Analysis
max time kernel: 96s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/09/2024, 10:08 UTC
Behavioral task behavioral1
Sample: 5fdb322fcb6b0236f59c3609e8aeff91a21d7020bd47d3c577cdd1d56cb2c4ce.exe
Resource: win7-20240903-en
Behavioral task behavioral2
Sample: 5fdb322fcb6b0236f59c3609e8aeff91a21d7020bd47d3c577cdd1d56cb2c4ce.exe
Resource: win10v2004-20240802-en
General
Target: 5fdb322fcb6b0236f59c3609e8aeff91a21d7020bd47d3c577cdd1d56cb2c4ce.exe
Size: 4.5MB
MD5: 6eb0f8cdd3f2708b5fc8bdf2dadca602
SHA1: 8e2be55f6ae18e9e091619d632c35f6897784a42
SHA256: 5fdb322fcb6b0236f59c3609e8aeff91a21d7020bd47d3c577cdd1d56cb2c4ce
SHA512: 6a40ae445e0722e5de5306362904dc663e529c8d69aa9437804476c23de8b37e85ab38ba75404d96062dbc4d79dbd164976aec51b95b7982084fb1b266c2bba5
SSDEEP: 98304:/XrHQcsibw8SPLeTtSQo5Z8DERxrfExYzbRKHIrH/92BQ6ZyF:frwcXMHLKy6txWRK+H/926Yy
Malware Config
Extracted: cobaltstrike
http://192.168.14.128:443/u6z8
user_agent: User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;NLNL)
Signatures
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
Loads dropped DLL (4 IoCs)
pid 4220, process 5fdb322fcb6b0236f59c3609e8aeff91a21d7020bd47d3c577cdd1d56cb2c4ce.exe (4 events)
Program crash (1 IoC)
pid 4140 WerFault.exe, pid_target 4220, procid_target 82
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 5fdb322fcb6b0236f59c3609e8aeff91a21d7020bd47d3c577cdd1d56cb2c4ce.exe (2 events)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Token: 35, pid 4220, process 5fdb322fcb6b0236f59c3609e8aeff91a21d7020bd47d3c577cdd1d56cb2c4ce.exe
Suspicious use of WriteProcessMemory (3 IoCs)
PID 4968 wrote to memory of 4220, pid 4968, process 5fdb322fcb6b0236f59c3609e8aeff91a21d7020bd47d3c577cdd1d56cb2c4ce.exe, procid_target 82 (3 events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\5fdb322fcb6b0236f59c3609e8aeff91a21d7020bd47d3c577cdd1d56cb2c4ce.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5fdb322fcb6b0236f59c3609e8aeff91a21d7020bd47d3c577cdd1d56cb2c4ce.exe"
   PID: 4968
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\5fdb322fcb6b0236f59c3609e8aeff91a21d7020bd47d3c577cdd1d56cb2c4ce.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\5fdb322fcb6b0236f59c3609e8aeff91a21d7020bd47d3c577cdd1d56cb2c4ce.exe"
      PID: 4220
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 456
         PID: 4140
         - Program crash
1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4220 -ip 4220
   PID: 1276
Network
DNS, remote address 8.8.8.8:53, all requests IN PTR. Columns: request name, response, bytes sent, bytes received, requests, responses.
133.211.185.52.in-addr.arpa    (empty)                                             73 B   147 B   1   1
172.214.232.199.in-addr.arpa   (empty)                                             74 B   128 B   1   1
2.159.190.20.in-addr.arpa      (empty)                                             71 B   157 B   1   1
95.221.229.192.in-addr.arpa    (empty)                                             73 B   144 B   1   1
58.55.71.13.in-addr.arpa       (empty)                                             70 B   144 B   1   1
56.163.245.4.in-addr.arpa      (empty)                                             71 B   157 B   1   1
15.164.165.52.in-addr.arpa     (empty)                                             72 B   146 B   1   1
92.12.20.2.in-addr.arpa        IN PTR a2-20-12-92.deploy.static.akamaitechnologies.com   69 B   131 B   1   1
13.227.111.52.in-addr.arpa     (empty)                                             72 B   158 B   1   1
MITRE ATT&CK Enterprise v15
Downloads