Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
-
submitted
23-10-2023 05:29
General
-
Target
b73a0c2f32dbb99514b8c19d6bf7bac6631b22bd18133cee34246f68ec5f9f3b.exe
-
Size
3.3MB
-
MD5
d75b6e2eb4c0b32d994f792c327aaab2
-
SHA1
6d2406e2e6bc7a5a950a896dece74e7a8cc25fd8
-
SHA256
b73a0c2f32dbb99514b8c19d6bf7bac6631b22bd18133cee34246f68ec5f9f3b
-
SHA512
e20c1f650eabb3c6dfbce6e5e246ad09b51b60456ee58fed449e8c39d228e7072ac9b3725360d65df0dca14b4569f3e8f6b8bc966e3d414fcef3348098de36c2
-
SSDEEP
49152:dMvmQWgAi4Jl/Oh3drciJhuHsv8cRqWkqv4ED:OOQzQD/ipcEVRZv
Malware Config
Extracted
cobaltstrike
100000
http://config.dnslogik.com:8443/mp/getapp/msgext
-
access_type
512
-
beacon_type
2048
-
host
config.dnslogik.com,/mp/getapp/msgext
-
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAfQWNjZXB0LUxhbmd1YWdlOiB6aC1DTix6aDtxPTAuOQAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAACgAAACFSZWZlcmVyOiBodHRwOi8vbXAud2VpeGluLnFxLmNvbS8AAAAHAAAAAAAAAAMAAAACAAAABU1ZTXp6AAAABgAAAAxYLVdlY2hhdC1VaW4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAAI9BY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LGltYWdlL2F2aWYsaW1hZ2Uvd2VicCxpbWFnZS9hcG5nLCovKjtxPTAuOCxhcHBsaWNhdGlvbi9zaWduZWQtZXhjaGFuZ2U7dj1iMztxPTAuOQAAAAoAAAAfQWNjZXB0LUxhbmd1YWdlOiB6aC1DTix6aDtxPTAuOQAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAACgAAAC9Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZAAAAAoAAAAhUmVmZXJlcjogaHR0cDovL21wLndlaXhpbi5xcS5jb20vAAAABwAAAAAAAAADAAAAAgAAAAVNWU16egAAAAYAAAAMWC1XZWNoYXQtVWluAAAABwAAAAEAAAADAAAAAgAAAAhNTWRhdGE9QQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
9472
-
polling_time
5000
-
port_number
8443
-
sc_process32
%windir%\syswow64\gpupdate.exe
-
sc_process64
%windir%\sysnative\gpupdate.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCQzecnJRAPh6p98s1qDfvFyh/+NR2r3duROrEqeGgp6EouIkvj9MAgZk9VYBb6iflW2V9XRp2pUHeikwuSEkQOHmktOsm3Ke2s/+NHBRURolOpNIXFcpuhTQaJ8NQqLMbwxdoQSVj3/cL0Ilhq6TKSIiROp2JnMgnvrazZQUGBEwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
1.532302592e+09
-
unknown2
AAAABAAAAAIAAAADAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/mp/wapcommon/report
-
user_agent
WeChat/8.0.5.32 CFNetwork/1237 Darwin/20.4.0
-
watermark
100000
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b73a0c2f32dbb99514b8c19d6bf7bac6631b22bd18133cee34246f68ec5f9f3b.exe"C:\Users\Admin\AppData\Local\Temp\b73a0c2f32dbb99514b8c19d6bf7bac6631b22bd18133cee34246f68ec5f9f3b.exe"1⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2520-0-0x0000000047D70000-0x00000000481E2000-memory.dmpFilesize
4.4MB
-
memory/2520-1-0x0000000047C60000-0x0000000047CA1000-memory.dmpFilesize
260KB
-
memory/2520-2-0x0000000047C60000-0x0000000047CA1000-memory.dmpFilesize
260KB