Analysis

  • max time kernel
    141s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-08-2024 13:14

General

  • Target

    33988f6852a9c11377d2b0439a5a12d8d515f0d5031629b3eeceff3ea86aae64.exe

  • Size

    5.6MB

  • MD5

    528be357068444851c5194a3a4ad04e6

  • SHA1

    d37b162402783415908a583be6fcc169411933f1

  • SHA256

    33988f6852a9c11377d2b0439a5a12d8d515f0d5031629b3eeceff3ea86aae64

  • SHA512

    5fe6cdfb3b14a897f5496c40fd3037a560bcac7338ea4174ee96f6a8bf755baaf0aa4656d8aa12648c8557a8c2b4a88cdc88e115d6d2509f0dd2bc4beae80dec

  • SSDEEP

    98304:Az0tpywzPOFSPnUXJFerrlcDN8Xe6OlcfNCPs55y1uB/HfFxH5mIi:i0tg9ynA+rlcD0e6OafNlTy1w/HfFHmZ

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000

C2

http://120.26.241.224:52847/__utm.gif

Attributes
  • access_type

    512

  • host

    120.26.241.224,/__utm.gif

  • http_header1

    AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • polling_time

    60000

  • port_number

    52847

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCSyBVvMd4tLh9+W9CJyVRvl+G/u3JfXaJ2+oaSVpYZ9gTk8AoDgaXE54lJHbTNz3TYoJzu9+pl2qsX2G+E+xziM3hTLoaBctIrY0iZiZQmRd0a6yds4ZAs7TIOTXqPP0kjPEOI+5JTx0uwCPC9Z6zCA2XbbvAfku4FuQAttCPWBQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /submit.php

  • user_agent

    Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENGB)

  • watermark

    100000

Extracted

Family

cobaltstrike

Botnet

0

Attributes
  • watermark

    0

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\33988f6852a9c11377d2b0439a5a12d8d515f0d5031629b3eeceff3ea86aae64.exe
    "C:\Users\Admin\AppData\Local\Temp\33988f6852a9c11377d2b0439a5a12d8d515f0d5031629b3eeceff3ea86aae64.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3160
    • C:\Users\Public\Pictures\beacon.exe
      "C:\Users\Public\Pictures\beacon.exe"
      2⤵
      • Executes dropped EXE
      PID:804
    • C:\Users\Public\Pictures\Navicat_Keygen_Patch_v6.3.2_By_DFoX.exe
      "C:\Users\Public\Pictures\Navicat_Keygen_Patch_v6.3.2_By_DFoX.exe"
      2⤵
      • Executes dropped EXE
      PID:4144

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\Pictures\Navicat_Keygen_Patch_v6.3.2_By_DFoX.exe

    Filesize

    8.5MB

    MD5

    973bc81880b01f493f786625a31b31eb

    SHA1

    18704e3406ef52e675ede908b5f8158d88ef5b0f

    SHA256

    6652a80a755644374bc38c4b99b8990e2288dbea593813d11852d40d2ce26c2d

    SHA512

    f3bce517bab0764fab0fa110479149b350e80841514a6096f5e48383ac60d7e7903b81fe8af8fc685ca13d3c94fdf85937331389fac943b2b6de5de3ac4a86b7

  • C:\Users\Public\Pictures\beacon.exe

    Filesize

    281KB

    MD5

    e733d3f28db97dcda9a17678d31817cf

    SHA1

    740ebd1aacbb16784601bbee921d92a948be3e86

    SHA256

    28c745de667ae05f90a2631fdb1f3611e22de7ec4e16de5f6dc653b6fb3e7f3b

    SHA512

    829e336a3ec9357740f0170dc9867628235105c770af94889d51ac2740625a5f2ac4028594db806ca9ebcbc9d4e27ec0cb0661ca089a91cadda0f79eb4c89937

  • memory/804-28-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

  • memory/804-25-0x0000000000AB0000-0x0000000000AF1000-memory.dmp

    Filesize

    260KB

  • memory/804-26-0x0000000000D00000-0x0000000000D4F000-memory.dmp

    Filesize

    316KB

  • memory/804-31-0x0000000000D00000-0x0000000000D4F000-memory.dmp

    Filesize

    316KB

  • memory/4144-22-0x0000000000680000-0x0000000000F06000-memory.dmp

    Filesize

    8.5MB

  • memory/4144-23-0x000000001BC10000-0x000000001BE94000-memory.dmp

    Filesize

    2.5MB

  • memory/4144-24-0x00007FFE2CB10000-0x00007FFE2D5D1000-memory.dmp

    Filesize

    10.8MB

  • memory/4144-27-0x00007FFE2CB13000-0x00007FFE2CB15000-memory.dmp

    Filesize

    8KB

  • memory/4144-21-0x00007FFE2CB13000-0x00007FFE2CB15000-memory.dmp

    Filesize

    8KB

  • memory/4144-29-0x000000001D0B0000-0x000000001D259000-memory.dmp

    Filesize

    1.7MB

  • memory/4144-30-0x00007FFE2CB10000-0x00007FFE2D5D1000-memory.dmp

    Filesize

    10.8MB