Analysis

  • max time kernel
    142s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-04-2024 21:38

General

  • Target

    2/cbappendix.exe

  • Size

    250KB

  • MD5

    9f410ba2b2ec1e1a9fadc1e03d97d649

  • SHA1

    22e1595f67c305af6499571b7a4fcbdfee4e2c63

  • SHA256

    88fae154d211c1fadc2593225b75c3ca773e8a8c3a1ae6bf50aa4a1cdfd534d6

  • SHA512

    a138a61eb0ad4477899f0d5ce04bcb1b3c2e7e33688745166931cad4ee680ed34656fc1f193cd9360caf8a5adc94b09a85b511b110ef3ca5406720352f2e49ba

  • SSDEEP

    3072:e73/xkvPVkoeSJLyy2B9mU2kOkFCbGMPM6f+GfgBGBVdtITSHRtrEp:ezOnVk2WH9mqOsCbGkuoVvPn2

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

cobaltstrike

Botnet

0

C2

http://chart.expocasheuro.com:443/fromdefault

http://94.237.81.57:443/fromdefault

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    chart.expocasheuro.com,/fromdefault,94.237.81.57,/fromdefault

  • http_header1

    AAAACgAAABBIb3N0OiB3d3cucXEuY29tAAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAfQWNjZXB0LUxhbmd1YWdlOiBlbi1VUyxlbjtxPTAuNQAAAAoAAAAZQWNjZXB0LUVuY29kaW5nOiBnemlwLCBicgAAAAcAAAAAAAAADwAAAAMAAAACAAAACmNtX2Nvb2tpZT0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAABBIb3N0OiB3d3cucXEuY29tAAAACgAAAClBY2NlcHQ6IGFwcGxpY2F0aW9uL2pzb24sIHRleHQvcGxhaW4sICovKgAAAAoAAAAVQWNjZXB0LUVuY29kaW5nOiBnemlwAAAABwAAAAAAAAAPAAAAAwAAAAIAAAAKY21fY29va2llPQAAAAYAAAAGQ29va2llAAAABwAAAAEAAAAPAAAAAwAAAAIAAAAQeyJwYWdlIjoyLCJ1aW4iOgAAAAEAAAAOLCJwYWdlU2l6ZSI6M30AAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    6656

  • maxdns

    244

  • polling_time

    7300

  • port_number

    443

  • sc_process32

    %windir%\syswow64\taskeng.exe

  • sc_process64

    %windir%\sysnative\taskeng.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCgKUlf3RLWKgNJ9S8y26ebK2mGsFDDooTj9uq8fjMrU1OIjQ74FBmAQLpksIts/EPd5KL9KW5KpmrHRqoFWsWWylAQBegxuqj4h2Tyw5fi9fAWRBXMhY9lmo9tjYSbFuLMCFCu4kdLRishHaVfQ0uw6TGHr9q2slEMrom+ypPcvwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    1.001138688e+09

  • unknown2

    AAAABAAAAAEAAACOAAAAAgAAAPUAAAADAAAACAAAAA8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /app

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0

  • watermark

    0

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2\cbappendix.exe
    "C:\Users\Admin\AppData\Local\Temp\2\cbappendix.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2944

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2944-1-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

  • memory/2944-0-0x00000000021D0000-0x0000000002207000-memory.dmp

    Filesize

    220KB

  • memory/2944-3-0x00000000021D0000-0x0000000002207000-memory.dmp

    Filesize

    220KB

  • memory/2944-2-0x0000000000550000-0x0000000000551000-memory.dmp

    Filesize

    4KB

  • memory/2944-5-0x0000000002250000-0x0000000002295000-memory.dmp

    Filesize

    276KB

  • memory/2944-6-0x00000000021D0000-0x0000000002207000-memory.dmp

    Filesize

    220KB

  • memory/2944-7-0x0000000002250000-0x0000000002295000-memory.dmp

    Filesize

    276KB