Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-06-2024 13:21

Static task: static1

Behavioral task: behavioral1
  Sample: 64803bb4129dfc6fe9c9d6bf05f65c35ea73cc57a2cafd25737e51169b8a6662.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 64803bb4129dfc6fe9c9d6bf05f65c35ea73cc57a2cafd25737e51169b8a6662.exe
  Resource: win10v2004-20240508-en
General
Target: 64803bb4129dfc6fe9c9d6bf05f65c35ea73cc57a2cafd25737e51169b8a6662.exe
Size: 1.6MB
MD5: fb196f6171cd47ac8017d017c5289caa
SHA1: 6c89cdcda4fff283fe0c7554b0fc20a539ea94c6
SHA256: 64803bb4129dfc6fe9c9d6bf05f65c35ea73cc57a2cafd25737e51169b8a6662
SHA512: a23bb7f7f8bccd1997976c09f01bce8895cdb4696a62876dd3248a51b2a2eef04d4945fabbd487bf067290af13056a7fd937c8bc413a5755c9167737fc969d8c
SSDEEP: 24576:pCFdFAy+BiOFKt21XRqjXeg0MPtyj+Hp1ywCXpVk9jfV/hbtS6jJlwl:p7HNNfSDV/PS3
Malware Config
Extracted: cobaltstrike
C2: http://192.168.159.137:8088/nTXC
user_agent: User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENXA)
Signatures

Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.

Executes dropped EXE (1 IoCs)
  Processes:
    pid 4440  artifact.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: RenamesItself (1 IoCs)
  Processes:
    pid 4364  64803bb4129dfc6fe9c9d6bf05f65c35ea73cc57a2cafd25737e51169b8a6662.exe

Suspicious use of WriteProcessMemory (5 IoCs)
  Processes (description | pid | process | target process):
    PID 4364 wrote to memory of 6116 | 4364 | 64803bb4129dfc6fe9c9d6bf05f65c35ea73cc57a2cafd25737e51169b8a6662.exe | cmd.exe
    PID 4364 wrote to memory of 6116 | 4364 | 64803bb4129dfc6fe9c9d6bf05f65c35ea73cc57a2cafd25737e51169b8a6662.exe | cmd.exe
    PID 4364 wrote to memory of 6116 | 4364 | 64803bb4129dfc6fe9c9d6bf05f65c35ea73cc57a2cafd25737e51169b8a6662.exe | cmd.exe
    PID 4364 wrote to memory of 4440 | 4364 | 64803bb4129dfc6fe9c9d6bf05f65c35ea73cc57a2cafd25737e51169b8a6662.exe | artifact.exe
    PID 4364 wrote to memory of 4440 | 4364 | 64803bb4129dfc6fe9c9d6bf05f65c35ea73cc57a2cafd25737e51169b8a6662.exe | artifact.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\64803bb4129dfc6fe9c9d6bf05f65c35ea73cc57a2cafd25737e51169b8a6662.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\64803bb4129dfc6fe9c9d6bf05f65c35ea73cc57a2cafd25737e51169b8a6662.exe"
   PID: 4364
   Signatures: Suspicious behavior: RenamesItself; Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd " /c " C:\Users\Admin\AppData\Local\Temp\1.png
      PID: 6116

   2. C:\Users\Public\artifact.exe
      Command line: C:\Users\Public\artifact.exe
      PID: 4440
      Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 17KB
MD5: f76da48c0ed1c19bf726a06bf80a8882
SHA1: f8a5a2a2050dc0084c7badd0630193436f798247
SHA256: a676c87e4140740d2c1d8dfa455796db1ff79014e28a6f8fee50de28bdf98bb1
SHA512: bdc395e0d9cfe4f6e3f134d865ae9e87cada0bb6223bdd34a6350fbee79a6c24273dbc49fb88ea2c454b8144a51cae6e1cbe26f9d1961608f9a16f989ac0462b