Analysis
-
max time kernel
134s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
10-04-2024 15:01
Static task
static1
Behavioral task
behavioral1
Sample
f8fa90be3e6295c275a4d23429e8738228b70693806ed9b2f482581487cb8e08.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
f8fa90be3e6295c275a4d23429e8738228b70693806ed9b2f482581487cb8e08.exe
Resource
win10v2004-20240226-en
General
-
Target
f8fa90be3e6295c275a4d23429e8738228b70693806ed9b2f482581487cb8e08.exe
-
Size
690KB
-
MD5
9c161668cc77563a0415c6b0b92bd6ba
-
SHA1
829a37bac477c316750199819070b56a55749199
-
SHA256
f8fa90be3e6295c275a4d23429e8738228b70693806ed9b2f482581487cb8e08
-
SHA512
eb0dc6b6832c75de9062f2271d9f678e478721b0426b0a7ed8a0df7fd7ebf573745f6e942c57aebb47076114b06c0490103e948399867b4a3c2e74b3b39d9715
-
SSDEEP
12288:WalHzyq8D3Pe3I3RsVFPIOXQfEKIdgQBR3P7r9r/+ppppppppppppppppppppppJ:WEazPe42VmfdIdgQBN1q
Malware Config
Extracted
cobaltstrike
305419896
http://47.108.173.88:8099/load
-
access_type
512
-
host
47.108.173.88,/load
-
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
maxdns
255
-
polling_time
60000
-
port_number
8099
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnCZHWnYFqYB/6gJdkc4MPDTtBJ20nkEAd3tsY4tPKs8MV4yIjJb5CtlrbKHjzP1oD/1AQsj6EKlEMFIKtakLx5+VybrMYE+dDdkDteHmVX0AeFyw001FyQVlt1B+OSNPRscKI5sh1L/ZdwnrMy6S6nNbQ5N5hls6k2kgNO5nQ7QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/submit.php
-
user_agent
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
-
watermark
305419896
Extracted
cobaltstrike
0
-
watermark
0
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
AcroRd32.exepid process 2780 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
AcroRd32.exepid process 2780 AcroRd32.exe 2780 AcroRd32.exe 2780 AcroRd32.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
f8fa90be3e6295c275a4d23429e8738228b70693806ed9b2f482581487cb8e08.exedescription pid process target process PID 2856 wrote to memory of 2780 2856 f8fa90be3e6295c275a4d23429e8738228b70693806ed9b2f482581487cb8e08.exe AcroRd32.exe PID 2856 wrote to memory of 2780 2856 f8fa90be3e6295c275a4d23429e8738228b70693806ed9b2f482581487cb8e08.exe AcroRd32.exe PID 2856 wrote to memory of 2780 2856 f8fa90be3e6295c275a4d23429e8738228b70693806ed9b2f482581487cb8e08.exe AcroRd32.exe PID 2856 wrote to memory of 2780 2856 f8fa90be3e6295c275a4d23429e8738228b70693806ed9b2f482581487cb8e08.exe AcroRd32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f8fa90be3e6295c275a4d23429e8738228b70693806ed9b2f482581487cb8e08.exe"C:\Users\Admin\AppData\Local\Temp\f8fa90be3e6295c275a4d23429e8738228b70693806ed9b2f482581487cb8e08.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\f8fa90be3e6295c275a4d23429e8738228b70693806ed9b2f482581487cb8e08.pdf"2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\f8fa90be3e6295c275a4d23429e8738228b70693806ed9b2f482581487cb8e08.pdfFilesize
42KB
MD5d776c75b72ad3c36421709cfd7e323af
SHA13a0a709e88ab03fb47d33f60f90ce0baf7ab6fff
SHA256569629f78789fb257da5fe32e1924c8fcc6da5d2ea1497485c7ca4d18fd3c0e5
SHA51254437d31026f626020eeba40f09823ba5f214163caae87109484ed7939e0e31f20aaee6b5d05072985accfd2db57a733ab194fb28ef2d9545f93670168f05f27
-
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEventsFilesize
3KB
MD5c6e570f0eef685d9d57fb35cc049b43b
SHA1cea1c7bb04c6f7c9cd359fbbea23c940e352c3f4
SHA256592f23abceb8c41b2717cb7842d3f4d4918d087d95bec658118b809e570e6e76
SHA512c7386e545338a9ed3d093068e6ef46fd0cb0c6f455e4395a5ffee509908ed938e0a32ab8730f58d1fc3a28d169a1cc03a2361d66110186b2b3be039bcf13074b
-
memory/2856-19-0x0000000002FF0000-0x0000000003070000-memory.dmpFilesize
512KB
-
memory/2856-21-0x00000000020F0000-0x000000000213C000-memory.dmpFilesize
304KB
-
memory/2856-20-0x0000000002FF0000-0x0000000003070000-memory.dmpFilesize
512KB
-
memory/2856-22-0x00000000020F0000-0x000000000213C000-memory.dmpFilesize
304KB