Analysis
- max time kernel: 150s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20231020-en
- resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
- submitted: 18-11-2023 15:09
Static task: static1
Behavioral task: behavioral1
- Sample: a3babceed625938f1a8046899a17ae59f56eae3033bc37a0eaf398472dcf186d.exe
- Resource: win7-20231020-en
Behavioral task: behavioral2
- Sample: a3babceed625938f1a8046899a17ae59f56eae3033bc37a0eaf398472dcf186d.exe
- Resource: win10v2004-20231023-en
General
- Target: a3babceed625938f1a8046899a17ae59f56eae3033bc37a0eaf398472dcf186d.exe
- Size: 842KB
- MD5: 214fae5a642240511b66047cc90a63a5
- SHA1: 0c6f337c8419c09c1fb564a054777d94bcb5411c
- SHA256: a3babceed625938f1a8046899a17ae59f56eae3033bc37a0eaf398472dcf186d
- SHA512: c628d9a9e19ed1a19d84389cce3e08c70a3699457971c9c9d881ab99eeb228ec74a2eef9db5c7f66ee7242f397496757a1d9267fef7c21af29125a1c19f4efe3
- SSDEEP: 6144:BEWhZP2Ubecc830D+SOgxLQXI966PehLgOo7YOPi7tq+yOYP96pRBwq3gzUWsm9o:pZei9SOgxn9PBrtwFyyjf3gg9m9o
Malware Config
Extracted: cobaltstrike
- http://img.uioqwea.xyz:8443/messages/DALBNSFFT4Q
- user_agent: Accept: text/html,application/*,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Host: img.uioqwea.xyz Referer: http://code.jquery.com/ Accept-Encoding: gzip, deflate User-Agent: Mozilla/6.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/7.0)
Extracted: cobaltstrike
100000
- http://172.67.182.142:8443/messages/xV5GdE
- http://104.21.35.254:8443/messages/xV5GdE
- http://2606:4700:3032::6815:23fe:8443/messages/xV5GdE
- http://2606:4700:3033::ac43:b68e:8443/messages/xV5GdE
- access_type: 512
- beacon_type: 2048
- host: 172.67.182.142,/messages/xV5GdE,104.21.35.254,/messages/xV5GdE,2606:4700:3032::6815:23fe,/messages/xV5GdE,2606:4700:3033::ac43:b68e,/messages/xV5GdE
http_header1
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
-
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAcAAAAAAAAAAwAAAAIAAAAJSlNFU1NJT049AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
- http_method1: GET
- http_method2: POST
- jitter: 2560
- polling_time: 10000
- port_number: 8443
- sc_process32: %windir%\syswow64\esentutl.exe
- sc_process64: %windir%\sysnative\esentutl.exe
- unknown1: 3.092976896e+09
- uri: /messages/96OpFu
- user_agent: Mozilla/6.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/7.0)
- watermark: 100000
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
  Processes:
    pid   process
    2812  AcroRd32.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
    pid   process
    2812  AcroRd32.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes:
    pid   process
    2812  AcroRd32.exe
    2812  AcroRd32.exe
    2812  AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
    description                        pid   process                                                                   target process
    PID 2660 wrote to memory of 2664   2660  a3babceed625938f1a8046899a17ae59f56eae3033bc37a0eaf398472dcf186d.exe  cmd.exe
    PID 2660 wrote to memory of 2664   2660  a3babceed625938f1a8046899a17ae59f56eae3033bc37a0eaf398472dcf186d.exe  cmd.exe
    PID 2660 wrote to memory of 2664   2660  a3babceed625938f1a8046899a17ae59f56eae3033bc37a0eaf398472dcf186d.exe  cmd.exe
    PID 2664 wrote to memory of 2812   2664  cmd.exe                                                                   AcroRd32.exe
    PID 2664 wrote to memory of 2812   2664  cmd.exe                                                                   AcroRd32.exe
    PID 2664 wrote to memory of 2812   2664  cmd.exe                                                                   AcroRd32.exe
    PID 2664 wrote to memory of 2812   2664  cmd.exe                                                                   AcroRd32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a3babceed625938f1a8046899a17ae59f56eae3033bc37a0eaf398472dcf186d.exe
  "C:\Users\Admin\AppData\Local\Temp\a3babceed625938f1a8046899a17ae59f56eae3033bc37a0eaf398472dcf186d.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2660
  - C:\Windows\system32\cmd.exe
    "cmd" "/c start /b C:\Users\Admin\AppData\Local\Temp\a3babceed625938f1a8046899a17ae59f56eae3033bc37a0eaf398472dcf186d.pdf"
    - Suspicious use of WriteProcessMemory
    PID: 2664
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\a3babceed625938f1a8046899a17ae59f56eae3033bc37a0eaf398472dcf186d.pdf"
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      PID: 2812
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\a3babceed625938f1a8046899a17ae59f56eae3033bc37a0eaf398472dcf186d.pdf
  Filesize: 29KB
  MD5: c6fb63f70f8da23539463eda84541bb4
  SHA1: 1fdde1112b05d2ea6e2851c7e1487793c5613357
  SHA256: 9daf831a61519ec9b44b463cde65eb3deafee438b30a5861213262b6465322f4
  SHA512: c21596643c20eede83a21fd42a73daad46c929d017efa60ee5df7d60a8528add7a90ac1f24c215325dab00d662e88e31ce45dfd156feee1e2611b6702237192c
- Filesize: 3KB
  MD5: a1049c7698eb8114916a399efdbbcc99
  SHA1: a70fc2af65c933f1eb3eb7ad8a6dea8c1e28722e
  SHA256: 8777b90ef72d070706c360573dca04b60d5f3a4ea50d4988b4d6a2af634982dc
  SHA512: 1863a21e41204cf74e11299111cf610d3419de7ef34777733a8ad58656c478ed1a3e53139c001fc6debf60b3890dcfb83ea3ceed69b2a0f4927c4fdbdb467107