Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-11-2023 07:41

General

  • Target

    李志-账号密码记录-解压密码-20231116.exe

  • Size

    13.4MB

  • MD5

    2c8fb8705dbce5899bf596163a9b077a

  • SHA1

    7233623d12b409760193c0be6fbb4b330fc74788

  • SHA256

    ec799e2ed133c709d9eb321b3876c8c3167314ff14ea407f2bffea51322e1ad3

  • SHA512

    22a63989d76dfc48c59f91196759b724ec7ff50bd41f61f5a590381e1563cc1059003e4087a6d65bcd95d50cc3991364d255343658b074193fcc8a949df21f40

  • SSDEEP

    98304:83Xn/gtuU2ICoM6f465FjjnrZ/cfMKpSw6Z5Vc1EboPkywplb:MX/gtuU2IY6PBcfMbN5VcGbo8Z

Malware Config

Extracted

  • Family

    cobaltstrike

  • Botnet

    100000

  • C2

    http://service-ho26i50l-1306669097.bj.apigw.tencentcs.com:443/assets/code-3d7b701fc6eb.css

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    service-ho26i50l-1306669097.bj.apigw.tencentcs.com,/assets/code-3d7b701fc6eb.css

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAeQ29udGVudC1MYW5ndWFnZTogZGUtREUsIGVuLUNBAAAABwAAAAAAAAADAAAAAgAAAApTRVNTSU9OSUQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAeQ29udGVudC1MYW5ndWFnZTogZGUtREUsIGVuLUNBAAAABwAAAAAAAAADAAAAAgAAAAlKU0VTU0lPTj0AAAAGAAAABkNvb2tpZQAAAAcAAAABAAAAAwAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    2560

  • polling_time

    5

  • port_number

    443

  • sc_process32

    %windir%\syswow64\esentutl.exe

  • sc_process64

    %windir%\sysnative\esentutl.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCAjLA3M+TgpQGM45UvhVjbFFxsA/w5baPizJxsN/CASGrNAwDXLRXCu1MHpgNtbbHqHlkqnavFZUT71H1FIeyPxKQz+0CqnrBJuFWXSGn0QTBxjYUUhx2aAcf7BqeLzQ1OgbOg/SahLDHGR6G5XRXQLVj8zXEUj/+3/46p0MqHXwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    2.702512128e+09

  • unknown2

    AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /qiyi

  • user_agent

    Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)

  • watermark

    100000

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Modifies system certificate store (2 TTPs, 2 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\李志-账号密码记录-解压密码-20231116.exe
    "C:\Users\Admin\AppData\Local\Temp\李志-账号密码记录-解压密码-20231116.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2984
    • C:\Windows\system32\cmd.exe
      cmd /c start C:\ProgramData\win.exe
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2356
      • C:\ProgramData\win.exe
        C:\ProgramData\win.exe
        3⤵
        • Executes dropped EXE
        • Modifies system certificate store
        PID:1944

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Defense Evasion
    • Subvert Trust Controls (T1553): 1
    • Install Root Certificate (T1553.004): 1
    • Modify Registry (T1112): 1

Downloads

  • C:\ProgramData\win.exe
    Filesize

    405KB

    MD5

    ac7d9cbf94a9e1ed5cbe640639a488f4

    SHA1

    1d0baedcb76ae27d62138d5dda11a6f69cb12511

    SHA256

    6e35326ea33f4f17ce8a1be50d8b107044b0256b7e773d90746ce6b56552898c

    SHA512

    dfd97b318ce7ba452d70d69d72a8093a7a5ce685757c490e806c571493a55a923b0d60039dab98193958d6aca0acc02d15502abc43becb32460daca29434c41e

  • \ProgramData\win.exe
    Filesize

    405KB

    MD5

    ac7d9cbf94a9e1ed5cbe640639a488f4

    SHA1

    1d0baedcb76ae27d62138d5dda11a6f69cb12511

    SHA256

    6e35326ea33f4f17ce8a1be50d8b107044b0256b7e773d90746ce6b56552898c

    SHA512

    dfd97b318ce7ba452d70d69d72a8093a7a5ce685757c490e806c571493a55a923b0d60039dab98193958d6aca0acc02d15502abc43becb32460daca29434c41e

  • memory/1944-8-0x0000000000060000-0x0000000000160000-memory.dmp
    Filesize

    1024KB

  • memory/1944-9-0x0000000002C00000-0x0000000002C4F000-memory.dmp
    Filesize

    316KB

  • memory/1944-10-0x0000000000060000-0x0000000000160000-memory.dmp
    Filesize

    1024KB

  • memory/1944-11-0x0000000000060000-0x0000000000160000-memory.dmp
    Filesize

    1024KB

  • memory/2984-6-0x000000013F550000-0x000000014031A000-memory.dmp
    Filesize

    13.8MB