Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    18-11-2023 15:09

General

  • Target

    a3babceed625938f1a8046899a17ae59f56eae3033bc37a0eaf398472dcf186d.exe

  • Size

    842KB

  • MD5

    214fae5a642240511b66047cc90a63a5

  • SHA1

    0c6f337c8419c09c1fb564a054777d94bcb5411c

  • SHA256

    a3babceed625938f1a8046899a17ae59f56eae3033bc37a0eaf398472dcf186d

  • SHA512

    c628d9a9e19ed1a19d84389cce3e08c70a3699457971c9c9d881ab99eeb228ec74a2eef9db5c7f66ee7242f397496757a1d9267fef7c21af29125a1c19f4efe3

  • SSDEEP

    6144:BEWhZP2Ubecc830D+SOgxLQXI966PehLgOo7YOPi7tq+yOYP96pRBwq3gzUWsm9o:pZei9SOgxn9PBrtwFyyjf3gg9m9o

Malware Config

Extracted

Family

cobaltstrike

C2

http://img.uioqwea.xyz:8443/messages/DALBNSFFT4Q

Attributes
  • user_agent

    Accept: text/html,application/*,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Host: img.uioqwea.xyz Referer: http://code.jquery.com/ Accept-Encoding: gzip, deflate User-Agent: Mozilla/6.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/7.0)

Extracted

Family

cobaltstrike

Botnet

100000

C2

http://172.67.182.142:8443/messages/xV5GdE

http://104.21.35.254:8443/messages/xV5GdE

http://2606:4700:3032::6815:23fe:8443/messages/xV5GdE

http://2606:4700:3033::ac43:b68e:8443/messages/xV5GdE

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    172.67.182.142,/messages/xV5GdE,104.21.35.254,/messages/xV5GdE,2606:4700:3032::6815:23fe,/messages/xV5GdE,2606:4700:3033::ac43:b68e,/messages/xV5GdE

  • http_header1

    AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAcAAAAAAAAAAwAAAAIAAAAKU0VTU0lPTklEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAcAAAAAAAAAAwAAAAIAAAAJSlNFU1NJT049AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    2560

  • polling_time

    10000

  • port_number

    8443

  • sc_process32

    %windir%\syswow64\esentutl.exe

  • sc_process64

    %windir%\sysnative\esentutl.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCaQGOQzaqqQLDxqfNAdfZu7isKEAhtTHok92MhWQ6haLF6I92+W3zIHm5+FBWaPVxJ+LV5YaSDuXAwGrTKzYDu/MHzXYcuENLyL4dRuFbJBfJwRImaLDke8V2+zhN0vu0ZSNtDIE4xEKf/UzAj6i/Jdh0+Ha72abUlVMBRn37jLwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    3.092976896e+09

  • unknown2

    AAAABAAAAAEAAATAAAAAAQAAAAwAAAACAAABlAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /messages/96OpFu

  • user_agent

    Mozilla/6.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/7.0)

  • watermark

    100000

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a3babceed625938f1a8046899a17ae59f56eae3033bc37a0eaf398472dcf186d.exe
    "C:\Users\Admin\AppData\Local\Temp\a3babceed625938f1a8046899a17ae59f56eae3033bc37a0eaf398472dcf186d.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2660
    • C:\Windows\system32\cmd.exe
      "cmd" "/c start /b C:\Users\Admin\AppData\Local\Temp\a3babceed625938f1a8046899a17ae59f56eae3033bc37a0eaf398472dcf186d.pdf"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\a3babceed625938f1a8046899a17ae59f56eae3033bc37a0eaf398472dcf186d.pdf"
        3⤵
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2812

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\a3babceed625938f1a8046899a17ae59f56eae3033bc37a0eaf398472dcf186d.pdf

    Filesize

    29KB

    MD5

    c6fb63f70f8da23539463eda84541bb4

    SHA1

    1fdde1112b05d2ea6e2851c7e1487793c5613357

    SHA256

    9daf831a61519ec9b44b463cde65eb3deafee438b30a5861213262b6465322f4

    SHA512

    c21596643c20eede83a21fd42a73daad46c929d017efa60ee5df7d60a8528add7a90ac1f24c215325dab00d662e88e31ce45dfd156feee1e2611b6702237192c

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    a1049c7698eb8114916a399efdbbcc99

    SHA1

    a70fc2af65c933f1eb3eb7ad8a6dea8c1e28722e

    SHA256

    8777b90ef72d070706c360573dca04b60d5f3a4ea50d4988b4d6a2af634982dc

    SHA512

    1863a21e41204cf74e11299111cf610d3419de7ef34777733a8ad58656c478ed1a3e53139c001fc6debf60b3890dcfb83ea3ceed69b2a0f4927c4fdbdb467107

  • memory/2660-1-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

  • memory/2660-25-0x0000000000420000-0x0000000000481000-memory.dmp

    Filesize

    388KB