Analysis
max time kernel: 143s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231222-en locale:en-us os:windows10-2004-x64 system
submitted: 28-12-2023 15:45
Static task: static1
Behavioral task: behavioral1
  Sample: e78cf21e556c3092fd4fd69502d5afec.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: e78cf21e556c3092fd4fd69502d5afec.exe
  Resource: win10v2004-20231222-en
General
Target: e78cf21e556c3092fd4fd69502d5afec.exe
Size: 172KB
MD5: e78cf21e556c3092fd4fd69502d5afec
SHA1: 6e07a503ed35db15fe4abe554c262b352e65856a
SHA256: b228ab1c794a255e2b655e4f559f60d0f727125e33038a1f717fd50dc978c1d1
SHA512: 09fa20c2527f67a040d8e47e9a7a3c05ab9893e46c749de7232c3bdabfc62ba51fac93f8da9f70f5970aae058f05360aef8f2de52fa4291485fa9bc45812668f
SSDEEP: 3072:FiHCy8NpD2VLKivsvnzmsJTUFAUFUd+0JgkibU4jLj8VgRCiyz+Qd3yoWZzb:AHCygULKUsbHJTUFOd+0etbrLj8VfrEo
Malware Config
Extracted: cobaltstrike (watermark 972041620)
c2: http://52.15.212.124:443/telemetry_1
access_type: 512
beacon_type: 2048
host: 52.15.212.124,/telemetry_1
http_header1: (value not present in this copy of the report)
http_header2: (value not present in this copy of the report)
http_method1: GET
http_method2: POST
jitter: 8448
polling_time: 300000 (beacon sleep, in ms)
port_number: 443
sc_process32: %windir%\syswow64\backgroundTaskHost.exe
sc_process64: %windir%\sysnative\mobsync.exe
state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCXy7bqekll06mHUWMDlxK9wwJZzgn71reF9u1pCbTVBkBDJPWLpN8yrjpaxz9tsvKdAwjuiIi8OpKuFrHOfJey6nFg+KbGTmpO0JoW//BQlPWpfYYmJfnS+kvpZMEg+tKDndK1Klq16qAF/f0eCLlFqxketa5EvbyrIfOnvr5IrQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 1.700074752e+09
unknown2: AAAABAAAAAIAAAAJAAAAAwAAAA8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /submit/telemetry/
user_agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:63.0) Gecko/20100101 Firefox/63.0
watermark: 972041620
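The state_machine value above is not opaque: its first bytes (30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01) are a DER SubjectPublicKeyInfo with the rsaEncryption OID, i.e. the team-server RSA public key that Cobalt Strike embeds in every beacon, stored in a fixed-size buffer and zero-padded. Because that key is generated once per team server, an identical key across samples links them to the same server, which is more useful for clustering than the watermark alone. The script below is an added example written for this page, not the sandbox vendor's or Cobalt Strike's code. It decodes the field with a minimal DER walker using only the standard library and re-emits the key as PEM so it can be compared with openssl. Function and field names are mine.

```python
import base64
from typing import Dict, Tuple

# Value of the "state_machine" field in the report above, copied verbatim.
STATE_MACHINE_B64 = (
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCXy7bqekll06mHUWMDlxK9wwJZzgn71reF"
    "9u1pCbTVBkBDJPWLpN8yrjpaxz9tsvKdAwjuiIi8OpKuFrHOfJey6nFg+KbGTmpO0JoW//BQ"
    "lPWpfYYmJfnS+kvpZMEg+tKDndK1Klq16qAF/f0eCLlFqxketa5EvbyrIfOnvr5IrQIDAQAB"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
)

# 1.2.840.113549.1.1.1 (rsaEncryption), DER-encoded OID contents.
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER element at buf[pos]; return (tag, contents, offset past the element).

    Handles short-form and 1..4 byte long-form lengths, which is all an RSA SPKI needs.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length form")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    contents = buf[pos:pos + length]
    if len(contents) != length:
        raise ValueError("truncated DER contents")
    return tag, contents, pos + length


def parse_beacon_pubkey(b64: str) -> Dict[str, object]:
    """Decode a zero-padded base64 SPKI blob and pull out the RSA parameters."""
    s = b64.strip().rstrip("=")
    raw = base64.b64decode(s + "=" * (-len(s) % 4))  # tolerate missing/extra '=' padding

    # SubjectPublicKeyInfo ::= SEQUENCE { algorithm AlgorithmIdentifier, subjectPublicKey BIT STRING }
    tag, spki_body, spki_end = _read_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("expected SubjectPublicKeyInfo SEQUENCE")
    alg_tag, alg, after_alg = _read_tlv(spki_body, 0)
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if alg_tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    bs_tag, bitstr, _ = _read_tlv(spki_body, after_alg)
    if bs_tag != 0x03 or bitstr[0] != 0:  # first BIT STRING byte = unused-bit count, must be 0
        raise ValueError("malformed subjectPublicKey BIT STRING")

    # RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
    _, rsa, _ = _read_tlv(bitstr, 1)
    _, n_bytes, after_n = _read_tlv(rsa, 0)
    _, e_bytes, _ = _read_tlv(rsa, after_n)
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")

    padding = raw[spki_end:]  # whatever follows the DER is buffer padding
    return {
        "spki_der": raw[:spki_end],
        "spki_len": spki_end,
        "total_len": len(raw),
        "modulus_bits": n.bit_length(),
        "exponent": e,
        "modulus_hex": format(n, "x"),
        "padding_len": len(padding),
        "padding_all_zero": not any(padding),
    }


def spki_to_pem(spki_der: bytes) -> str:
    """Wrap a DER SubjectPublicKeyInfo as a PEM PUBLIC KEY block."""
    body = base64.b64encode(spki_der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


if __name__ == "__main__":
    info = parse_beacon_pubkey(STATE_MACHINE_B64)
    print(f"RSA-{info['modulus_bits']}, e={info['exponent']}, DER {info['spki_len']} bytes "
          f"+ {info['padding_len']} bytes padding (all zero: {info['padding_all_zero']})")
    print(spki_to_pem(info["spki_der"]))
```

Write the PEM to a file and `openssl rsa -pubin -in beacon.pem -noout -modulus` prints the modulus for pivoting; two beacons with the same modulus were built by the same team server regardless of their watermark, C2 host or spawnto settings.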
Signatures
Cobaltstrike
Detected malicious payload which is part of Cobalt Strike.
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description: PID 4040 created 3492 | pid: 4040 | process: e78cf21e556c3092fd4fd69502d5afec.exe | target process: Explorer.EXE
  The sample (PID 4040) called NtCreateUserProcess with Explorer.EXE (PID 3492) supplied as the parent; this is why the spawned backgroundTaskHost.exe appears under Explorer.EXE rather than under the sample in the process tree below.
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid: 4040 | process: e78cf21e556c3092fd4fd69502d5afec.exe (4 occurrences)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege | pid: 4040 | process: e78cf21e556c3092fd4fd69502d5afec.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 4040 wrote to memory of 4672 | pid: 4040 | process: e78cf21e556c3092fd4fd69502d5afec.exe | target process: backgroundTaskHost.exe (3 occurrences)
  backgroundTaskHost.exe is the image named in sc_process32 of the extracted config, i.e. the beacon's spawnto target for injection.
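The sandbox can label the NtCreateUserProcessOtherParentProcess behaviour because it hooks the syscall and sees both the caller (4040) and the parent handle it passed (3492). On a live host, Sysmon event 1 records only the declared parent, so a process tree built from it shows backgroundTaskHost.exe under Explorer.EXE exactly as the tree below does, and the sample is never linked to its child. Microsoft-Windows-Kernel-Process ProcessStart events keep both values: the event header's process ID is the caller of NtCreateUserProcess, while ParentProcessID in the payload is the parent the new process will report. The following added example (mine, not the sandbox's or Cobalt Strike's code) runs that comparison over constructed events whose PIDs and image names follow this report; the flattened event shape, the benign baseline event and the helper names are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Image names listed as spawnto targets (sc_process32 / sc_process64) in the extracted config.
CONFIG_SPAWNTO = {"backgroundtaskhost.exe", "mobsync.exe"}


@dataclass(frozen=True)
class ProcessStart:
    """Subset of a Microsoft-Windows-Kernel-Process ProcessStart record used here.

    header_pid       process in whose context the event was logged: the caller of NtCreateUserProcess
    new_pid          ProcessID of the process being started
    declared_parent  ParentProcessID from the payload: what the new process reports as its PPID
    image            image file name of the new process
    """
    header_pid: int
    new_pid: int
    declared_parent: int
    image: str


def find_ppid_spoofing(events: Iterable[ProcessStart], images: Dict[int, str]) -> List[dict]:
    """Return one finding per event whose real creator differs from its declared parent.

    A normal CreateProcess is issued by the parent itself, so header_pid == declared_parent.
    PROC_THREAD_ATTRIBUTE_PARENT_PROCESS (what Cobalt Strike's `ppid` command uses) breaks
    that equality, which is the property this check keys on.
    """
    findings = []
    for ev in events:
        if ev.header_pid == ev.declared_parent:
            continue
        findings.append({
            "new_pid": ev.new_pid,
            "image": ev.image,
            "creator_pid": ev.header_pid,
            "creator_image": images.get(ev.header_pid, "<unknown>"),
            "declared_parent": ev.declared_parent,
            "declared_parent_image": images.get(ev.declared_parent, "<unknown>"),
            # Raise severity when the child is one of the spawnto images from the beacon config.
            "spawnto_match": ev.image.lower() in CONFIG_SPAWNTO,
        })
    return findings


def describe(finding: dict) -> str:
    """One-line alert text for a finding."""
    text = (f"PID {finding['new_pid']} ({finding['image']}) was created by PID "
            f"{finding['creator_pid']} ({finding['creator_image']}) but reports PID "
            f"{finding['declared_parent']} ({finding['declared_parent_image']}) as its parent")
    if finding["spawnto_match"]:
        text += "; image matches a spawnto target in the beacon config"
    return text


# Constructed telemetry. The second event uses the PIDs and images from this report
# (4040 = sample, 3492 = Explorer.EXE, 4672 = backgroundTaskHost.exe); the first is a
# made-up benign baseline (Explorer starting notepad.exe) that must not be flagged.
IMAGES = {
    3492: "Explorer.EXE",
    4040: "e78cf21e556c3092fd4fd69502d5afec.exe",
    4672: "backgroundTaskHost.exe",
    5100: "notepad.exe",
}
SAMPLE_EVENTS = [
    ProcessStart(header_pid=3492, new_pid=5100, declared_parent=3492, image="notepad.exe"),
    ProcessStart(header_pid=4040, new_pid=4672, declared_parent=3492, image="backgroundTaskHost.exe"),
]

if __name__ == "__main__":
    for hit in find_ppid_spoofing(SAMPLE_EVENTS, IMAGES):
        print(describe(hit))
```

The same mismatch is visible from a kernel driver's PsSetCreateProcessNotifyRoutineEx callback (CreatingThreadId versus ParentProcessId in PS_CREATE_NOTIFY_INFO), which is where most EDRs take it from; the ETW route is what you have without a driver.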
Processes
C:\Users\Admin\AppData\Local\Temp\e78cf21e556c3092fd4fd69502d5afec.exe (PID 4040)
  command line: "C:\Users\Admin\AppData\Local\Temp\e78cf21e556c3092fd4fd69502d5afec.exe"
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
C:\Windows\Explorer.EXE (PID 3492)
  command line: C:\Windows\Explorer.EXE
  C:\windows\system32\backgroundTaskHost.exe (PID 4672; listed under Explorer.EXE as its declared parent, created by PID 4040 per the signatures above)
    command line: "C:\windows\system32\backgroundTaskHost.exe"
Downloads (memory dumps)
memory/4040-0-0x00000000003C0000-0x00000000003F2000-memory.dmp  200KB
memory/4040-4-0x00007FFF93ED0000-0x00007FFF94991000-memory.dmp  10.8MB
memory/4040-6-0x00007FFF93ED0000-0x00007FFF94991000-memory.dmp  10.8MB
memory/4672-1-0x0000024DC75F0000-0x0000024DC7630000-memory.dmp  256KB
memory/4672-2-0x0000024DC7900000-0x0000024DC7A28000-memory.dmp  1.2MB
memory/4672-5-0x0000024DC7900000-0x0000024DC7A28000-memory.dmp  1.2MB