Analysis
-
max time kernel
256s -
max time network
258s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
26-02-2024 18:39
General
-
Target
pfexec.exe
-
Size
1.0MB
-
MD5
f44d91b5ada6238eb2d6e619163cc62a
-
SHA1
66ef3d305e393c9b4f6bae7f418d4f7fb537ce4d
-
SHA256
2c9193641261c691300cff1d18f149126036da623b475dfc36fde27fca102b91
-
SHA512
edea071c90ec67b47ecee3b9913bab4f31bab2f36a4e397a0df801e4034306a77806bf0cb3cfeb1ba5b4272e737eba7ddfcdaf29bf749d0bfdf10cf0c8a329f1
-
SSDEEP
12288:Mhl2WxEAiGRklbSwZ4llEFEK3AbHjmM2HdaZJrQCNWK4KHFeMdMZW6tq2oZsErrc:6l2VN4lpFFcChMZW6tqzZ7XrP3I2JpS
Malware Config
Extracted
cobaltstrike
100000000
http://upserver.updateservice.store:443/common.html
-
access_type
512
-
beacon_type
2048
-
host
upserver.updateservice.store,/common.html
-
http_header1
AAAAEAAAACJIb3N0OiB1cHNlcnZlci51cGRhdGVzZXJ2aWNlLnN0b3JlAAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAcAAAAAAAAACwAAAAMAAAACAAAAA2x1PQAAAAYAAAAGQ29va2llAAAACQAAAAt2ZXJpZnk9dHJ1ZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAAEAAAACJIb3N0OiB1cHNlcnZlci51cGRhdGVzZXJ2aWNlLnN0b3JlAAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAoAAAAvQ29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQAAAAHAAAAAQAAAAMAAAADAAAAAgAAAAhhdXRob3JzPQAAAAQAAAAHAAAAAAAAAAMAAAACAAAADl9fc2Vzc2lvbl9faWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
9472
-
polling_time
58666
-
port_number
443
-
sc_process32
%windir%\syswow64\svchost.exe
-
sc_process64
%windir%\sysnative\svchost.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdQ5nVpJ13O9CwiQRtLOdTAwGg6oj4mvtVqZvCbSy9YyU3ngZSDBgmWjSMwrTqMvvKUr5RvigK1N00xTGT4LVtDESUaUvyGU79G24yPaF5rUOJjnAIRazosjB87DvXbI6k45HQsVyZD7wgEXnKFmv3E0Tk9ti5G0eVOKL5tqdS5QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
6.1158912e+08
-
unknown2
AAAABAAAAAIAAAJYAAAAAwAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/r-arrow
-
user_agent
Mozilla/5.0 (Windows Phone 10.0; Android 6.0.1; Microsoft; RM-1152) AppleWebKit/537.36 (KHTML, like Gecko)
-
watermark
100000000
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
Processes
-
C:\Users\Admin\AppData\Local\Temp\pfexec.exe"C:\Users\Admin\AppData\Local\Temp\pfexec.exe"1⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1828-0-0x0000000000900000-0x0000000000934000-memory.dmpFilesize
208KB
-
memory/1828-1-0x0000000000F20000-0x0000000000FA8000-memory.dmpFilesize
544KB
-
memory/1828-2-0x0000000000F20000-0x0000000000FA8000-memory.dmpFilesize
544KB