Analysis
-
max time kernel
152s
-
max time network
159s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240226-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
21/04/2024, 10:26
Static task
static1
Behavioral task
behavioral1
Sample
52850a2d3d4c87d62f348b4df59a6c25b62e3c8fd5fc5035909dc73802b03bf8.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
52850a2d3d4c87d62f348b4df59a6c25b62e3c8fd5fc5035909dc73802b03bf8.exe
Resource
win10v2004-20240226-en
General
-
Target
52850a2d3d4c87d62f348b4df59a6c25b62e3c8fd5fc5035909dc73802b03bf8.exe
-
Size
19KB
-
MD5
7f6219613eda811eada544ac6caa6c16
-
SHA1
a04973420c8cb78746caa68bd7d85128d40690f4
-
SHA256
52850a2d3d4c87d62f348b4df59a6c25b62e3c8fd5fc5035909dc73802b03bf8
-
SHA512
a693a694baeff6a2ae9180a5086e906deabea57b79ea90ffb44f2bd94d05c9a7ec740a0322cfd2f3aa75f17ee1b511904fd9d71f9241442ec82ca49c673407cf
-
SSDEEP
192:5V7qaCF6Op1t2dobVXujRDcBaXWQjwOT/2cmA9mhmWF8qa1Dojjgi:bqaCF31cix+Dc4zjpmxFF46gi
Malware Config
Extracted
cobaltstrike
http://107.175.158.78:80/qQb9
-
user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALC)
Extracted
cobaltstrike
987654321
http://107.175.158.78:80/MicrosoftUpdate/ShellEx/KB242742/default.aspx
-
access_type
512
-
host
107.175.158.78,/MicrosoftUpdate/ShellEx/KB242742/default.aspx
-
http_method1
GET
-
http_method2
POST
-
polling_time
500
-
port_number
80
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCj46Hh/xPdl6SVS/rb1DluSClic5D/zPS/2+I9/ABTMm+y4b9H5oDOOKI+i7iDCqkKDabQ0eZr6zAZUiwbXRPpNf/aIjYgAI90AY1cJNOXNkkeBioJSrIxzzfGZorz+nXN9ENaWL8uR4eh6mbrJPKhl3VHT8y68KBkC5f5y9FTfQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/MicrosoftUpdate/GetUpdate/KB
-
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; BOIE9;ENUS)
-
watermark
987654321
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
Processes
-
C:\Users\Admin\AppData\Local\Temp\52850a2d3d4c87d62f348b4df59a6c25b62e3c8fd5fc5035909dc73802b03bf8.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\52850a2d3d4c87d62f348b4df59a6c25b62e3c8fd5fc5035909dc73802b03bf8.exe"
PID: 3304
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4120 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
PID: 828