Analysis

  • max time kernel
    96s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/09/2024, 10:08 UTC

General

  • Target

    5fdb322fcb6b0236f59c3609e8aeff91a21d7020bd47d3c577cdd1d56cb2c4ce.exe

  • Size

    4.5MB

  • MD5

    6eb0f8cdd3f2708b5fc8bdf2dadca602

  • SHA1

    8e2be55f6ae18e9e091619d632c35f6897784a42

  • SHA256

    5fdb322fcb6b0236f59c3609e8aeff91a21d7020bd47d3c577cdd1d56cb2c4ce

  • SHA512

    6a40ae445e0722e5de5306362904dc663e529c8d69aa9437804476c23de8b37e85ab38ba75404d96062dbc4d79dbd164976aec51b95b7982084fb1b266c2bba5

  • SSDEEP

    98304:/XrHQcsibw8SPLeTtSQo5Z8DERxrfExYzbRKHIrH/92BQ6ZyF:frwcXMHLKy6txWRK+H/926Yy

Malware Config

Extracted

Family

cobaltstrike

C2

http://192.168.14.128:443/u6z8

Attributes
  • user_agent

    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;NLNL)

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • Loads dropped DLL 4 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5fdb322fcb6b0236f59c3609e8aeff91a21d7020bd47d3c577cdd1d56cb2c4ce.exe
    "C:\Users\Admin\AppData\Local\Temp\5fdb322fcb6b0236f59c3609e8aeff91a21d7020bd47d3c577cdd1d56cb2c4ce.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4968
    • C:\Users\Admin\AppData\Local\Temp\5fdb322fcb6b0236f59c3609e8aeff91a21d7020bd47d3c577cdd1d56cb2c4ce.exe
      "C:\Users\Admin\AppData\Local\Temp\5fdb322fcb6b0236f59c3609e8aeff91a21d7020bd47d3c577cdd1d56cb2c4ce.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:4220
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 456
        3⤵
        • Program crash
        PID:4140
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4220 -ip 4220
    1⤵
    PID:1276

    Network

    • flag-us
      DNS
      133.211.185.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      133.211.185.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.214.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.214.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      2.159.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      2.159.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      58.55.71.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      58.55.71.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      56.163.245.4.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      56.163.245.4.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      15.164.165.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      15.164.165.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      92.12.20.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      92.12.20.2.in-addr.arpa
      IN PTR
      Response
      92.12.20.2.in-addr.arpa
      IN PTR
      a2-20-12-92.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      13.227.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      13.227.111.52.in-addr.arpa
      IN PTR
      Response
    • 8.8.8.8:53
      133.211.185.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      133.211.185.52.in-addr.arpa

    • 8.8.8.8:53
      172.214.232.199.in-addr.arpa
      dns
      74 B
      128 B
      1
      1

      DNS Request

      172.214.232.199.in-addr.arpa

    • 8.8.8.8:53
      2.159.190.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      2.159.190.20.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      58.55.71.13.in-addr.arpa
      dns
      70 B
      144 B
      1
      1

      DNS Request

      58.55.71.13.in-addr.arpa

    • 8.8.8.8:53
      56.163.245.4.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      56.163.245.4.in-addr.arpa

    • 8.8.8.8:53
      15.164.165.52.in-addr.arpa
      dns
      72 B
      146 B
      1
      1

      DNS Request

      15.164.165.52.in-addr.arpa

    • 8.8.8.8:53
      92.12.20.2.in-addr.arpa
      dns
      69 B
      131 B
      1
      1

      DNS Request

      92.12.20.2.in-addr.arpa

    • 8.8.8.8:53
      13.227.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      13.227.111.52.in-addr.arpa

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\_MEI49682\Crypto.Cipher._AES.pyd

      Filesize

      29KB

      MD5

      3c4ab2e06feb6e4ca1b7a1244055671a

      SHA1

      a4c3c44b45248b7cf53881e6d8efa8d557e100a9

      SHA256

      c7e4194470a677304fad05c771654e6986c32bc29a04c3c4c52594172d83cb23

      SHA512

      7531b4ecf3c2a37b33b790e403cf69c6c90c33b0236ad65996fad6e5fdd0e831935126ed96026f612d6fdd2847f2d7b01823f49fbdbd8c95b434fbdd9aaf557c

    • C:\Users\Admin\AppData\Local\Temp\_MEI49682\MSVCR100.dll

      Filesize

      755KB

      MD5

      bf38660a9125935658cfa3e53fdc7d65

      SHA1

      0b51fb415ec89848f339f8989d323bea722bfd70

      SHA256

      60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

      SHA512

      25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

    • C:\Users\Admin\AppData\Local\Temp\_MEI49682\_ctypes.pyd

      Filesize

      83KB

      MD5

      5d1bc1be2f02b4a2890e921af15190d2

      SHA1

      057c88438b40cd8e73554274171341244f107139

      SHA256

      97c3cdef6d28ad19c0dacff15dd66f874fe73c8767d88f3bc7c0bde794d857da

      SHA512

      9751f471312dd5a24f4a7f25b192ddcb64d28a332ff66f3aa2c3f7ef69127cf14c93043350397e9f884f1830f51d5e01214e82627158d37ef95ce4746a83bbd9

    • C:\Users\Admin\AppData\Local\Temp\_MEI49682\base_library.zip

      Filesize

      717KB

      MD5

      d6d034e1af968d134b3cc4477b623069

      SHA1

      6eb0fc22dc6360177956e0884241b94b68f69ee7

      SHA256

      63f31b4c43a469971854a1d1eae5516f8d0ccdcd3d0566a84b2496c25a28de44

      SHA512

      e45c32d209ab14a328c843d06958ce0f35c9ef2f52e5e8d47fbd0caa4b89eb3388d03497f973ee73aaf73ee3be3327942a6202a7934d818261c5b29965de94bb

    • C:\Users\Admin\AppData\Local\Temp\_MEI49682\python34.dll

      Filesize

      2.6MB

      MD5

      96f7167b725a27b3bd4766a89c4b4305

      SHA1

      39a1d7e1648adce5740a1976211724cf87792b9e

      SHA256

      30ab1713ca7cbbee7227bf50db4d1415654eb81ea0a16134f37dc11a746d9f92

      SHA512

      3d7ce22c29956f7f1c001ab86298485987d2b1dc5f52d5eb5b7dd21c21d88d00849163f684c01141b77ed387bc32733d26da79cc81a2d01f0d2f5d9ec8c5441a

    • C:\Users\Admin\AppData\Local\Temp\_MEI49682\test.exe.manifest

      Filesize

      1KB

      MD5

      0995942e0c238d67de452a3b2c1db5a9

      SHA1

      ac9fdb353e74a3de2c1024c6d6a068fef7860328

      SHA256

      4801e45f989133f5dfb453fd3e31ff512043dc89b099b64faf55f78724e7518d

      SHA512

      e97e43d6d3f14e00835be72e78e3e29a0632a47c4057c3a7340780f6761f6643793c8427d997446a3152a8b2fc5133ea9065b554e2321d216f9f7df34a16a35e

    • memory/4220-25-0x00000000007B0000-0x00000000007B1000-memory.dmp

      Filesize

      4KB

    • memory/4220-28-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

    • memory/4968-38-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB
