Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-06-2024 13:21

General

  • Target

    64803bb4129dfc6fe9c9d6bf05f65c35ea73cc57a2cafd25737e51169b8a6662.exe

  • Size

    1.6MB

  • MD5

    fb196f6171cd47ac8017d017c5289caa

  • SHA1

    6c89cdcda4fff283fe0c7554b0fc20a539ea94c6

  • SHA256

    64803bb4129dfc6fe9c9d6bf05f65c35ea73cc57a2cafd25737e51169b8a6662

  • SHA512

    a23bb7f7f8bccd1997976c09f01bce8895cdb4696a62876dd3248a51b2a2eef04d4945fabbd487bf067290af13056a7fd937c8bc413a5755c9167737fc969d8c

  • SSDEEP

    24576:pCFdFAy+BiOFKt21XRqjXeg0MPtyj+Hp1ywCXpVk9jfV/hbtS6jJlwl:p7HNNfSDV/PS3

Malware Config

Extracted

Family

cobaltstrike

C2

http://192.168.159.137:8088/nTXC

Attributes
  • user_agent

    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENXA)

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\64803bb4129dfc6fe9c9d6bf05f65c35ea73cc57a2cafd25737e51169b8a6662.exe
    "C:\Users\Admin\AppData\Local\Temp\64803bb4129dfc6fe9c9d6bf05f65c35ea73cc57a2cafd25737e51169b8a6662.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Windows\SysWOW64\cmd.exe
      cmd " /c " C:\Users\Admin\AppData\Local\Temp\1.png
      2⤵
        PID:2244
      • C:\Users\Public\artifact.exe
        C:\Users\Public\artifact.exe
        2⤵
        • Executes dropped EXE
        PID:1244
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • Suspicious use of FindShellTrayWindow
      PID:2440

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\1.png

      Filesize

      139KB

      MD5

      cc366db4527cce2f1b28233320fa4a0c

      SHA1

      fb9ad0d67e3926b3fefa4f79e5bbe5ff6af55843

      SHA256

      91dea1e5974ceac43d475f2e6ebcdedb7b4c46dc2e5fd8ef0b10e443d184d548

      SHA512

      e4cc211e15d1e4f93c87e63383ccdf10d0f4b66a3fcdd5e852be7a5cab2c9e84ceb9519bec86638cbe05c245069cc60ca390af819620b5a94dd0845d1d4c9289

    • \Users\Public\artifact.exe

      Filesize

      17KB

      MD5

      f76da48c0ed1c19bf726a06bf80a8882

      SHA1

      f8a5a2a2050dc0084c7badd0630193436f798247

      SHA256

      a676c87e4140740d2c1d8dfa455796db1ff79014e28a6f8fee50de28bdf98bb1

      SHA512

      bdc395e0d9cfe4f6e3f134d865ae9e87cada0bb6223bdd34a6350fbee79a6c24273dbc49fb88ea2c454b8144a51cae6e1cbe26f9d1961608f9a16f989ac0462b

    • memory/1244-63-0x0000000000020000-0x0000000000021000-memory.dmp

      Filesize

      4KB

    • memory/1244-64-0x0000000000400000-0x000000000040C000-memory.dmp

      Filesize

      48KB

    • memory/2220-8-0x0000000000400000-0x00000000005CB000-memory.dmp

      Filesize

      1.8MB

    • memory/2244-59-0x0000000000470000-0x0000000000472000-memory.dmp

      Filesize

      8KB

    • memory/2440-60-0x0000000000160000-0x0000000000162000-memory.dmp

      Filesize

      8KB

    • memory/2440-61-0x0000000000750000-0x0000000000751000-memory.dmp

      Filesize

      4KB

    • memory/2440-66-0x0000000000750000-0x0000000000751000-memory.dmp

      Filesize

      4KB