Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
05-03-2024 19:13
Static task
static1
Behavioral task
behavioral1
Sample
b576f3376717226f7e88a2a0950665bc.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
b576f3376717226f7e88a2a0950665bc.exe
Resource
win10v2004-20240226-en
General
-
Target
b576f3376717226f7e88a2a0950665bc.exe
-
Size
799KB
-
MD5
b576f3376717226f7e88a2a0950665bc
-
SHA1
fc6cb60995aadbff13ba36a13171c0d5e32fc889
-
SHA256
bbda658833fd7e14fb605f3bb5c7698d1b6db08539ef0a20c2b7a3b39fe4d2dc
-
SHA512
9f8a7c0c4604d612325c4eb21027ad17d74fcbbef408482df65ae2542a53cd6638b84aa2ada7e378db108841c0ab00bc595a7264c9094d783a2cccb9a6a80caf
-
SSDEEP
12288:rCtP1JSy90AQO0ONLVIXu8mYac5LUECvn314MCzyAdlAUhCp5f7VqF:CnSywO0+8mkUd314nOzU83
Malware Config
Extracted
cobaltstrike
426352781
http://121.196.195.112:8880/jquery-3.3.1.min.js
-
access_type
512
-
host
121.196.195.112,/jquery-3.3.1.min.js
-
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAABAAAAAUSG9zdDogd3d3LmpxdWVyeS5jb20AAAAKAAAAIFJlZmVyZXI6IGh0dHA6Ly9jb2RlLmpxdWVyeS5jb20vAAAACgAAAEVVc2VyLUFnZW50OiBNb3ppbGxhLzQuMCAoY29tcGF0aWJsZTsgTVNJRSA3LjA7IFdpbmRvd3MgTlQgNS4xOyAzNjBTRSkAAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADQAAAAIAAAAJX19jZmR1aWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAABAAAAAUSG9zdDogd3d3LmpxdWVyeS5jb20AAAAKAAAAIFJlZmVyZXI6IGh0dHA6Ly9jb2RlLmpxdWVyeS5jb20vAAAACgAAAEVVc2VyLUFnZW50OiBNb3ppbGxhLzQuMCAoY29tcGF0aWJsZTsgTVNJRSA3LjA7IFdpbmRvd3MgTlQgNS4xOyAzNjBTRSkAAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADwAAAA0AAAAFAAAACF9fY2ZkdWlkAAAABwAAAAEAAAAPAAAADQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
9472
-
polling_time
45000
-
port_number
8880
-
sc_process32
%windir%\syswow64\dllhost.exe
-
sc_process64
%windir%\sysnative\dllhost.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCi2C+aJ8Qbn+57ZTFt9LB8FsLVJiPEHchi6sZwTNHPEi40kmxsg2xFwCmM5xnVCpVYMchR8KKX/IagzWt3/UylF0YfqI08EnUZZb7UHWVGN93VuBLNVg7jANmA5GfxU5SJfQq1YbfgEBTu7Tf3jidJ/5frfj/Xx2d09oIaP700WQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4.234810624e+09
-
unknown2
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/jquery-3.3.2.min.js
-
user_agent
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
-
watermark
426352781
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
b576f3376717226f7e88a2a0950665bc.exedescription pid process target process PID 3364 created 3504 3364 b576f3376717226f7e88a2a0950665bc.exe Explorer.EXE -
Executes dropped EXE 1 IoCs
Processes:
Update.exepid process 3084 Update.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
b576f3376717226f7e88a2a0950665bc.exepid process 3364 b576f3376717226f7e88a2a0950665bc.exe 3364 b576f3376717226f7e88a2a0950665bc.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
b576f3376717226f7e88a2a0950665bc.exedescription pid process target process PID 3364 wrote to memory of 3084 3364 b576f3376717226f7e88a2a0950665bc.exe Update.exe PID 3364 wrote to memory of 3084 3364 b576f3376717226f7e88a2a0950665bc.exe Update.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\b576f3376717226f7e88a2a0950665bc.exe"C:\Users\Admin\AppData\Local\Temp\b576f3376717226f7e88a2a0950665bc.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Update.exeC:\Users\Admin\AppData\Local\Temp\Update.exe2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Update.exeFilesize
124KB
MD5695ec60a6cf76f52c09692434581d111
SHA13e2e30c20f0558c51d93b6f1dddbb6e4c08c6608
SHA2561a51542848954b016e9f52caa4367eb1759e03d0318f17ccf89474b928f351aa
SHA512faf567b682d6ba4ec22a923deca33813f4bacaee91891d4939945dc93c8df0416375521c5fd92c74aa13ad78ad21d0ea5f8f90f7099d3b9d197fb1efb9fd0a36
-
C:\Users\Admin\AppData\Local\Temp\office_48.binFilesize
256KB
MD5231b7ab6d3e0682a7455f09403d5a0cc
SHA1c3dae5bbe41af28caac5962c06847aa103961fbc
SHA256025c0e9b66fad454ed4cde8c1e6021294f42d8ada140b6375fb8623e2e301260
SHA51255b5c2158342fd860d110008db7f2b8b1949d4ccd6e98245ed5dcaeca62e3d68c66e2b4cf2297d070a2889c54c34961ad14a1c9e0d9fe8009e9e2b9d59083bbe
-
memory/3084-6-0x0000026307900000-0x0000026307941000-memory.dmpFilesize
260KB
-
memory/3084-7-0x0000026307A70000-0x0000026307EE2000-memory.dmpFilesize
4.4MB
-
memory/3084-8-0x0000026307A70000-0x0000026307EE2000-memory.dmpFilesize
4.4MB