Analysis
Max time kernel: 141s
Max time network: 150s
Platform: windows10-2004_x64
Resource: win10v2004-20240802-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 31-08-2024 13:14
Static task: static1
Behavioral task: behavioral1
Sample: 33988f6852a9c11377d2b0439a5a12d8d515f0d5031629b3eeceff3ea86aae64.exe
Resource: win7-20240704-en
General
Target: 33988f6852a9c11377d2b0439a5a12d8d515f0d5031629b3eeceff3ea86aae64.exe
Size: 5.6MB
MD5:
528be357068444851c5194a3a4ad04e6
SHA1:
d37b162402783415908a583be6fcc169411933f1
SHA256:
33988f6852a9c11377d2b0439a5a12d8d515f0d5031629b3eeceff3ea86aae64
SHA512:
5fe6cdfb3b14a897f5496c40fd3037a560bcac7338ea4174ee96f6a8bf755baaf0aa4656d8aa12648c8557a8c2b4a88cdc88e115d6d2509f0dd2bc4beae80dec
SSDEEP:
98304:Az0tpywzPOFSPnUXJFerrlcDN8Xe6OlcfNCPs55y1uB/HfFxH5mIi:i0tg9ynA+rlcD0e6OafNlTy1w/HfFHmZ
Malware Config
Extracted: cobaltstrike (watermark 100000)
C2 URL: http://120.26.241.224:52847/__utm.gif
access_type: 512
host: 120.26.241.224,/__utm.gif
http_header1: (base64 blob)
http_header2: (base64 blob)
http_method1: GET
http_method2: POST
polling_time: 60000
port_number: 52847
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine: (base64 blob)
unknown1: 4096
unknown2: (base64 blob)
uri: /submit.php
user_agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENGB)
watermark: 100000

Extracted: cobaltstrike (watermark 0)
watermark: 0
Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | 33988f6852a9c11377d2b0439a5a12d8d515f0d5031629b3eeceff3ea86aae64.exe

Executes dropped EXE (2 IoCs)
Processes:
pid | process
804 | beacon.exe
4144 | Navicat_Keygen_Patch_v6.3.2_By_DFoX.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 33988f6852a9c11377d2b0439a5a12d8d515f0d5031629b3eeceff3ea86aae64.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
description | pid | process | target process
PID 3160 wrote to memory of 804 | 3160 | 33988f6852a9c11377d2b0439a5a12d8d515f0d5031629b3eeceff3ea86aae64.exe | beacon.exe
PID 3160 wrote to memory of 804 | 3160 | 33988f6852a9c11377d2b0439a5a12d8d515f0d5031629b3eeceff3ea86aae64.exe | beacon.exe
PID 3160 wrote to memory of 4144 | 3160 | 33988f6852a9c11377d2b0439a5a12d8d515f0d5031629b3eeceff3ea86aae64.exe | Navicat_Keygen_Patch_v6.3.2_By_DFoX.exe
PID 3160 wrote to memory of 4144 | 3160 | 33988f6852a9c11377d2b0439a5a12d8d515f0d5031629b3eeceff3ea86aae64.exe | Navicat_Keygen_Patch_v6.3.2_By_DFoX.exe
Processes
C:\Users\Admin\AppData\Local\Temp\33988f6852a9c11377d2b0439a5a12d8d515f0d5031629b3eeceff3ea86aae64.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\33988f6852a9c11377d2b0439a5a12d8d515f0d5031629b3eeceff3ea86aae64.exe"
  PID: 3160
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Public\Pictures\beacon.exe
    Command line: "C:\Users\Public\Pictures\beacon.exe"
    PID: 804
    - Executes dropped EXE
  C:\Users\Public\Pictures\Navicat_Keygen_Patch_v6.3.2_By_DFoX.exe
    Command line: "C:\Users\Public\Pictures\Navicat_Keygen_Patch_v6.3.2_By_DFoX.exe"
    PID: 4144
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 8.5MB
MD5: 973bc81880b01f493f786625a31b31eb
SHA1: 18704e3406ef52e675ede908b5f8158d88ef5b0f
SHA256: 6652a80a755644374bc38c4b99b8990e2288dbea593813d11852d40d2ce26c2d
SHA512: f3bce517bab0764fab0fa110479149b350e80841514a6096f5e48383ac60d7e7903b81fe8af8fc685ca13d3c94fdf85937331389fac943b2b6de5de3ac4a86b7

Filesize: 281KB
MD5: e733d3f28db97dcda9a17678d31817cf
SHA1: 740ebd1aacbb16784601bbee921d92a948be3e86
SHA256: 28c745de667ae05f90a2631fdb1f3611e22de7ec4e16de5f6dc653b6fb3e7f3b
SHA512: 829e336a3ec9357740f0170dc9867628235105c770af94889d51ac2740625a5f2ac4028594db806ca9ebcbc9d4e27ec0cb0661ca089a91cadda0f79eb4c89937