Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-05-2024 07:19
Static task: static1
Behavioral task: behavioral1
- Sample: 5a2c66fd7246b0438cd763593b909cbadf782407afa384bd27bc7bc8ff84edab.exe
- Resource: win10v2004-20240426-en
Behavioral task: behavioral2
- Sample: 5a2c66fd7246b0438cd763593b909cbadf782407afa384bd27bc7bc8ff84edab.exe
- Resource: win11-20240426-en
General
- Target: 5a2c66fd7246b0438cd763593b909cbadf782407afa384bd27bc7bc8ff84edab.exe
- Size: 14KB
- MD5: 242ffae14d520fa9b735110f360555fe
- SHA1: ec821b71309cfc74a17fbbe1dd6cbcb2de7a9c39
- SHA256: 5a2c66fd7246b0438cd763593b909cbadf782407afa384bd27bc7bc8ff84edab
- SHA512: eb8c6ac31dbcce05e551fa4451bfa42ad81791edeca441efaa59de1a0a7ee29ae64bcedbd88d88ae712a90c2eee0865aa71e00b4e358007377f380039175c0a1
- SSDEEP: 192:A/H+DgGK83SxHn2OQ/dmBI4KBfTgir+xzoOZQgn8PbqUqV/Qjo7AGa:Av+kGKqbOCdWIVBff+xzN6g8jfCXAn
Malware Config
Extracted (metasploit)
- windows/download_exec
- http://3.208.96.244:80/Meeting/32251817/
- headers:
  Accept: */*
  Accept-Language: en-US
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/587.38 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Extracted (cobaltstrike)
- 1359593325
- http://3.208.96.244:80/functionalStatus
- access_type: 512
- host: 3.208.96.244,/functionalStatus
- http_header1:
- http_header2:
- http_method1: GET
- http_method2: GET
- jitter: 6400
- polling_time: 37000
- port_number: 80
- sc_process32: %windir%\syswow64\gpupdate.exe
- sc_process64: %windir%\sysnative\gpupdate.exe
- state_machine:
- unknown1: 9.06174464e+08
- unknown2:
- unknown3: 1.610612736e+09
- uri: /rest/2/meetings
- user_agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/587.38 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
- watermark: 1359593325
Signatures
- Cobaltstrike: Detected malicious payload which is part of Cobaltstrike.
- MetaSploit: Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Downloads
- memory/3704-0-0x00000000001D0000-0x00000000001D1000-memory.dmp (Filesize: 4KB)
- memory/3704-1-0x0000000000E00000-0x0000000000E3D000-memory.dmp (Filesize: 244KB)
- memory/3704-2-0x0000000003A10000-0x0000000003C1D000-memory.dmp (Filesize: 2.1MB)
- memory/3704-3-0x0000000000E00000-0x0000000000E3D000-memory.dmp (Filesize: 244KB)
- memory/3704-4-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
- memory/3704-6-0x0000000003A10000-0x0000000003C1D000-memory.dmp (Filesize: 2.1MB)