Analysis
max time kernel: 119s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 25-04-2024 16:15
Static task: static1
Behavioral task: behavioral1
  Sample: c419c26008463823963113284f1b01535ec141a30f5e14bf151147b3c1386314.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: c419c26008463823963113284f1b01535ec141a30f5e14bf151147b3c1386314.exe
  Resource: win10v2004-20240412-en
General
Target: c419c26008463823963113284f1b01535ec141a30f5e14bf151147b3c1386314.exe
Size: 1.8MB
MD5: c12ffe233630bb216f04c392a3a46ba2
SHA1: 33abb4914e43f575e6689d88ffc10fed90c04ff3
SHA256: c419c26008463823963113284f1b01535ec141a30f5e14bf151147b3c1386314
SHA512: f9a7731feea054663d811024d59e8460e4fd1ba48844334113fd5b35fc9d33cd1b74b9a5ba8e434499d3aa93b20063a711234500c8589c72fd57b48c4a47ebdb
SSDEEP: 49152:r7LEqdDdrb/TXvO90dL3BmAFd4A64nsfJO7CDWRgvUVNO1AFub1Nd:jE8J9/2v
Malware Config
Extracted: cobaltstrike
http://1.116.160.39:80/user.js
user_agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: RenamesItself (1 IoCs)
Processes:
pid   process
2892  c419c26008463823963113284f1b01535ec141a30f5e14bf151147b3c1386314.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
description                        pid   process                                                                   target process
PID 2892 wrote to memory of 3016   2892  c419c26008463823963113284f1b01535ec141a30f5e14bf151147b3c1386314.exe  cmd.exe
PID 2892 wrote to memory of 3016   2892  c419c26008463823963113284f1b01535ec141a30f5e14bf151147b3c1386314.exe  cmd.exe
PID 2892 wrote to memory of 3016   2892  c419c26008463823963113284f1b01535ec141a30f5e14bf151147b3c1386314.exe  cmd.exe
PID 3016 wrote to memory of 2520   3016  cmd.exe                                                                   NOTEPAD.EXE
PID 3016 wrote to memory of 2520   3016  cmd.exe                                                                   NOTEPAD.EXE
PID 3016 wrote to memory of 2520   3016  cmd.exe                                                                   NOTEPAD.EXE
Processes (process tree, indented by depth)
1. C:\Users\Admin\AppData\Local\Temp\c419c26008463823963113284f1b01535ec141a30f5e14bf151147b3c1386314.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c419c26008463823963113284f1b01535ec141a30f5e14bf151147b3c1386314.exe"
   - Suspicious behavior: RenamesItself
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\cmd.exe
      Command line: cmd " /c " C:\Users\Admin\AppData\Local\Temp\谷歌.txt
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\NOTEPAD.EXE
         Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\谷歌.txt
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\谷歌.txt
  Filesize: 349B
  MD5: 39c36f1364ae8568df34eb9523da440d
  SHA1: f27a71203e9ac14125eaaaa4f5e017530e8cfb8b
  SHA256: 78117462ce9ede6688e95338da19e7160e039b8e37869f8d6e8389d82c2f011b
  SHA512: 621e89de6fda053b029ae98880c8b017437723ed143892e17446c5ab529ab4b41146c64c689c0ca481f47711acbf46a23e03a5ee66cb46efefef7c77bd96c01a

memory/2892-2-0x000000C000000000-0x000000C000400000-memory.dmp
  Filesize: 4.0MB