Analysis
max time kernel: 133s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 05-03-2024 19:13

Static task: static1

Behavioral task: behavioral1
Sample: b576f3376717226f7e88a2a0950665bc.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: b576f3376717226f7e88a2a0950665bc.exe
Resource: win10v2004-20240226-en
General
Target: b576f3376717226f7e88a2a0950665bc.exe
Size: 799KB
MD5: b576f3376717226f7e88a2a0950665bc
SHA1: fc6cb60995aadbff13ba36a13171c0d5e32fc889
SHA256: bbda658833fd7e14fb605f3bb5c7698d1b6db08539ef0a20c2b7a3b39fe4d2dc
SHA512: 9f8a7c0c4604d612325c4eb21027ad17d74fcbbef408482df65ae2542a53cd6638b84aa2ada7e378db108841c0ab00bc595a7264c9094d783a2cccb9a6a80caf
SSDEEP: 12288:rCtP1JSy90AQO0ONLVIXu8mYac5LUECvn314MCzyAdlAUhCp5f7VqF:CnSywO0+8mkUd314nOzU83
Malware Config
Extracted: cobaltstrike
426352781
http://121.196.195.112:8880/jquery-3.3.1.min.js
access_type: 512
host: 121.196.195.112,/jquery-3.3.1.min.js
http_header1:
http_header2:
http_method1: GET
http_method2: POST
jitter: 9472
polling_time: 45000
port_number: 8880
sc_process32: %windir%\syswow64\dllhost.exe
sc_process64: %windir%\sysnative\dllhost.exe
state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCi2C+aJ8Qbn+57ZTFt9LB8FsLVJiPEHchi6sZwTNHPEi40kmxsg2xFwCmM5xnVCpVYMchR8KKX/IagzWt3/UylF0YfqI08EnUZZb7UHWVGN93VuBLNVg7jANmA5GfxU5SJfQq1YbfgEBTu7Tf3jidJ/5frfj/Xx2d09oIaP700WQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4.234810624e+09
unknown2: AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /jquery-3.3.2.min.js
user_agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
watermark: 426352781
Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
Processes:
  description                 pid   process                               target process
  PID 2108 created 1240       2108  b576f3376717226f7e88a2a0950665bc.exe  Explorer.EXE

Executes dropped EXE (1 IoCs)
Processes:
  pid   process
  2352  Update.exe

Loads dropped DLL (2 IoCs)
Processes:
  pid   process
  2108  b576f3376717226f7e88a2a0950665bc.exe
  2108  b576f3376717226f7e88a2a0950665bc.exe

Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes:
  pid   process
  2108  b576f3376717226f7e88a2a0950665bc.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                         pid   process                               target process
  PID 2108 wrote to memory of 2352    2108  b576f3376717226f7e88a2a0950665bc.exe  Update.exe
  PID 2108 wrote to memory of 2352    2108  b576f3376717226f7e88a2a0950665bc.exe  Update.exe
  PID 2108 wrote to memory of 2352    2108  b576f3376717226f7e88a2a0950665bc.exe  Update.exe
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\b576f3376717226f7e88a2a0950665bc.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\b576f3376717226f7e88a2a0950665bc.exe"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Update.exe
    command line: C:\Users\Admin\AppData\Local\Temp\Update.exe
    - Executes dropped EXE
Downloads

C:\Users\Admin\AppData\Local\Temp\Update.exe
Filesize: 124KB
MD5: 695ec60a6cf76f52c09692434581d111
SHA1: 3e2e30c20f0558c51d93b6f1dddbb6e4c08c6608
SHA256: 1a51542848954b016e9f52caa4367eb1759e03d0318f17ccf89474b928f351aa
SHA512: faf567b682d6ba4ec22a923deca33813f4bacaee91891d4939945dc93c8df0416375521c5fd92c74aa13ad78ad21d0ea5f8f90f7099d3b9d197fb1efb9fd0a36

C:\Users\Admin\AppData\Local\Temp\office_48.bin
Filesize: 256KB
MD5: 231b7ab6d3e0682a7455f09403d5a0cc
SHA1: c3dae5bbe41af28caac5962c06847aa103961fbc
SHA256: 025c0e9b66fad454ed4cde8c1e6021294f42d8ada140b6375fb8623e2e301260
SHA512: 55b5c2158342fd860d110008db7f2b8b1949d4ccd6e98245ed5dcaeca62e3d68c66e2b4cf2297d070a2889c54c34961ad14a1c9e0d9fe8009e9e2b9d59083bbe

memory/2352-9-0x00000000000C0000-0x0000000000101000-memory.dmp
Filesize: 260KB

memory/2352-10-0x0000000000760000-0x0000000000BD2000-memory.dmp
Filesize: 4.4MB

memory/2352-11-0x0000000000760000-0x0000000000BD2000-memory.dmp
Filesize: 4.4MB