Analysis
max time kernel: 143s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-02-2024 19:33

Static task: static1
Behavioral task: behavioral1
  Sample: e019fc4655c07cc65a0e333eb7685a0b37a8a2513c93632c52473584681c0604.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: e019fc4655c07cc65a0e333eb7685a0b37a8a2513c93632c52473584681c0604.exe
  Resource: win10v2004-20231215-en
General
Target: e019fc4655c07cc65a0e333eb7685a0b37a8a2513c93632c52473584681c0604.exe
Size: 6.1MB
MD5: a5975a2be60dba4c3b4379748c8395df
SHA1: d7c3eadee9feb4fb419826a9e664f2bc2c68dcbc
SHA256: e019fc4655c07cc65a0e333eb7685a0b37a8a2513c93632c52473584681c0604
SHA512: 2a7feec187aa119d1adfc8a6db467e955febe1324f3c0f46656c1804e21c0af1bc283db15ac172d05b9a2178c078ba62288fbb783a0b20c49f6d1b046843acc9
SSDEEP: 196608:yD1qTulzVzGcsRIo6m1Yz2y3+0ZiBu2BbiIMQI0G/:Nu//9o6M42a+0ZmxLMQu
Malware Config
Extracted: cobaltstrike
  http://154.9.255.31:6666/vSFN
  user_agent: User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; qdesk 2.4.1263.203; Windows NT 6.1; WOW64; Trident/5.0)
Extracted: cobaltstrike (100000)
  http://154.9.255.31:6666/pixel.gif
  access_type: 512
  host: 154.9.255.31,/pixel.gif
  http_header1: AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
  http_header2: AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
  http_method1: GET
  http_method2: POST
  polling_time: 60000
  port_number: 6666
  sc_process32: %windir%\syswow64\rundll32.exe
  sc_process64: %windir%\sysnative\rundll32.exe
  state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDK3rLzrZjUM9JHGk+MkyiweizMh1UN5SghOUGMem0V661GlZU3VFjgj0GjDCZ7n7BB/ZxZlZW3+AyFk84CWktpKLetpsqUQfwVZXXybglwzxC6dgLck3I5vbXIPgyQwgUBW57GNmFiabvB1aCn90NMXnSeNSQypauXKIbsXCYtEwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
  unknown1: 4096
  unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
  uri: /submit.php
  user_agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; LG; LG-E906)
  watermark: 100000
Extracted: cobaltstrike (0)
  watermark: 0
Signatures
Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: e019fc4655c07cc65a0e333eb7685a0b37a8a2513c93632c52473584681c0604.exe
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation
    process: e019fc4655c07cc65a0e333eb7685a0b37a8a2513c93632c52473584681c0604.exe
Executes dropped EXE (1 IoCs)
  Processes: ak.exe
    pid 4008, process ak.exe
Loads dropped DLL (5 IoCs)
  Processes: ak.exe
    pid 4008, process ak.exe
    pid 4008, process ak.exe
    pid 4008, process ak.exe
    pid 4008, process ak.exe
    pid 4008, process ak.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: e019fc4655c07cc65a0e333eb7685a0b37a8a2513c93632c52473584681c0604.exe
    description: PID 2112 wrote to memory of 4008; pid: 2112; process: e019fc4655c07cc65a0e333eb7685a0b37a8a2513c93632c52473584681c0604.exe; target process: ak.exe
    description: PID 2112 wrote to memory of 4008; pid: 2112; process: e019fc4655c07cc65a0e333eb7685a0b37a8a2513c93632c52473584681c0604.exe; target process: ak.exe
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\e019fc4655c07cc65a0e333eb7685a0b37a8a2513c93632c52473584681c0604.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e019fc4655c07cc65a0e333eb7685a0b37a8a2513c93632c52473584681c0604.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\RarSFX0\ak.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ak.exe"
