Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-05-2024 09:28
Static task: static1
Behavioral task: behavioral1
  Sample: 43780b5d07144e9fd0f547333148f002.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 43780b5d07144e9fd0f547333148f002.exe
  Resource: win10v2004-20240419-en
General
Target: 43780b5d07144e9fd0f547333148f002.exe
Size: 16KB
MD5: 43780b5d07144e9fd0f547333148f002
SHA1: c4a1e189c6707d4af8e5652a58e2d1d92c073ecc
SHA256: dc460f03652eb64c6aeb07a3684780dda19d55dc7e80cc470b61eb2d22b4772c
SHA512: a2fcf87c69c0e1d96b3f86e29c89187edc4eafb6aef19592fb4dc1d4cb5be831c13d80509a5bcf6ae48075eb6f16ce9486e5b16d7ac71d479b407862e4489149
SSDEEP: 384:qktbUK2aFt/faevMcvojAC+DLbs6Od50mzhEIp8:J1/fFMcv2+nbodCR
Malware Config
Extracted: metasploit
  windows/download_exec
  http://207.148.109.8:443/sig32.gif
Extracted: cobaltstrike
  100000000
  http://207.148.109.8:443/ptj
access_type: 512
beacon_type: 2048
host: 207.148.109.8,/ptj
http_header1:
http_header2:
http_method1: GET
http_method2: POST
jitter: 10240
polling_time: 60000
port_number: 443
sc_process32: %windir%\syswow64\dllhost.exe
sc_process64: %windir%\sysnative\dllhost.exe
state_machine:
unknown1: 1.448416512e+09
unknown2:
unknown3: 1.610612736e+09
uri: /OWA/
user_agent: Mozilla/5.0 (Windows NT 5.1; U; en; rv:1.8.1) Gecko/20061208 Firefox/2.0.0 Opera 9.50
watermark: 100000000
Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Blocklisted process makes network request (6 IoCs)
Processes: rundll32.exe
  flow  pid   process
  2     3060  rundll32.exe
  11    3060  rundll32.exe
  28    3060  rundll32.exe
  54    3060  rundll32.exe
  69    3060  rundll32.exe
  83    3060  rundll32.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes: 43780b5d07144e9fd0f547333148f002.exe
  description                          pid   process                               target process
  PID 4744 set thread context of 3060  4744  43780b5d07144e9fd0f547333148f002.exe  rundll32.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: 43780b5d07144e9fd0f547333148f002.exe
  pid   process
  4744  43780b5d07144e9fd0f547333148f002.exe
  4744  43780b5d07144e9fd0f547333148f002.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes: 43780b5d07144e9fd0f547333148f002.exe
  description                       pid   process                               target process
  PID 4744 wrote to memory of 3060  4744  43780b5d07144e9fd0f547333148f002.exe  rundll32.exe
  PID 4744 wrote to memory of 3060  4744  43780b5d07144e9fd0f547333148f002.exe  rundll32.exe
  PID 4744 wrote to memory of 3060  4744  43780b5d07144e9fd0f547333148f002.exe  rundll32.exe
  PID 4744 wrote to memory of 3060  4744  43780b5d07144e9fd0f547333148f002.exe  rundll32.exe
Processes

C:\Users\Admin\AppData\Local\Temp\43780b5d07144e9fd0f547333148f002.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\43780b5d07144e9fd0f547333148f002.exe"
  PID: 4744
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe
    PID: 3060
    - Blocklisted process makes network request
Downloads
memory/3060-1-0x0000000000550000-0x0000000000551000-memory.dmp  Filesize: 4KB
memory/3060-4-0x0000000002B20000-0x0000000002B9E000-memory.dmp  Filesize: 504KB
memory/3060-5-0x0000000002BC0000-0x0000000002D1D000-memory.dmp  Filesize: 1.4MB
memory/3060-6-0x0000000002BC0000-0x0000000002D1D000-memory.dmp  Filesize: 1.4MB
memory/4744-0-0x00000000778D1000-0x00000000779F1000-memory.dmp  Filesize: 1.1MB