Analysis
- max time kernel: 141s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-02-2024 19:33
Static task: static1
Behavioral task: behavioral1
- Sample: efb39ef02375a4b9d93d4f62efb40f95896d87bd18988f5d740ce1d117992876.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: efb39ef02375a4b9d93d4f62efb40f95896d87bd18988f5d740ce1d117992876.exe
- Resource: win10v2004-20231215-en
General
- Target: efb39ef02375a4b9d93d4f62efb40f95896d87bd18988f5d740ce1d117992876.exe
- Size: 3.4MB
- MD5: 112e6b1a7fa7ce6b2679a2fcdba7570a
- SHA1: 8b38f0e256a98d713b09d78c1d1ff69b502b9577
- SHA256: efb39ef02375a4b9d93d4f62efb40f95896d87bd18988f5d740ce1d117992876
- SHA512: b604d4c5d77d98c532e304f33729b92d94b5800745f38e116f038d276b6ceaa9912ac15b62f1a69e4bab286eb884b8137d3dd442301c6a602ae5e2d29096223e
- SSDEEP: 49152:wI1BMSvHH9sufzgtSN9t9/y8MH31Q+QVc5GxJxn+mqEvzHyZsUocVIIR6qW+LKNR:wDSvxrg+t9/ypFQ+QuKJ9TyZ9JKz
Malware Config
Extracted: cobaltstrike
- http://154.9.255.31:6666/vSFN
- user_agent: User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; qdesk 2.4.1263.203; Windows NT 6.1; WOW64; Trident/5.0)
Extracted: cobaltstrike
- 100000
- http://154.9.255.31:6666/pixel.gif
- access_type: 512
- host: 154.9.255.31,/pixel.gif
- http_header1: (base64 blob)
- http_header2: (base64 blob)
- http_method1: GET
- http_method2: POST
- polling_time: 60000
- port_number: 6666
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine: (base64 blob)
- unknown1: 4096
- unknown2: (base64 blob)
- uri: /submit.php
- user_agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; LG; LG-E906)
- watermark: 100000
Extracted: cobaltstrike
- 0
- watermark: 0
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: efb39ef02375a4b9d93d4f62efb40f95896d87bd18988f5d740ce1d117992876.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation | efb39ef02375a4b9d93d4f62efb40f95896d87bd18988f5d740ce1d117992876.exe
- Executes dropped EXE (2 IoCs)
  Processes: ak.exe, ak.exe
  pid | process
  4508 | ak.exe
  4900 | ak.exe
- Loads dropped DLL (4 IoCs)
  Processes: ak.exe
  pid | process
  4900 | ak.exe
  4900 | ak.exe
  4900 | ak.exe
  4900 | ak.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: efb39ef02375a4b9d93d4f62efb40f95896d87bd18988f5d740ce1d117992876.exe, ak.exe
  description | pid | process | target process
  PID 3376 wrote to memory of 4508 | 3376 | efb39ef02375a4b9d93d4f62efb40f95896d87bd18988f5d740ce1d117992876.exe | ak.exe
  PID 3376 wrote to memory of 4508 | 3376 | efb39ef02375a4b9d93d4f62efb40f95896d87bd18988f5d740ce1d117992876.exe | ak.exe
  PID 4508 wrote to memory of 4900 | 4508 | ak.exe | ak.exe
  PID 4508 wrote to memory of 4900 | 4508 | ak.exe | ak.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\efb39ef02375a4b9d93d4f62efb40f95896d87bd18988f5d740ce1d117992876.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\efb39ef02375a4b9d93d4f62efb40f95896d87bd18988f5d740ce1d117992876.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\RarSFX0\ak.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ak.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\onefile_4508_133527584010422185\ak.exe (child of 2)
         Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ak.exe"
