6IHRleHQvcGxhaW4AAAAKAAAAFkFjY2VwdC1MYW5ndWFnZTogZW4tdXMAAAAKAAAAG0FjY2VwdC1FbmNvZGluZzogdGV4dC9wbGFpbgAAABAAAAAUSG9zdDoganMueWFsYWZpeC5jb20AAAAKAAAAL0NvbnRlbnQtVHlwZTogYXBwbGljYXRpb24veC13d3ctZm9ybS11cmxlbmNvZGVkAAAABwAAAAAAAAAIAAAABQAAAAJpZAAAAAcAAAABAAAAAwAAAAIAAABQJk9TPU1BQ09TJm9wPTMmaWQ9NTQzamhmZGtzakg4OTQmdWk9TW9vbmdvbGRAQ29ycCZncj1iYWNrb2ZmJnd2PTUxJmJ2PTEuMDYmZGF0YT0AAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
6400
-
polling_time
35590
-
port_number
443
-
sc_process32
%windir%\syswow64\dllhost.exe
-
sc_process64
%windir%\sysnative\dllhost.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCi5mYDeyxD6LfU/3JVw4tHFt8tWVcZ/GLqz+OOYlbWJXy35VXpj8otusxAaAeXgKcy9MFG2Tly4j42Kuh1CEuq4SHyqaENQYdCWQr+0kOB6eb7Ju5wVnKHbX8m74gUkg5knjHUBB3hb7rK321OlEIvXs5ORWCNkoM9vqa+UZiRhwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
1.481970944e+09
-
unknown2
AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/aircanada/checkin.php
-
user_agent
Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
-
watermark
100000
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Processes
-
C:\Users\Admin\AppData\Local\Temp\4d889e881675138b5982c9f481130f5e0f284758145d3ab7a0c5eede66163dca.exe"C:\Users\Admin\AppData\Local\Temp\4d889e881675138b5982c9f481130f5e0f284758145d3ab7a0c5eede66163dca.exe"1⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
1.7MB
-
Filesize
4.0MB
-
Filesize
4.0MB