Analysis
- max time kernel: 147s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-06-2024 10:25
Behavioral task: behavioral1
- Sample: ff1f36e4e741bf3a333b7f26beb870c50954445ed230a1c5819b55f3cecbfa28.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: ff1f36e4e741bf3a333b7f26beb870c50954445ed230a1c5819b55f3cecbfa28.exe
- Resource: win10v2004-20240611-en
General
- Target: ff1f36e4e741bf3a333b7f26beb870c50954445ed230a1c5819b55f3cecbfa28.exe
- Size: 5.4MB
- MD5: 961498dcc65e20844c81da3073d6c5b3
- SHA1: 70aab5c916eb0f91ce6ef0ca26654260b423ad79
- SHA256: ff1f36e4e741bf3a333b7f26beb870c50954445ed230a1c5819b55f3cecbfa28
- SHA512: 2aac99aea83c5095f7e360e0421e252146f24986ca37580bb8e44427e93a5c2a218e93de3a57db328e75262dbf97cba02651882b10c11eaf8e9070cfadd7faed
- SSDEEP: 98304:DesmBEbbyX5ICDtPfeE/joXzKzA0xZRdp3zi5u5D41fopr26/Y1C/aYpaT9+Ru:DeDEbGX5ICteEroXGzlxZV3Gu5D4S26U
Malware Config
Extracted: cobaltstrike
- http://49.232.97.58:80/v1Mi
- user_agent: User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Signatures
- Cobaltstrike: Detected malicious payload which is part of Cobaltstrike.
- Loads dropped DLL (4 IoCs)
  Processes (pid, process):
  4996 ff1f36e4e741bf3a333b7f26beb870c50954445ed230a1c5819b55f3cecbfa28.exe
  4996 ff1f36e4e741bf3a333b7f26beb870c50954445ed230a1c5819b55f3cecbfa28.exe
  4996 ff1f36e4e741bf3a333b7f26beb870c50954445ed230a1c5819b55f3cecbfa28.exe
  4996 ff1f36e4e741bf3a333b7f26beb870c50954445ed230a1c5819b55f3cecbfa28.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes (description, pid, process, target process):
  PID 4724 wrote to memory of 4996; 4724; ff1f36e4e741bf3a333b7f26beb870c50954445ed230a1c5819b55f3cecbfa28.exe; ff1f36e4e741bf3a333b7f26beb870c50954445ed230a1c5819b55f3cecbfa28.exe
  PID 4724 wrote to memory of 4996; 4724; ff1f36e4e741bf3a333b7f26beb870c50954445ed230a1c5819b55f3cecbfa28.exe; ff1f36e4e741bf3a333b7f26beb870c50954445ed230a1c5819b55f3cecbfa28.exe
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\ff1f36e4e741bf3a333b7f26beb870c50954445ed230a1c5819b55f3cecbfa28.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ff1f36e4e741bf3a333b7f26beb870c50954445ed230a1c5819b55f3cecbfa28.exe"
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\ff1f36e4e741bf3a333b7f26beb870c50954445ed230a1c5819b55f3cecbfa28.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ff1f36e4e741bf3a333b7f26beb870c50954445ed230a1c5819b55f3cecbfa28.exe"
    - Loads dropped DLL
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\_MEI47242\VCRUNTIME140.dll
  Filesize: 94KB
  MD5: 11d9ac94e8cb17bd23dea89f8e757f18
  SHA1: d4fb80a512486821ad320c4fd67abcae63005158
  SHA256: e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e
  SHA512: aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778
- C:\Users\Admin\AppData\Local\Temp\_MEI47242\_ctypes.pyd
  Filesize: 117KB
  MD5: 79f339753dc8954b8eb45fe70910937e
  SHA1: 3ad1bf9872dc779f32795988eb85c81fe47b3dd4
  SHA256: 35cdd122679041ebef264de5626b7805f3f66c8ae6cc451b8bc520be647fa007
  SHA512: 21e567e813180ed0480c4b21be3e2e67974d8d787e663275be054cee0a3f5161fc39034704dbd25f1412feb021d6a21b300a32d1747dee072820be81b9d9b753
- C:\Users\Admin\AppData\Local\Temp\_MEI47242\base_library.zip
  Filesize: 811KB
  MD5: a56b791f9bea3e473cba5e44c6332715
  SHA1: 023abf5acc96041068d8dd626d7d070fdb8b339b
  SHA256: b746a06534e17018f9c7eb62240fb1d2ef3927c4fab11828f0fe850becad4e56
  SHA512: a7703894f5890178df2255a61c562eaa54661eb7a3b2707ac2443e4f96d72ff6a5f5671777a5570b735a978ef040f9e9aa9b176d51ba48375e065b9dff28b9ce
- C:\Users\Admin\AppData\Local\Temp\_MEI47242\libffi-7.dll
  Filesize: 32KB
  MD5: eef7981412be8ea459064d3090f4b3aa
  SHA1: c60da4830ce27afc234b3c3014c583f7f0a5a925
  SHA256: f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
  SHA512: dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016
- C:\Users\Admin\AppData\Local\Temp\_MEI47242\python310.dll
  Filesize: 4.2MB
  MD5: 384349987b60775d6fc3a6d202c3e1bd
  SHA1: 701cb80c55f859ad4a31c53aa744a00d61e467e5
  SHA256: f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8
  SHA512: 6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5
- memory/4996-22-0x000002C332680000-0x000002C332681000-memory.dmp
  Filesize: 4KB