         - Executes dropped EXE
         - Loads dropped DLL
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\ak.exe
  Filesize: 3.2MB
  MD5: 1e9f06ff572008ae0fe723c01a19f51f
  SHA1: 80623cbd7d7ad0cc539fcc42e0fa5a2f4a6d1193
  SHA256: d0a790d8c8fa9147b6fd6d5bf0ef3c2a8907ec17eeb384dcc9b2611044928802
  SHA512: 7b9d4a9294b931e5efdc02a86336ee8daa4cad83e0c8aa49f148ae3040e819ea483837614a22f66c033d025b6e9106c0198caf1f51db8b3c261c16a024063d8a
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\日记.txt
  Filesize: 26KB
  MD5: 839e6d240e7f072b5b101d803c4b3be3
  SHA1: b77a5649de8f5c146bc80773e6b61b62dd94fed0
  SHA256: 561130e97c3f5434d25c0e224168ee2dab5f79a7863796ad2aeb28061de352c1
  SHA512: a668511cdceab97fc01d6645fe0aa7331752393f19969886aa4639d8d2d1a7a1745ecb3bda73ee0bfa1a17e430888c91ad4b0a0ac54edbd26267126c70b394cd
- C:\Users\Admin\AppData\Local\Temp\onefile_4508_133527584010422185\VCRUNTIME140.dll
  Filesize: 95KB
  MD5: f34eb034aa4a9735218686590cba2e8b
  SHA1: 2bc20acdcb201676b77a66fa7ec6b53fa2644713
  SHA256: 9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1
  SHA512: d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af
- C:\Users\Admin\AppData\Local\Temp\onefile_4508_133527584010422185\_ctypes.pyd
  Filesize: 120KB
  MD5: 462fd515ca586048459b9d90a660cb93
  SHA1: 06089f5d5e2a6411a0d7b106d24d5203eb70ec60
  SHA256: bf017767ac650420487ca3225b3077445d24260bf1a33e75f7361b0c6d3e96b4
  SHA512: 67851bdbf9ba007012b89c89b86fd430fce24790466fefbb54431a7c200884fc9eb2f90c36d57acd300018f607630248f1a3addc2aa5f212458eb7a5c27054b3
- C:\Users\Admin\AppData\Local\Temp\onefile_4508_133527584010422185\ak.exe
  Filesize: 3.7MB
  MD5: 97922953ecfb1e38feceae49f5a1f4bf
  SHA1: 8080acd9863c61752b01af27671e459071aac66c
  SHA256: bc11e0801675911e2f36d8e61859762c1b7a2c9b3ce173cf65b3c37a3f9f5579
  SHA512: 5a38fc28a137aac0028a002a5c42a31bccbbcb869762f8bf18dcdb5e4af447050bd3130c8880f37df188cc19307e1c0b9597870243307893637b9501f82c711b
- C:\Users\Admin\AppData\Local\Temp\onefile_4508_133527584010422185\libffi-7.dll
  Filesize: 32KB
  MD5: eef7981412be8ea459064d3090f4b3aa
  SHA1: c60da4830ce27afc234b3c3014c583f7f0a5a925
  SHA256: f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
  SHA512: dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016
- C:\Users\Admin\AppData\Local\Temp\onefile_4508_133527584010422185\python310.dll
  Filesize: 4.3MB
  MD5: e4533934b37e688106beac6c5919281e
  SHA1: ada39f10ef0bbdcf05822f4260e43d53367b0017
  SHA256: 2bf761bae584ba67d9a41507b45ebd41ab6ae51755b1782496d0bc60cc1d41d5
  SHA512: fa681a48ddd81854c9907026d4f36b008e509729f1d9a18a621f1d86cd1176c1a1ff4f814974306fa4d9e3886e2ce112a4f79b66713e1401f5dae4bcd8b898b9
- memory/4508-32-0x00007FF6AF310000-0x00007FF6AF65C000-memory.dmp
  Filesize: 3.3MB
- memory/4900-29-0x00000200EEE70000-0x00000200EEE71000-memory.dmp
  Filesize: 4KB
- memory/4900-30-0x00000200F1220000-0x00000200F1620000-memory.dmp
  Filesize: 4.0MB
- memory/4900-31-0x00000200F1620000-0x00000200F166F000-memory.dmp
  Filesize: 316KB
- memory/4900-33-0x00007FF662C80000-0x00007FF663037000-memory.dmp
  Filesize: 3.7MB
- memory/4900-36-0x00000200F1620000-0x00000200F166F000-memory.dmp
  Filesize: 316KB