Analysis
max time kernel: 119s
max time network: 108s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 21-05-2024 13:10
Static task: static1
Behavioral task: behavioral1
Sample: beacon.exe
Resource: win10-20240404-en
General
Target: beacon.exe
Size: 289KB
MD5: 927ee11071594552182a02d7b0b971fa
SHA1: 629b283a2612f623c88aff4e8c806844aa86065f
SHA256: a82983039fd8a63e3ac15d731af598519aedcdfedad67c793699f96cf4510ecf
SHA512: 9eff6f2ff7f91badc2d4996556a502c9dec6adc078e183100599696067a89b69e4e5c1ae08f06454522efe4699e9c35f82e9065a2ff48b2e41a0fd29f512a3f0
SSDEEP: 3072:llbRasNrj1i/RT1UcPjjhBqaSnmP95K5JoevSAVFUQJi5y1pCGxtbbQAnKFmdHB5:T1njcbTq9nmPWo9AFni5AkGnnOKU0D
Malware Config
Extracted family: cobaltstrike
Watermark: 391144938
C2: http://114.132.120.166:7071/api/x
access_type: 512
host: 114.132.120.166,/api/x
http_header1 (base64-encoded Malleable C2 transform program for the GET check-in; the value is zero-padded to a fixed length):
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAKU0VTU0lPTklEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2 (base64-encoded Malleable C2 transform program for the POST request; zero-padded):
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAJSlNFU1NJT049AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1: GET
http_method2: POST
polling_time: 3000 (beacon sleep between check-ins, in milliseconds)
port_number: 7071
sc_process32: %windir%\syswow64\rundll32.exe (spawnto process for 32-bit post-exploitation jobs)
sc_process64: %windir%\sysnative\rundll32.exe (spawnto process for 64-bit post-exploitation jobs)
state_machine (field name as reported by the extractor; the value is the beacon's RSA-1024 public key as a base64 DER SubjectPublicKeyInfo, zero-padded):
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCmUQ8rbj+qeQEdQ0iYNHQXf3N7vXCPOI0yk9HgZZ5uul3gq3k7tMKIMNhj4p+nMIalDc2YBz+H6GGHv0HEK4dFKZbYjOtGY5GTw4ye4f3vG2UjmzFWGgsLpM8XvCEhmycH+6eXvA0X4q5Xjx71UpUfyZludTXFruqQ1kTYsEGleQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 1.481970944e+09 (the integer 1481970944 rendered as a float)
unknown2 (zero-padded binary setting, not decoded by the extractor):
AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /api/y (POST URI; the GET URI /api/x is carried in the host field above)
user_agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0) (note the mismatch: a genuine IE8 sends Trident/4.0 and Trident/5.0 belongs to IE9, so this pairing is a useful detection hint for the profile)
watermark: 391144938
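As an added example (not code from this report, from Triage, or from Cobalt Strike), the following Python decodes the http_header1 and http_header2 blobs above into the Malleable C2 transform steps they encode and renders the GET and POST requests this profile produces. The opcode table is the one used by open-source beacon-config extractors (1768.py, CobaltStrikeParser); the host, port and user agent are taken from the config fields above, and the metadata/output bytes are constructed placeholders, since the real values are encrypted before they are transformed.

```python
"""Decode the Malleable C2 transform blocks from the extracted beacon config.
Added example, not code from the Triage report or from Cobalt Strike. Opcode numbers
follow the beacon config layout documented by open-source extractors (1768.py,
CobaltStrikeParser); only opcodes 0, 2, 3, 4, 6, 7 and 10 occur in this sample."""
import base64
import struct

# opcode -> (name, count of length-prefixed string operands, count of u32 operands)
OPCODES = {
    1: ("append", 1, 0), 2: ("prepend", 1, 0), 3: ("base64", 0, 0),
    4: ("print", 0, 0),          # transformed data becomes the request body
    5: ("parameter", 1, 0),      # ... becomes a URI query parameter
    6: ("header", 1, 0),         # ... becomes an HTTP header
    7: ("build", 0, 1),          # start a chain: 0 = metadata (session id in a POST), 1 = output
    8: ("netbios", 0, 0), 9: ("const_parameter", 1, 0),
    10: ("const_header", 1, 0),  # literal "Header: value" sent on every request
    11: ("netbiosu", 0, 0), 12: ("uri_append", 0, 0), 13: ("base64url", 0, 0),
    14: ("strrep", 2, 0), 15: ("mask", 0, 0), 16: ("const_host_header", 1, 0),
}
# Copied from the report's host, port_number and user_agent fields; the blobs are
# http_header1/http_header2 with zero padding trimmed (the decoder stops at the terminator).
HOST = "114.132.120.166:7071"
USER_AGENT = "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)"
HTTP_GET_BLOB = ("AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAKU0VTU0lPTklE"
                 "PQAAAAYAAAAGQ29va2llAAAAAAAA")
HTTP_POST_BLOB = ("AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAJSlNFU1NJT049"
                  "AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAMAAAAEAAAAAAAA")


def decode_transform(blob_b64: str) -> list[tuple]:
    """Decode one transform program into (opcode_name, *operands) tuples."""
    data, steps, pos = base64.b64decode(blob_b64), [], 0

    def u32() -> int:  # big-endian u32; struct raises on a truncated block
        nonlocal pos
        (value,) = struct.unpack_from(">I", data, pos)
        pos += 4
        return value

    while (opcode := u32()) != 0:  # opcode 0 terminates the program
        if opcode not in OPCODES:
            raise ValueError(f"unknown opcode {opcode} at offset {pos - 4}")
        name, n_str, n_int = OPCODES[opcode]
        operands = [u32() for _ in range(n_int)]  # no opcode takes both operand kinds
        for _ in range(n_str):  # each string is a u32 length followed by the bytes
            length = u32()
            operands.append(data[pos:pos + length].decode("latin-1"))
            pos += length
        steps.append((name, *operands))
    return steps


def describe(steps: list[tuple]) -> dict:
    """Group steps into fixed headers plus one {source, chain, sink} per build."""
    shape, current = {"headers": [], "transforms": []}, None
    for name, *args in steps:
        if name == "const_header":
            shape["headers"].append(args[0])
        elif name == "build":
            current = {"source": "metadata" if args[0] == 0 else "output", "chain": [], "sink": None}
            shape["transforms"].append(current)
        elif name == "print":
            current["sink"] = ("body", None)
        elif name in ("header", "parameter"):
            current["sink"] = (name, args[0])
        else:
            current["chain"].append((name, *args))
    return shape


def apply_chain(chain: list[tuple], data: bytes) -> bytes:
    """Apply the encoding steps the beacon runs before placing data in the request."""
    for name, *args in chain:
        if name == "base64":
            data = base64.b64encode(data)
        elif name == "base64url":
            data = base64.urlsafe_b64encode(data)
        elif name == "prepend":
            data = args[0].encode("latin-1") + data
        elif name == "append":
            data += args[0].encode("latin-1")
        else:
            raise NotImplementedError(name)  # netbios/mask/strrep are not used by this sample
    return data


def render_request(method: str, uri: str, blob: str, metadata: bytes, output: bytes = b"") -> str:
    """Render the request this profile produces; metadata/output are constructed placeholders."""
    shape = describe(decode_transform(blob))
    headers, params, body = list(shape["headers"]), [], ""
    for t in shape["transforms"]:
        value = apply_chain(t["chain"], metadata if t["source"] == "metadata" else output).decode("latin-1")
        kind, name = t["sink"]
        if kind == "header":
            headers.append(f"{name}: {value}")
        elif kind == "parameter":
            params.append(f"{name}={value}")
        else:
            body = value
    target = uri + ("?" + "&".join(params) if params else "")
    lines = [f"{method} {target} HTTP/1.1", f"Host: {HOST}", f"User-Agent: {USER_AGENT}", *headers]
    lines += [f"Content-Length: {len(body)}"] if body else []
    return "\r\n".join(lines) + "\r\n\r\n" + body
```

Decoding the two blobs shows that the GET check-in sends base64 metadata as `Cookie: SESSIONID=<base64>`, and the POST sends the session id as `Cookie: JSESSION=<base64>` with base64 task output as the body; both carry a fixed `Accept: */*`. `render_request("GET", "/api/x", HTTP_GET_BLOB, b"...")` and `render_request("POST", "/api/y", HTTP_POST_BLOB, b"...", b"...")` print the resulting framing. The URIs, the cookie names with a base64-only value, and the inconsistent MSIE 8.0/Trident 5.0 user agent are what a proxy-log or IDS rule for this profile should key on; the cookie values themselves are encrypted and change per beacon.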
Signatures
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
This match comes from the extracted configuration. Every behavioral signature below is attributed to taskmgr.exe (PID 3804), not to beacon.exe, and the Network section of this report is empty, so the configuration above is the only evidence in this report tying the sample to the C2 at 114.132.120.166:7071.
Drops file in Windows directory (2 IoCs)
Process: taskmgr.exe
  File created: C:\Windows\rescache\_merged\4183903823\2290032291.pri
  File created: C:\Windows\rescache\_merged\1601268389\715946058.pri
These are resource-cache (.pri) files that Windows writes under C:\Windows\rescache\_merged when it loads resources for Task Manager; they are a side effect of the tool, not of the sample.
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Process: taskmgr.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName
The Ven_QEMU device name identifies the sandbox's virtual disk, but the reads are performed by Task Manager, which queries the disk's display name to label it on its Performance tab. They are not evidence of sandbox detection by beacon.exe.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Process: taskmgr.exe, PID 3804 (all 64 occurrences)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Process: taskmgr.exe, PID 3804
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Process: taskmgr.exe, PID 3804
  Token: SeDebugPrivilege
  Token: SeSystemProfilePrivilege
  Token: SeCreateGlobalPrivilege
Suspicious use of FindShellTrayWindow (64 IoCs)
Process: taskmgr.exe, PID 3804 (all 64 occurrences)
Suspicious use of SendNotifyMessage (64 IoCs)
Process: taskmgr.exe, PID 3804 (all 64 occurrences)
Processes
C:\Users\Admin\AppData\Local\Temp\beacon.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\beacon.exe"
  No signatures attributed to this process.
C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Both processes are listed at the top level of the tree; the report records no parent/child relationship between them.
Network
(no entries captured in this report)
MITRE ATT&CK Matrix (ATT&CK v13)
(no entries captured in this report)
Downloads
Memory dumps from PID 2768 (this PID does not appear in the Signatures section, where every IoC is attributed to taskmgr.exe PID 3804):
dump                                                              region                     size
memory/2768-0-0x00000000001A0000-0x00000000001E4000-memory.dmp    0x001A0000-0x001E4000      272KB
memory/2768-1-0x0000000000750000-0x00000000007A2000-memory.dmp    0x00750000-0x007A2000      328KB
memory/2768-2-0x0000000000400000-0x000000000044F000-memory.dmp    0x00400000-0x0044F000      316KB
memory/2768-13-0x0000000000C90000-0x0000000000C92000-memory.dmp   0x00C90000-0x00C92000      8KB
memory/2768-15-0x0000000000750000-0x00000000007A2000-memory.dmp   0x00750000-0x007A2000      328KB
The region at 0x00750000 was captured twice (dumps 1 and 15); diffing the two shows what changed in that region between the snapshots.