Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-12-2023 10:30
Behavioral task behavioral1
Sample: 335d2147d98401bc9b9f8e7cd765513a58ee643624ea5fc6bc12ba7173681432.exe
Resource: win7-20231215-en
Behavioral task behavioral2
Sample: 335d2147d98401bc9b9f8e7cd765513a58ee643624ea5fc6bc12ba7173681432.exe
Resource: win10v2004-20231215-en
Note: every signature, memory dump and dropped file on this page is tagged behavioral2 (the Windows 10 run); no results from the Windows 7 run (behavioral1) appear here.
General
Target: 335d2147d98401bc9b9f8e7cd765513a58ee643624ea5fc6bc12ba7173681432.exe
Size: 4.4MB
MD5: 32d056a2aa49444e85234ed0fab81cdb
SHA1: c9e154ce4f6d12980d1aa4d7ba7e3b447bfa6626
SHA256: 335d2147d98401bc9b9f8e7cd765513a58ee643624ea5fc6bc12ba7173681432
SHA512: 69e24b858b88abeb2ad800ef916d198c7bb9d2ae2cbb398851ae2ae2316923a93e7f50ca7a73dcefba5da932c8c98b9780876b7e5bd0862c6058204d1bd8cc84
SSDEEP: 98304:lR+MuHOJeihJ7GNUOiGyUu+mkZjkqaJlb2WPspkFO+/W83:lmHm7oFfTu+DZgtOWUpGt
Malware Config
Extracted: cobaltstrike
Watermark: 100000
C2: http://121.36.230.220:1433/mp/getapp/msgext
Fields as reported by the extractor:
- access_type: 512
- host: 121.36.230.220,/mp/getapp/msgext
- http_header1: (value not present on this page; it was removed when the corpus was extracted)
- http_header2: (value not present on this page; it was removed when the corpus was extracted)
- http_method1: GET
- http_method2: POST
- jitter: 9472
- polling_time: 5000
- port_number: 1433
- sc_process32: %windir%\syswow64\gpupdate.exe
- sc_process64: %windir%\sysnative\gpupdate.exe
- state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFuKYQt1zNXFqCdxN+bU8dNSNp4sOpNTjHqGGpTaKDTeq1XYdsr0D/D+jxTBDSbrZNRFlpYch0PII1QMy1ptYfAeX5tblsjgLIkuPE6gPNc6XzoXkJe3kPsP00ZUy18cWH+cmm8XMoEf5Vul5KRg/hXvsr5L5vKzVUi1py/JDGowIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 1.532302592e+09
- unknown2: AAAABAAAAAIAAAADAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /mp/wapcommon/report
- user_agent: WeChat/8.0.5.32 CFNetwork/1237 Darwin/20.4.0
- watermark: 100000
Reading the config:
- The beacon makes two kinds of request: GET http://121.36.230.220:1433/mp/getapp/msgext (the `host` field carries the IP and the GET URI) and POST http://121.36.230.220:1433/mp/wapcommon/report (the `uri` field). Both are plain HTTP on TCP 1433, the default MSSQL port, so HTTP on that port is a protocol/port mismatch that can be alerted on without knowing the address.
- The User-Agent imitates an iOS WeChat client (CFNetwork/Darwin). Presented by a Windows host it is an anomaly on its own; the URIs are themed on WeChat API paths for the same reason.
- `polling_time` 5000 is the sleep interval in milliseconds. `jitter` 9472 is shown as the extractor reported it; it lies outside the 0-99 percent range Cobalt Strike uses for jitter, so do not build timing assumptions on it.
- `sc_process32` / `sc_process64` are the spawnto targets: post-exploitation jobs run inside a sacrificial gpupdate.exe, so gpupdate.exe with injected threads or outbound connections is the host-side signal to hunt for.
- Despite the label, `state_machine` decodes to a DER SubjectPublicKeyInfo holding a 1024-bit RSA key with public exponent 65537 (the prefix `MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ` is that structure's fixed header), zero-padded to the 256-byte field. It is the team server's public key, used by the beacon to encrypt its session metadata, and it is identical for every beacon generated by that team server, which makes a hash of it a more durable pivot than the C2 address.
- `watermark` 100000 is the licence watermark; this value is widely reported in cracked and leaked builds.
- `access_type`, `unknown1` and `unknown2` are fields the extractor does not name and are kept as reported.
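The following script is an added example, not part of the sandbox report or of any analysis tooling it names. It takes the `state_machine` value and the HTTP fields copied from the config above, decodes the public key with a minimal hand-written DER reader (standard library only), and builds the two C2 request URLs. The SHA-256 of the DER key is what you would store as the team-server pivot. The base64 decoder is deliberately lenient about padding because the value shown on the page includes its zero-fill and a copied string can lose a trailing character.

```python
"""Decode the Cobalt Strike config fields shown on this page (added example)."""
import base64
import hashlib

# Copied from the "Malware Config" section of this page.
STATE_MACHINE = (
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFuKYQt1zNXFqCdxN+bU8dNSNp4sOpNTjH"
    "qGGpTaKDTeq1XYdsr0D/D+jxTBDSbrZNRFlpYch0PII1QMy1ptYfAeX5tblsjgLIkuPE6gPN"
    "c6XzoXkJe3kPsP00ZUy18cWH+cmm8XMoEf5Vul5KRg/hXvsr5L5vKzVUi1py/JDGowIDAQAB"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
)
CONFIG = {
    "host": "121.36.230.220,/mp/getapp/msgext",
    "port_number": 1433,
    "uri": "/mp/wapcommon/report",
    "http_method1": "GET",
    "http_method2": "POST",
    "user_agent": "WeChat/8.0.5.32 CFNetwork/1237 Darwin/20.4.0",
    "polling_time": 5000,
}
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def _tlv(buf, pos=0):
    """Read one DER tag/length/value at `pos`; return (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                       # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def parse_rsa_spki(der):
    """Parse a SubjectPublicKeyInfo for an RSA key; return key facts."""
    tag, spki, end = _tlv(der)           # outer SEQUENCE; trailing zero-fill ignored
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, algid, pos = _tlv(spki)           # AlgorithmIdentifier
    _, oid, _ = _tlv(algid)
    if oid != RSA_OID:
        raise ValueError("not rsaEncryption")
    tag, bitstr, _ = _tlv(spki, pos)     # BIT STRING, first byte = unused bits
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("bad BIT STRING")
    _, rsapub, _ = _tlv(bitstr[1:])      # RSAPublicKey ::= SEQUENCE { n, e }
    _, n_bytes, pos = _tlv(rsapub)
    _, e_bytes, _ = _tlv(rsapub, pos)
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return {
        "modulus_bits": n.bit_length(),
        "exponent": e,
        "der_len": end,
        "fingerprint": hashlib.sha256(der[:end]).hexdigest(),
    }


def decode_public_key(field):
    """Base64-decode the field leniently, then parse it as an RSA SPKI."""
    s = field.strip().rstrip("=")
    if len(s) % 4 == 1:                  # a copied string that lost one char
        s = s[:-1]
    raw = base64.b64decode(s + "=" * (-len(s) % 4))
    return parse_rsa_spki(raw)


def beacon_requests(cfg):
    """The two C2 requests implied by host/uri/port/method fields."""
    ip, get_uri = cfg["host"].split(",", 1)
    base = "http://%s:%d" % (ip, cfg["port_number"])
    return [(cfg["http_method1"], base + get_uri),
            (cfg["http_method2"], base + cfg["uri"])]


if __name__ == "__main__":
    info = decode_public_key(STATE_MACHINE)
    print("RSA-%d e=%d sha256=%s" % (info["modulus_bits"], info["exponent"],
                                     info["fingerprint"]))
    for method, url in beacon_requests(CONFIG):
        print(method, url, "UA:", CONFIG["user_agent"])
```

The DER reader handles only what this field needs (short- and long-form lengths, the rsaEncryption OID, a BIT STRING with zero unused bits); for anything beyond Cobalt Strike public keys use a real ASN.1 library.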
Signatures
- Cobaltstrike: Detected malicious payload which is part of Cobaltstrike.
- Loads dropped DLL (4 IoCs)
  Process: PID 2944, 335d2147d98401bc9b9f8e7cd765513a58ee643624ea5fc6bc12ba7173681432.exe (four load events recorded)
- YARA rule hits, rule `upx` (the signature title for this table is not present on this page):
  C:\Users\Admin\AppData\Local\Temp\_MEI32602\python39.dll (listed twice)
  behavioral2/memory/2944-16-0x00007FF88F210000-0x00007FF88F663000-memory.dmp
  C:\Users\Admin\AppData\Local\Temp\_MEI32602\_ctypes.pyd
  behavioral2/memory/2944-21-0x00007FF8A4160000-0x00007FF8A4186000-memory.dmp
  C:\Users\Admin\AppData\Local\Temp\_MEI32602\libffi-7.dll
  behavioral2/memory/2944-31-0x00007FF8A4F20000-0x00007FF8A4F2F000-memory.dmp
  C:\Users\Admin\AppData\Local\Temp\_MEI32602\_socket.pyd
  C:\Users\Admin\AppData\Local\Temp\_MEI32602\_lzma.pyd
  C:\Users\Admin\AppData\Local\Temp\_MEI32602\_hashlib.pyd
  C:\Users\Admin\AppData\Local\Temp\_MEI32602\_bz2.pyd
  C:\Users\Admin\AppData\Local\Temp\_MEI32602\libcrypto-1_1.dll
  C:\Users\Admin\AppData\Local\Temp\_MEI32602\unicodedata.pyd
  C:\Users\Admin\AppData\Local\Temp\_MEI32602\select.pyd
  behavioral2/memory/2944-33-0x00007FF88F210000-0x00007FF88F663000-memory.dmp
  behavioral2/memory/2944-34-0x00007FF8A4160000-0x00007FF8A4186000-memory.dmp
- Suspicious use of WriteProcessMemory (2 IoCs)
  PID 3260 (335d2147d98401bc9b9f8e7cd765513a58ee643624ea5fc6bc12ba7173681432.exe) wrote to memory of PID 2944 (335d2147d98401bc9b9f8e7cd765513a58ee643624ea5fc6bc12ba7173681432.exe), recorded twice
Processes
1. C:\Users\Admin\AppData\Local\Temp\335d2147d98401bc9b9f8e7cd765513a58ee643624ea5fc6bc12ba7173681432.exe (PID 3260)
   Command line: "C:\Users\Admin\AppData\Local\Temp\335d2147d98401bc9b9f8e7cd765513a58ee643624ea5fc6bc12ba7173681432.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\335d2147d98401bc9b9f8e7cd765513a58ee643624ea5fc6bc12ba7173681432.exe (PID 2944, child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\335d2147d98401bc9b9f8e7cd765513a58ee643624ea5fc6bc12ba7173681432.exe"
      - Loads dropped DLL
The tree is the PyInstaller one-file pattern: the bootloader (PID 3260) unpacks the bundled Python 3.9 runtime into %TEMP%\_MEI32602 (the directory name starts with the parent PID) and re-executes itself as a child (PID 2944), which then loads python39.dll and the .pyd extension modules from that directory. base_library.zip and the _MEI directory are PyInstaller artifacts, and the UPX hits on the Python DLLs match PyInstaller's optional UPX compression of bundled binaries. Both WriteProcessMemory events are the parent writing into its own child at launch; no write into an unrelated process is recorded on this page. The Cobalt Strike payload is therefore carried by a Python loader; the beacon config in the previous section was extracted from the sample, and no C2 traffic is shown in the Network section of this page.
Network
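The report's Network section is empty on this page, so the following is an added example (not report output and not any vendor's rule) showing how the config fields above translate into a log check. It parses a constructed proxy-log format (an assumption for this example, not a real product's layout), fires profile-specific indicators (C2 address and port, the two URIs, the User-Agent) and two profile-independent ones that survive a change of C2 address: plain HTTP on TCP 1433 and an iOS CFNetwork/Darwin User-Agent sent by a Windows host. The sample lines are constructed; the last one shows why the URI and User-Agent alone are weak (a real iOS client would match them).

```python
"""Match proxy log lines against the extracted Cobalt Strike HTTP profile (added example)."""
import re
from urllib.parse import urlsplit

# Indicator values copied from the extracted config on this page.
C2_HOST = "121.36.230.220"
C2_PORT = 1433
C2_URIS = {"GET": "/mp/getapp/msgext", "POST": "/mp/wapcommon/report"}
C2_UA = "WeChat/8.0.5.32 CFNetwork/1237 Darwin/20.4.0"

# Constructed log format for this example (assumption, not a real product's):
#   <timestamp> <client-ip> <client-os> <method> <url> "<user-agent>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<os>\S+) (?P<method>[A-Z]+) '
    r'(?P<url>\S+) "(?P<ua>[^"]*)"$'
)


def assess(line):
    """Return the indicator names that fire on one line, or None if the
    line does not match the log format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    u = urlsplit(f["url"])
    port = u.port or (443 if u.scheme == "https" else 80)
    hits = []
    # Profile-specific indicators, tied to this beacon's config.
    if u.hostname == C2_HOST and port == C2_PORT:
        hits.append("c2_host_port")
    if C2_URIS.get(f["method"]) == u.path:
        hits.append("c2_uri_" + f["method"].lower())
    if f["ua"] == C2_UA:
        hits.append("c2_user_agent")
    # Profile-independent anomalies that survive a change of C2 address.
    if u.scheme == "http" and port == 1433:
        hits.append("http_on_mssql_port")
    if f["os"].lower().startswith("windows") and "Darwin/" in f["ua"]:
        hits.append("ios_ua_from_windows_host")
    return hits


def severity(hits):
    """Rank a hit list: the C2 endpoint itself outranks generic anomalies."""
    if "c2_host_port" in hits:
        return "high"
    if "http_on_mssql_port" in hits or "ios_ua_from_windows_host" in hits:
        return "medium"
    return "low" if hits else None


def scan(lines):
    """(index, severity, hits) for every parseable line with at least one hit."""
    out = []
    for i, line in enumerate(lines):
        hits = assess(line)
        if hits:
            out.append((i, severity(hits), hits))
    return out


# Constructed sample lines: two beacon check-ins, one normal browser request,
# and a genuine-looking iOS WeChat client that shares the URI and User-Agent.
SAMPLE_LOG = [
    '2023-12-20T10:31:02Z 10.0.0.5 Windows10 GET http://121.36.230.220:1433/mp/getapp/msgext '
    '"WeChat/8.0.5.32 CFNetwork/1237 Darwin/20.4.0"',
    '2023-12-20T10:31:07Z 10.0.0.5 Windows10 POST http://121.36.230.220:1433/mp/wapcommon/report '
    '"WeChat/8.0.5.32 CFNetwork/1237 Darwin/20.4.0"',
    '2023-12-20T10:32:00Z 10.0.0.9 Windows10 GET https://www.example.com/index.html '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2023-12-20T10:33:15Z 10.0.0.12 iOS GET https://wechat.example/mp/getapp/msgext '
    '"WeChat/8.0.5.32 CFNetwork/1237 Darwin/20.4.0"',
]

if __name__ == "__main__":
    for i, sev, hits in scan(SAMPLE_LOG):
        print(i, sev, ", ".join(hits))
```

If the operator rotates the IP, the first indicator stops firing but the HTTP-on-1433 and Windows-with-Darwin-UA checks still do, which is why both kinds are kept in the same rule set.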
MITRE ATT&CK Matrix
Downloads
All dropped files sit in the PyInstaller extraction directory C:\Users\Admin\AppData\Local\Temp\_MEI32602. The report lists python39.dll twice with different sizes and hashes (617KB and 534KB); both records are kept as reported.
- C:\Users\Admin\AppData\Local\Temp\_MEI32602\VCRUNTIME140.dll
  Filesize: 87KB
  MD5: 23105a395b807d9335219958b4d0cec1
  SHA1: fb60050d82e3bc1be3b10877b9355f5d48e04854
  SHA256: 61832990e364dca5bfa2c61d930f00acaae6d1aaa3130392403455ae9a1125a5
  SHA512: ef91d19e632d0d146fa68d52beb04ffcb9b972079cd9c255f44ea5201637a8b00907ec8e3358c7b5cc37338470e29e43dbaec7ddc0562810b49ab2e8115cc805
- C:\Users\Admin\AppData\Local\Temp\_MEI32602\_bz2.pyd
  Filesize: 45KB
  MD5: 219a8451c427fd23cfa262faa6041cf3
  SHA1: 6482e64500876c53deab98ca99864dd193e61a48
  SHA256: b91dd44566de3e84f0ecbc37166a21116be086ad7e93d9dbffa15c6f0218b42a
  SHA512: 6d3c18b98cce0286ee5a4acce88a3647edac782872f10b41e70c046ef4743993eaa6829550eed02de6e72286f25b08b7e9c97287bc1711bb305f8e16912d13ec
- C:\Users\Admin\AppData\Local\Temp\_MEI32602\_ctypes.pyd
  Filesize: 56KB
  MD5: 0c573f9d08786016219e33776d1260ac
  SHA1: c8f6b6abb6a9a519a008853ddf10742ab2f83985
  SHA256: f8a3ffe9ba2a26be3e0b55eab3e5bf6881ddb1b61bed09aa40920d4b0bf28c8d
  SHA512: ae12247280f8edd2835d7db698ec3d4104e2cc7b006c7403289872ab95e7f47ac49058e8b1159310eb579eee61ac95b06301f8d4007ffad3ff2dfbcf7bbcd206
- C:\Users\Admin\AppData\Local\Temp\_MEI32602\_hashlib.pyd
  Filesize: 27KB
  MD5: 0b343828bf74e898f8c38331f4395071
  SHA1: 80425be1a4ac454073b1e906783c61cd51d90a15
  SHA256: c34421146b74b04420f1f046673742c60f9ff106c97b580e297ce107687b182c
  SHA512: 9f9efffed9ff7044ef6935e8ec5e077a89fe5c4c581f93d7b838cb6ad90ff727c258e9fca7a1b143be2ba034a43f2329d3c77b045a2af324b49f7e4115093e87
- C:\Users\Admin\AppData\Local\Temp\_MEI32602\_lzma.pyd
  Filesize: 81KB
  MD5: 50d602c2cc0cf817c39c63f80bf85d02
  SHA1: 5b8beba0bb5392d50c3a4b289d9f8321b3fb5c46
  SHA256: 9ed00ec681e1da98288fc35940b81bffd00e67b5542da85ebfe99e2f3df392c1
  SHA512: 851102810f8037aeb38bd32cfc8cb801c11faca2629f46b4f13bdda41dbc84ba5ef3a2cc0dca5f3b00156b8aea46da0281ff4c8d61e381eb188e6d100a1ea2f5
- C:\Users\Admin\AppData\Local\Temp\_MEI32602\_socket.pyd
  Filesize: 39KB
  MD5: 69a3e66b0b1ea8d3c6a8735dbee1dd43
  SHA1: 0ce43638ef48a6463bb9b476e7aa8be116808357
  SHA256: 6cf09c08586954315ecb17bd98a2c4a10ddbd4c57ec16449c298619f1470e56b
  SHA512: 7acc80bb3081bd52823b9100e09a60540a988bb4171ca72e8cbd782a7d6b8b672340a80a33addb7eaf34d5437e1e70c4f9a5dc81cc4980fde2f7c379483c6992
- C:\Users\Admin\AppData\Local\Temp\_MEI32602\base_library.zip
  Filesize: 333KB
  MD5: 1128fea6907f538729731739de523169
  SHA1: ca92aeaa3f39a0fc215e5463b7dc41ce5f40313d
  SHA256: 33c8a83d6f686dc9821d33e80f84e552824865be3f369b3c68c50b8acef05e77
  SHA512: f0d3236352cd7f85ea8ea13db882dbd46323b09d3de4ab356a97068ee69f1b999224360b80504f704d0ffbb532f342d45b60d8316095a58a18c4c5b0e4c0e6b9
- C:\Users\Admin\AppData\Local\Temp\_MEI32602\libcrypto-1_1.dll
  Filesize: 193KB
  MD5: 0a4467975594e2c1269fb16bcf6e807e
  SHA1: 21fb765f69cde28cb96da8c1e5b5439de734d48f
  SHA256: c3f84df38162aef9147ac8ac6e2a57eb731139c41ba0d607218e081ec456f160
  SHA512: 0e96bd53b76e91f33643f9c82e4cc20e9bc1cd2ffa077f92293babad0165953f7079b03a5cfa34752bda6779b99bb81fd5e7b2d483892a6a8e266eb335610574
- C:\Users\Admin\AppData\Local\Temp\_MEI32602\libffi-7.dll
  Filesize: 23KB
  MD5: c8bce736d2b0dd3620bcdb85e99d91a1
  SHA1: 37fae34a4d0c0874a484e117d558209cedceb17c
  SHA256: fea8a1318c8b8d442ad2773a8ef84e0acac1f837326e8ded6636c4458f2ee399
  SHA512: 39b3eb8c15d921736ce23d7630ff6b1242bf6ec76457f50e648470059ff453a98ded2a25dfe743b7ba910ab8c0dfca478f8a7e00989a5c12035283f28022d6eb
- C:\Users\Admin\AppData\Local\Temp\_MEI32602\python39.dll
  Filesize: 617KB
  MD5: f18bafd7d7aa37336a8e19987fdb96a2
  SHA1: 6ce6caaf3e094db57c49c9e32722340ad37cd172
  SHA256: e0237a0f50f5e90d49f52ac069a4075b3ee59061cbe0be5008fb38ff888b8728
  SHA512: db67bdbbd2316b9b2bff8cf00f33c4d56597d342a0a05431903c3f2c33ed8609ee9680a5317689cbe558a1934129a9e1dd1fe0bbb70bd8dad67503274c0e86f4
- C:\Users\Admin\AppData\Local\Temp\_MEI32602\python39.dll
  Filesize: 534KB
  MD5: 48a5212a2341e4368505b59d079a858d
  SHA1: cf2afc9854f181cdddcad33da533bb1d5a851e77
  SHA256: 8bdea73c42f67b64bfa886bcdb67d1f9ef9615e7c346575ce5b11e8b11b56287
  SHA512: 04665da167af8adeeb46583203cee3f819a4dcd55c385e8f8bcb0e889c9d64d104b81c67b17c4c2e788bc342142bb3b4e6f294978abf0b787a45238186603e4e
- C:\Users\Admin\AppData\Local\Temp\_MEI32602\select.pyd
  Filesize: 21KB
  MD5: c8b0bbe4a7a935b8ff1ce780b246494e
  SHA1: 7d337a41556457d1a33978fe50ecefe9f458e72c
  SHA256: e2c0cc0cd9f86f9c7f949b3f77a41d8c8c19e55ce3a875d2513f33e71c77013e
  SHA512: 62c11736c461ce4e308a64cdf50ecc8e7c0fa7a5673f9cb0b57596ae11de480cdb3d2b5dc54a839a4f2ec2bfec9d0e26583af48cbc4f7535c1943b25ac45e749
- C:\Users\Admin\AppData\Local\Temp\_MEI32602\unicodedata.pyd
  Filesize: 257KB
  MD5: e4d602d01638ce6571b61a4e6fc590f4
  SHA1: bd950b2a26c97145d3e4751f0766a34294dfce8a
  SHA256: f95a1a557e14d1de6dc8cee3de5bc5a4fb01bb0e8481b612fe886104e2f42731
  SHA512: abd0f5db2d554c00edc1bd2e1c6a9ab54de71e47a6c96bd2c2b2571a1e53652543f95cb65a40997679885c5ff66af6f6b5ed33cdab8af33ce7b86fe28de71109
Memory dumps (behavioral2, PID 2944):
- memory/2944-31-0x00007FF8A4F20000-0x00007FF8A4F2F000-memory.dmp, Filesize: 60KB
- memory/2944-16-0x00007FF88F210000-0x00007FF88F663000-memory.dmp, Filesize: 4.3MB
- memory/2944-30-0x0000026ABE1A0000-0x0000026ABE1E1000-memory.dmp, Filesize: 260KB
- memory/2944-32-0x0000026ABE1F0000-0x0000026ABE662000-memory.dmp, Filesize: 4.4MB
- memory/2944-21-0x00007FF8A4160000-0x00007FF8A4186000-memory.dmp, Filesize: 152KB
- memory/2944-33-0x00007FF88F210000-0x00007FF88F663000-memory.dmp, Filesize: 4.3MB
- memory/2944-34-0x00007FF8A4160000-0x00007FF8A4186000-memory.dmp, Filesize: 152KB