    - Executes dropped EXE
    - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\RarSFX0\_ctypes.pyd
  Filesize: 114KB
  MD5: f3ee671a420e2b57afb685b6451b0a3e
  SHA1: d9e6e9c09532a485d748213d87adbb9cb00a1fbf
  SHA256: 87a96b342caac2988beadc99fbcb0e800111f403e46876f091cd39e03337a7e2
  SHA512: 6fa4f28532eeeb6cec0fd03e271e2b5e75f6e647036ad722f9da0f8d0aeb97df8cb46f8f8c9460e4d65b5ddb4a7178ebfce03bea410e64a1927d5823b1004334
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ak.exe
  Filesize: 6.7MB
  MD5: 4139a1342b752e851e1bce6a09943d2d
  SHA1: a8f7fe1eb58ff06786aa974a346af72d86715a27
  SHA256: fc6bf4cac4681d5b782f87563e0234995cbcda6717dafd05280884f1bf000f96
  SHA512: 5c3810c46806ed82f334a5e209ad7220a634abdf089329f6001bec9fa58e9925c03f13808a9274d20e157564f910bc8b9119a226ec6c8b84a722bab63f53ad4d
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ffi.dll
  Filesize: 27KB
  MD5: 006cc4f6b6fbe03521dc451f4f0a1d28
  SHA1: f04ed6572a304d5a4098e6e354518e4c61d7919f
  SHA256: 812eeff28941d7a7f93cd64ec880eb8e773f613536ccba9d3cb1049dd884b027
  SHA512: f0119fc663a0aab7fbfe87519d131ebb539d962b7aa42f82882af29144bb3f1cade8032dedec83d29d3b9da0976e5b3bd8f33a7eae018f1d0ff3fff8b49f3351
C:\Users\Admin\AppData\Local\Temp\RarSFX0\python311.dll
  Filesize: 193KB
  MD5: 3d3381d7603dd86156913e23a334dc58
  SHA1: 607261f07402654d3a41b1cb83255303c9876199
  SHA256: 1854b5bab36cc97247533c195d89f7e5cabde66e7c6fbd2d968e1437664ee698
  SHA512: 7c6961013cbc7729a808c576639f8e93e83387e923a498ea177c3ac0c92b7c89618aea1fa01cc9a8dada447fbe90f932cd3d523ed629e088d0affb720329f2b4
C:\Users\Admin\AppData\Local\Temp\RarSFX0\python311.dll
  Filesize: 5.7MB
  MD5: 34baa8088b479361208b691a87aa5238
  SHA1: 0034f14fbcb1328dd5a65395f47c00c7ef72cbaf
  SHA256: 162e8557fbed5f39ae24983ee62b2d435b4796c937d9c1a34371888c7e43af00
  SHA512: 6900da9a20bcefea0c334f07c758fdce991753dd0f65cc5587800c544110343f9beed7bce8b534b8531db009f1824d3e454157d45a1a95e1dff2472572b6edff
C:\Users\Admin\AppData\Local\Temp\RarSFX0\vcruntime140.dll
  Filesize: 99KB
  MD5: 8697c106593e93c11adc34faa483c4a0
  SHA1: cd080c51a97aa288ce6394d6c029c06ccb783790
  SHA256: ff43e813785ee948a937b642b03050bb4b1c6a5e23049646b891a66f65d4c833
  SHA512: 724bbed7ce6f7506e5d0b43399fb3861dda6457a2ad2fafe734f8921c9a4393b480cdd8a435dbdbd188b90236cb98583d5d005e24fa80b5a0622a6322e6f3987
C:\Users\Admin\AppData\Local\Temp\RarSFX0\zlib.dll
  Filesize: 85KB
  MD5: d00d9d7b9e0215553c30bb974009356b
  SHA1: 4608882531ad0c106732682cbe746d911c38fc9a
  SHA256: 54c755e6b90499a5ef49a65ce9472535286fe4db3565a06c4a53f8a4833532dc
  SHA512: 8795959cdd8525b449193b90cebe81e8ae7876858a6cc706a255c6d2af5696be92e1dc93ef34551b4888b51c1f5dce920d834ef6ff8f8f4693cd4433e488dc56
memory/4008-47-0x000002A501DF0000-0x000002A501DF1000-memory.dmp
  Filesize: 4KB
memory/4008-48-0x000002A5041A0000-0x000002A5045A0000-memory.dmp
  Filesize: 4.0MB
memory/4008-49-0x000002A5045A0000-0x000002A5045EF000-memory.dmp
  Filesize: 316KB
memory/4008-50-0x00007FF6D7AB0000-0x00007FF6D8176000-memory.dmp
  Filesize: 6.8MB
memory/4008-52-0x000002A5045A0000-0x000002A5045EF000-memory.dmp
  Filesize: 316KB